Monday, April 27, 2026

Changing Apache Tomcat Catalina from using a jks keystore to a pfx keystore

I have an Apache Tomcat server that was using a JKS keystore, but when I got a new certificate it had an issue with the trust chain after I updated the certificate. Since this is a Tomcat server running on Windows, I decided to move to a PFX certificate. You can read my post on How to create a PFX Certificate if you need more information on how to do that.


For pathing, the .pfx certificate sits in the same Tomcat directory as the original .jks keystore. To change the certificate we have to update the server.xml file, specifically the SSL Connector element. Stop the Apache Tomcat service before editing the connector and restart it after the update.



    <!-- Define a SSL HTTP/1.1 Connector on port ****
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="****"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="1000"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/css,text/javascript"
               xpoweredBy="false"
               scheme="https"
               secure="true"
               keystoreFile="$KeystoreFile"
               keystorePass="$KeystoreFilePassword"
               clientAuth="false"
               sslProtocol="TLS"
               server="$SERVER.DOMAIN.CA"
               />


What we need to do is add a keystoreType="PKCS12" attribute to the Connector in server.xml and point keystoreFile at the .pfx file (Tomcat assumes a JKS keystore when keystoreType is not set):

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="8443"
               protocol="HTTP/1.1"
               SSLEnabled="true"
               maxThreads="150"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="1000"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/css,text/javascript"
               xpoweredBy="false"
               scheme="https"
               secure="true"
               keystoreFile="$Cert.pfx"
               keystorePass="$KEYSTOREPASSWORD"
               keystoreType="PKCS12"
               clientAuth="false"
               sslProtocol="TLS"
               server="$SERVER.DOMAIN.CA"
               />
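Since Tomcat silently defaults keystoreType to JKS, a .pfx referenced without keystoreType="PKCS12" only fails at startup, after the service has already been stopped. The following script is an added example (not code from the original post or from the Tomcat project) that lints server.xml before the restart: it walks every SSLEnabled Connector, infers the keystore format from the keystoreFile extension, and flags any mismatch with the declared (or defaulted) keystoreType. It handles only the connector-attribute style shown on this page, not the newer SSLHostConfig/Certificate form, and the embedded server.xml, ports and paths are constructed sample data.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePath

# Constructed sample: a trimmed server.xml with two SSL connectors. The one on
# 8443 points at a .pfx but relies on Tomcat's default keystoreType (JKS), which
# is the misconfiguration this post fixes; the one on 8444 is correct.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="conf/server.pfx"
               keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true"
               keystoreFile="conf/server.pfx"
               keystorePass="changeit"
               keystoreType="PKCS12"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""

# File extensions that hold a PKCS#12 bundle rather than a JKS keystore.
PKCS12_EXTENSIONS = {".pfx", ".p12"}


def expected_keystore_type(keystore_file):
    """Infer the keystoreType a Connector should declare from the file name.

    Returns "PKCS12", "JKS", or None when the extension gives no hint.
    """
    suffix = PurePath(keystore_file).suffix.lower()
    if suffix in PKCS12_EXTENSIONS:
        return "PKCS12"
    if suffix == ".jks":
        return "JKS"
    return None


def check_ssl_connectors(server_xml_text):
    """Return a list of (port, message) findings for SSL-enabled Connectors.

    Tomcat defaults keystoreType to JKS, so a Connector that points at a
    .pfx/.p12 file without keystoreType="PKCS12" cannot load its key at startup.
    """
    root = ET.fromstring(server_xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to check
        port = conn.get("port", "?")
        keystore_file = conn.get("keystoreFile")
        if not keystore_file:
            findings.append((port, "SSLEnabled but no keystoreFile attribute"))
            continue
        declared = conn.get("keystoreType", "JKS")  # Tomcat's default
        expected = expected_keystore_type(keystore_file)
        if expected and declared.upper() != expected:
            findings.append((port, f'keystoreFile "{keystore_file}" looks like {expected} '
                                   f'but keystoreType resolves to {declared}'))
    return findings


if __name__ == "__main__":
    # On a real host, replace SAMPLE_SERVER_XML with the contents of conf/server.xml.
    problems = check_ssl_connectors(SAMPLE_SERVER_XML)
    for port, message in problems:
        print(f"Connector port {port}: {message}")
    if not problems:
        print("All SSL connectors declare a keystoreType consistent with their keystoreFile.")
```

Run it against the real conf/server.xml before stopping the service; an empty result means every HTTPS connector either declares the right keystoreType or uses a .jks file where the JKS default is correct.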


Once the update is complete and Apache Tomcat has been restarted, you can check your certificate chain using SSL Shopper to confirm that the full chain, including the intermediate certificates, is now being served.



