How to Configure SSL Certificate in Tomcat

Last updated June 25, 2018 by
Security, Tomcat , , , , , ,

We are assuming that you already have installed working Tomcat server in your system. If not you can visit to earlier article Install Tomcat 7 on CentOS, RHEL or Ubuntu, Debian Systems. This article can be used for Linux as well as Windows hosts both, the only thing we need to change directory path of keystore.

Step 1 – Create a Keystore

A Java KeyStore (JKS) is a repository of security certificates. keytool is the command line utility for creating and managing keystore. This command is available with JDK and JRE both. We just need to make sure that JDK or JRE is configured with PATH environment variable.

keytool -genkey -alias svr1.tecadmin.net -keyalg RSA -keystore /etc/pki/keystore

[Samle Output]

Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Rahul Kumar
What is the name of your organizational unit?
  [Unknown]:  Web
What is the name of your organization?
  [Unknown]:  TecAdmin Inc.
What is the name of your City or Locality?
  [Unknown]:  Delhi
What is the name of your State or Province?
  [Unknown]:  Delhi
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Rahul Kumar, OU=Web, O=TecAdmin Inc., L=Delhi, ST=Delhi, C=IN correct?
  [no]:  yes

Enter key password for 
        (RETURN if same as keystore password):
Re-enter new password:

Step 2 – Get CA Signed SSL [ Ignore SelfSigned Users ]

You don’t need to do this step if you are going to use self-signed SSL certificate. If you want to purchase a valid ssl from certificate authorities, then you need to first create a CSR, Use the following command to do it.

Create CSR:

keytool -certreq -keyalg RSA -alias svr1.tecadmin.net -file svr1.csr -keystore /etc/pki/keystore

Above command will prompt for keystore password and generate the CSR file. Use this CSR and purchase ssl certificate from any certificate authorities.

After issued certificate by CA, you will have following files – root certificate, intermediate certificate, and certificate file. In my case the filenames are

A. root.crt (root certificate)
B. intermediate.crt (intermediate certificate)
C. svr1.tecadmin.net.crt ( Issued certificate by CA )

Install the root certificate:

keytool -import -alias root -keystore /etc/pki/keystore -trustcacerts -file root.crt

Install the intermediate certificate:

keytool -import -alias intermed -keystore /etc/pki/keystore -trustcacerts -file intermediate.crt

Install the issued certificate:

keytool -import -alias svr1.tecadmin.net -keystore /etc/pki/keystore -trustcacerts -file svr1.tecadmin.net.crt

Step 3 – Setup Tomcat Keystore

Now go to your Tomcat installation directory and edit conf/server.xml file in your favorite editor and update the configuration as below. You may also change the port from 8443to some other port if required.

    <Connector port="8443" protocol="HTTP/1.1"
                connectionTimeout="20000"
                redirectPort="8443"
                SSLEnabled="true"
                scheme="https"
                secure="true"
                sslProtocol="TLS"
                keystoreFile="/etc/pki/keystore"
                keystorePass="_password_" />

Step 4 – Restart Tomcat

Use your init script (if have) to restart tomcat service, In my case i use shell scripts (startup.sh and shutdown.sh) for stopping and starting tomcat.

./bin/shutdown.sh
./bin/startup.sh

Step 5 – Verify Setup

As we have done all the required configuration for tomcat setup. lets access tomcat in your browser on the configured port in step 2.

tomcat-with-ssl

Note: This article has been tested with Tomcat 7 on CentOS 6.5 using Java 8.

Rahul K.
Rahul K.
Connect on Facebook Connect on Twitter Connect on Google+

I, Rahul Kumar am the founder and chief editor of TecAdmin.net. I am a Red Hat Certified Engineer (RHCE) and working as an IT professional since 2009..

Related Posts

4 Comments

  1. sac Reply to sac
    June 22, 2018 at 10:54 am

    Hi Rahul,
    I am trying to enable Https by installing ssl in my centOS 7 tomcat server. I have received ssl certificate from Godaddy but while creating csr I have used “openssl req -new -newkey rsa:2048 -nodes -keyout myperimetrix.key -out myperimetrix.csr Generating a 2048 bit RSA private key” command to generate csr and no idea about how to proceed. your commands looks very easy to me to install, so trying to follow you. Now should i need to regenerate csr to install ssl? is it possible to run all these commands outside root as i don’t want to disturb my server?

    • Rahul K. Rahul K. Reply to Rahul
      June 25, 2018 at 7:14 am

      Hi Sachin,

      As you wrote, you already get an certificate from Godaddy. So you must have CSR and Private key used to issue certificate from Godaddy. You can use the same for installing on your Tomcat.

      In case you lost the Private key and CSR. You need generate a new Private and CSR on your system and then ReKey your certificate on Godaddy.

  2. arun Reply to arun
    October 4, 2017 at 11:31 am

    good one.thankss

  3. Jonathan Reply to Jonathan
    June 22, 2014 at 3:30 am

    Thank you very much for this tutorial. I want to configure my tomcat instance in order to get only SSL access to my webapps, so I’m following your instructions, however I can’t be able to connect trought 8443 or https port/protocol, only the regular 8080 it’s active. I want to use a SelfSigned certificate in order to see if SSL work and then buy a trusted certificate but in your instructions I can see that you import the trusted certificate, is not necessary to create the SelfSigned certificate and import it as well? Thanks in advance for your support to this noob.

Leave a Reply

All rights reserved. © 2013-2018 TecAdmin.net. This site uses cookies. By using this website you agree our term and services