    How to Configure SSL Certificate in Tomcat

    By Rahul, June 12, 2014 (3 min read). Updated: June 25, 2018

    We are assuming that you already have a working Tomcat server installed on your system. If not, you can visit the earlier article Install Tomcat 7 on CentOS, RHEL or Ubuntu, Debian Systems. This article applies to both Linux and Windows hosts; the only thing that changes is the directory path of the keystore.


    Step 1 – Create a Keystore

    A Java KeyStore (JKS) is a repository of security certificates and private keys. keytool is the command-line utility for creating and managing a keystore. It ships with both the JDK and the JRE; we just need to make sure the JDK or JRE bin directory is on the PATH environment variable. The command below generates a new RSA key pair and a self-signed certificate under the alias svr1.tecadmin.net and stores them in /etc/pki/keystore.

    keytool -genkey -alias svr1.tecadmin.net -keyalg RSA -keystore /etc/pki/keystore
    

    [Sample Output]

    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  Rahul Kumar
    What is the name of your organizational unit?
      [Unknown]:  Web
    What is the name of your organization?
      [Unknown]:  TecAdmin Inc.
    What is the name of your City or Locality?
      [Unknown]:  Delhi
    What is the name of your State or Province?
      [Unknown]:  Delhi
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is CN=Rahul Kumar, OU=Web, O=TecAdmin Inc., L=Delhi, ST=Delhi, C=IN correct?
      [no]:  yes
    
    Enter key password for 
            (RETURN if same as keystore password):
    Re-enter new password:
    
    

    Step 2 – Get a CA-Signed SSL Certificate [Self-Signed Users Can Skip This]

    You don’t need to do this step if you are going to use a self-signed SSL certificate. If you want to purchase a valid SSL certificate from a certificate authority, you first need to create a CSR (certificate signing request) for the key generated in Step 1. Use the following command to do it.

    Create CSR:

    keytool -certreq -keyalg RSA -alias svr1.tecadmin.net -file svr1.csr -keystore /etc/pki/keystore
    

    The above command will prompt for the keystore password and generate the CSR file. Use this CSR to purchase an SSL certificate from any certificate authority.

    After the CA issues the certificate, you will have the following files: the root certificate, the intermediate certificate, and the issued certificate itself. In my case the filenames are:

    A. root.crt (root certificate)
    B. intermediate.crt (intermediate certificate)
    C. svr1.tecadmin.net.crt (certificate issued by the CA)

    Import them into the keystore in this order, root first and the issued certificate last, so that the full chain is present when the issued certificate is attached to the key entry.

    Install the root certificate:

    keytool -import -alias root -keystore /etc/pki/keystore -trustcacerts -file root.crt
    

    Install the intermediate certificate:

    keytool -import -alias intermed -keystore /etc/pki/keystore -trustcacerts -file intermediate.crt
    

    Install the issued certificate:

    keytool -import -alias svr1.tecadmin.net -keystore /etc/pki/keystore -trustcacerts -file svr1.tecadmin.net.crt
    

    Step 3 – Setup Tomcat Keystore

    Now go to your Tomcat installation directory, open the conf/server.xml file in your favorite editor, and update the configuration as below. Replace _password_ with the keystore password you set in Step 1. You may also change the port from 8443 to some other port if required.

        <Connector port="8443" protocol="HTTP/1.1"
                    connectionTimeout="20000"
                    redirectPort="8443"
                    SSLEnabled="true"
                    scheme="https"
                    secure="true"
                    sslProtocol="TLS"
                    keystoreFile="/etc/pki/keystore"
                    keystorePass="_password_" />
    

    Step 4 – Restart Tomcat

    Use your init script (if you have one) to restart the Tomcat service. In my case I use the shell scripts (startup.sh and shutdown.sh) for stopping and starting Tomcat.

    ./bin/shutdown.sh
    ./bin/startup.sh
    

    Step 5 – Verify Setup

    With all the required Tomcat configuration done, let's access Tomcat in your browser over HTTPS on the port configured in Step 3.

    [Screenshot: tomcat-with-ssl – Tomcat opened over HTTPS in the browser]

    Note: This article has been tested with Tomcat 7 on CentOS 6.5 using Java 8.
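    A pre-restart check for the Step 3 configuration, as an added example in Python (not code from the article or from Tomcat): it parses the Tomcat 7 style Connector attributes the article sets and reports a placeholder keystorePass, a legacy SSL sslProtocol, missing scheme/secure, a keystore file that is not on disk, and a plain HTTP connector whose redirectPort does not lead to an SSLEnabled connector. The sample server.xml is constructed and the keystore path is assumed.

```python
"""Lint the TLS Connector attributes of a Tomcat 7-style server.xml.
Added example, not code from the original article or from Tomcat."""
import os
import xml.etree.ElementTree as ET

# Constructed sample: the tutorial's Connector plus the default port-8080
# connector, so the HTTP->HTTPS redirect wiring can be checked too.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
               redirectPort="8443" SSLEnabled="true" scheme="https"
               secure="true" sslProtocol="TLS"
               keystoreFile="/etc/pki/keystore" keystorePass="_password_" />
  </Service>
</Server>
"""

def lint_connectors(server_xml):
    """Return a list of findings; an empty list means nothing to fix."""
    findings, ssl_ports, plain = [], set(), []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled", "false").lower() != "true":
            plain.append(c)
            continue
        ssl_ports.add(port)
        # scheme/secure tell webapps the request arrived over HTTPS.
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if c.get(attr) != want:
                findings.append(f"port {port}: {attr} should be {want!r}")
        # Legacy SSLv2/SSLv3 names must not be configured as the protocol.
        if c.get("sslProtocol", "TLS").upper().startswith("SSL"):
            findings.append(f"port {port}: sslProtocol must be TLS, not SSL")
        keystore = c.get("keystoreFile")
        if not keystore:
            findings.append(f"port {port}: keystoreFile is missing")
        elif not os.path.isfile(keystore):
            findings.append(f"port {port}: keystoreFile {keystore} not found")
        # The article's literal "_password_" must be replaced (Step 1 value).
        if c.get("keystorePass", "") in {"", "_password_", "changeit"}:
            findings.append(f"port {port}: keystorePass is a placeholder")
    # Every plain connector should redirect to a connector that is SSLEnabled.
    for c in plain:
        target = c.get("redirectPort")
        if target not in ssl_ports:
            findings.append(f"port {c.get('port')}: redirectPort {target} "
                            "is not an SSLEnabled connector")
    return findings
```

Run it against the real conf/server.xml before Step 4; any finding about the keystore file or password is exactly what surfaces as a "Protocol handler initialization failed" error at startup.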

    18 Comments

    1. jitendra on December 9, 2022 12:29 pm

      Hi,

      Can you please help me with this step, how do I do it?

      Install the issued certificate:

      Reply
    2. pooja on May 4, 2022 7:16 am

      Hello,
      I got three certificates from GoDaddy:

      1) number.pem
      2) number.crt
      3) bundle.crt

      Can anyone help me install them on CentOS?

      Reply
    3. sudhir bolisetty on October 13, 2021 3:47 pm

      Hi Rahul,
      I have imported the CA signed certificate into the keystore file and mapped it in server.xml, but I am getting a protocol error. Please suggest.

      Cmd used to import certificate into keystore:
      /usr/java/jdk1.8.0_301-amd64/jre/bin/keytool -import -alias XXXXXXXXXX -keystore /opt/fis/tomcat-bnbkuatrib-9.0.48/pki_cert/keystore -trustcacerts -file pki_cert
      error:
      ——-
      13-Oct-2021 20:28:34.677 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-9940]]
      org.apache.catalina.LifecycleException: Protocol handler initialization failed
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardService.initInternal(StandardService.java:561)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1049)
      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
      at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)
      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
      Caused by: java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry
      at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
      at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
      at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:232)
      at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1208)
      at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1221)
      at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
      at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
      at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
      … 13 more
      Caused by: java.io.IOException: Alias name [null] does not identify a key entry
      at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:349)
      at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
      at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
      … 20 more
      13-Oct-2021 20:28:34.678 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [589] milliseconds

      Reply
    4. Mayank Parekh on July 8, 2021 1:12 am

      Hello Rahul,

      I am getting error message:
      This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
      To enable trust install this certificate in Trusted Root Certificate Authorities store.
      How to find Trusted Root Certificate Authorities store path or location?
      How can I store it in the correct place?

      Reply
    5. Ram Badduri on January 13, 2021 1:59 am

      Hello Rahul,

      Thank you for this tutorial. I tried the steps as above, but my webpage is still showing a ‘self-signed cert’. It says it is invalid.

      Please help.

      Reply
    6. Tatsuya on January 6, 2021 1:40 am

      Hi Rahul,
      I am Tatsuya from Japan.
      Thanks for your nice article.
      I am trying the steps, but currently stuck.
      My situation is written in the following question
      https://stackoverflow.com/questions/65515892/redirect-http-to-https-using-tomcat-is-not-working/65517729#65517729

      Would you please help me?

      Reply
    7. neetu on September 22, 2020 10:34 am

      Hi Rahul,

      We have a company-provided SSL certificate and need to implement the same on Tomcat.
      I have created a keystore file as
      “keytool -genkey -alias star_comp_co_in -keyalg RSA -keystore C:\SSL\myserver.keystore”

      Cert files received from the client are:
      2021sslcertificate withkey (file type: Personal Information Exchange)
      DigiCertCA.crt (Security Certificate)
      star_comp_co_in (Security Certificate)
      TrustedRoot.crt (Security Certificate)

      I am running keytool command as

      for importing TrustedRoot.crt:
      keytool -import -alias root -keystore C:\SSL\myserver -trustcacerts -file C:\Certfiles\TrustedRoot.crt

      Getting error as

      keytool error: java.io.FileNotFoundException: C\Certfiles\TrustedRoot.crt (The system can not find the file specified).

      I am not able to run any of the import commands suggested here.
      Please help.

      Neetu

      Reply
      • Rahul on September 22, 2020 12:49 pm

        Try the trusted certificate path as: C:\\Certfiles\\TrustedRoot.crt

        Reply
    8. venkat on July 2, 2019 5:26 am

      Hi,

      How to extend the expiration date of a trustedCertEntry within a keystore?

      Reply
    9. shakti on June 3, 2019 9:31 am

      hello,

      I have some issue. How do I get the .key file?

      Reply
    10. Manoj on April 1, 2019 2:27 pm

      Thank you Rahul. The article is very informative. Could you please also let us know, in Step 3, how to use an encrypted password for keystorePass.

      Reply
    11. Carlos Daniel Cañón Carrero on September 15, 2018 12:40 am

      Thank you very much…
      It works for me 😀

      Reply
    12. Mohammed Anees on June 28, 2018 6:36 am

      Hi All, from the last screenshot I see a RED cross mark on HTTPS? Why is this still coming?
      Any ideas?

      Thanks and Regards,
      Mohammed Anees

      Reply
      • Rahul K. on June 29, 2018 1:52 am

        Hi Anees,

        For this tutorial, I have used a self-signed SSL certificate. That’s why it shows a red cross.

        Reply
    13. sac on June 22, 2018 10:54 am

      Hi Rahul,
      I am trying to enable HTTPS by installing SSL on my CentOS 7 Tomcat server. I have received an SSL certificate from GoDaddy, but while creating the CSR I used the “openssl req -new -newkey rsa:2048 -nodes -keyout myperimetrix.key -out myperimetrix.csr” command (output: “Generating a 2048 bit RSA private key”) to generate the CSR and have no idea how to proceed. Your commands look very easy to me to install, so I am trying to follow you. Now, do I need to regenerate the CSR to install SSL? Is it possible to run all these commands outside root, as I don’t want to disturb my server?

      Reply
      • Rahul K. on June 25, 2018 7:14 am

        Hi Sachin,

        As you wrote, you already got a certificate from GoDaddy. So you must have the CSR and private key that were used to issue the certificate from GoDaddy. You can use the same for installing on your Tomcat.

        In case you lost the private key and CSR, you need to generate a new private key and CSR on your system and then rekey your certificate on GoDaddy.

        Reply
    14. arun on October 4, 2017 11:31 am

      Good one. Thanks!

      Reply
    15. Jonathan on June 22, 2014 3:30 am

      Thank you very much for this tutorial. I want to configure my Tomcat instance to allow only SSL access to my webapps, so I’m following your instructions; however, I am not able to connect through 8443 or the https port/protocol, only the regular 8080 is active. I want to use a self-signed certificate to see if SSL works and then buy a trusted certificate, but in your instructions I can see that you import the trusted certificate. Is it not necessary to create the self-signed certificate and import it as well? Thanks in advance for your support to this noob.

      Reply
