Knowledge Base

How To Install an SSL Certificate on a Tomcat Web Server

This article will walk you through installing an SSL Certificate on your Tomcat Web Server. You will first need to make sure that you have the SSL Certificate that we sent to your email. The instructions here use the keytool to install your certificate.

Make sure you have created a CSR before installing your certificate.

Just follow these steps (please make sure to specify an alias if you created one during the generation of your CSR):

  1. Import your Root Certificate using the following command:
     -> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt 
    -keystore domain.keystore
  2. Import your Intermediate or Intermediates using the following command:
    -> keytool -import -trustcacerts -alias intermediate_filename -file intermediate_filename.crt 
    -keystore domain.keystore

    NOTE: You may have multiple intermediate certificates, depending on the type of certificate you are installing. Install them in numerical order.

  3. Import the certificate for the domain/entity with the following command:
    -> keytool -import -trustcacerts -alias mykey -file yoursitename.crt -keystore domain.keystore

You should see a success message that reads: Certificate reply was installed in keystore if everything was entered correctly.

Now, you need to configure your server to use it by configuring an SSL Connector. Please do this before restarting your server.


How To Configure an SSL Connector With server.xml

Configuring this connector is a necessary prerequisite to making secure connections. There are two ways to configure this file - using server.xml, or using the admintool.

First, we will show you how to do it using server.xml.

  1. First, you will need to copy the keystore file to the home directory. In most cases, this is /etc/tomcat5.5 in Unix or Linux and C:\Program Files\Apache Software Foundation\Tomcat 5.5\ in Windows, although this may differ on your machine.

    NOTE: The server.xml file can usually be found in the conf folder of your Tomcat's home directory.

  2. Now you'll need to find the connector that you want to secure using this new key. Usually it is on port 443 or 8443.
  3. Sometimes the connector is commented out - in this case, uncomment the necessary connector by deleting the comment tags < !-- and -->.
  4. The keystore filename and password then need to be specified. When you have completed this step, your connector configuration ought to read according to this model:
    < Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
    maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100"
    scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
    keyAlias="server" keystoreFile="/home/your_user_name/your_website_name.jks"
    keystorePass="keystore_password" />

    NOTE: If your Tomcat version is earlier than version 7, you will need to change the command from "keystorePass" to "keypass".

  5. Save your server.xml file with the preceding changes.
  6. Restart your Tomcat server.

How To Configure an SSL Connector Using the admintool

These are the steps you need to follow to configure an SSL connector using the admintool:

  1. Boot up Tomcat.
  2. In a browser window, enter http://localhost:8080/admin. This will start up the admintool.
  3. Enter the admin username and password.
  4. On the left part of the screen you will see "Service". Select it.
  5. There will be a drop-down list on the right part of the screen. From it, select Create New Connector.
  6. Find the Type field. There, select HTTPS.
  7. Find the Port field. There, enter 443.
  8. If you left your default values as they were, the Keystore Name and Keystore Password can be left blank. If you named your keystore something other than .keystore and the directory is not in the home directory of the server that is running Tomcat, then these fields have to be filled in with the necessary information.
  9. Hit Save.
  10. Hit Commit Changes to make sure that the information is available the next time you start your server.

Congratulations, you're done. You should be able to make TLS-secured connections on your Tomcat server.

Did you find this article helpful?

* Your feedback is too short