How to Install an SSL certificate in Tomcat Servers?

A Complete Guide to Installing an SSL Certificate in a Tomcat Server.

Tomcat, also known as Apache Tomcat, is a well-known name in the network category. It owes its popularity to being an open source web server from the Apache Software Foundation. It is a pure Java HTTP web server that supports Java-based applications (JavaServer Pages (JSP) and Java servlets).

Follow the instructions below to install an SSL certificate in Tomcat.

Generating Certificate Signing Request (CSR):

Before obtaining a certificate from SSL2BUY, you need to create a CSR. Using this CSR, the CA will issue the certificate identifying your website as secured. The steps for creating a CSR are given below:

Local certificate creation:

keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>

Note: In a few cases, you will have to add the domain of your website (e.g. www.yoursite.org) in the “first and last name” field to create a working certificate.

Now, to create the CSR, type the following command:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>

Now you have a file named certreq.csr that you can present to the Certificate Authority.

CA certificate installation using X.509 format

  • Select the proper primary and secondary intermediate certificates.
  • Copy and paste the contents of the primary and secondary intermediate certificates into two separate text files. Make sure that there are no white spaces, line breaks or extra lines in the files.
  • Name the primary intermediate certificate text file primary_inter.cer.
  • To import this certificate into the keystore, use the following command:
    keytool -import -trustcacerts -alias primaryIntermediate -keystore your_keystore_filename -file primary_inter.cer
  • Name the secondary intermediate certificate text file secondary_inter.cer.
  • To import this certificate into the keystore, use the following command:
    keytool -import -trustcacerts -alias secondaryIntermediate -keystore your_keystore_filename -file secondary_inter.cer

Install SSL certificate

Download the certificate you received by e-mail, or copy and paste it. If the certificate was e-mailed as an attachment, download it and use it as it is. If the certificate was sent as text, copy and paste it into a text file.

Do not use Microsoft Word for this purpose, as it will introduce extra characters. Also, make sure that there are no white spaces or extra lines in the file.

It will look something like this:

-----BEGIN CERTIFICATE-----
[encoded data]
-----END CERTIFICATE-----

The five dashes before and after “BEGIN CERTIFICATE” and “END CERTIFICATE” are compulsory. There should be no white spaces, extra line breaks, or additional certificates in the file.
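The formatting rules above can be checked mechanically before the import. The following is an added example, not part of the original guide; the function names check_pem and sample_cert are assumptions, and the sample text is constructed placeholder data, not a real certificate.

```sh
#!/bin/sh
# Added example, not from the original guide: lint a certificate text file
# against the formatting rules above before running `keytool -import`.

# check_pem [FILE]: reads FILE (or stdin). Prints the first problem found and
# returns 1; returns 0 silently when the file is one clean certificate block.
check_pem() {
    awk '
        /\r/ { err = "carriage return (Windows line ending)"; exit }
        /^$/ { err = "blank line"; exit }
        $0 == "-----BEGIN CERTIFICATE-----" {
            if (inside) { err = "BEGIN inside an open certificate"; exit }
            inside = 1; certs++; next
        }
        $0 == "-----END CERTIFICATE-----" {
            if (!inside) { err = "END without BEGIN"; exit }
            inside = 0; next
        }
        /(BEGIN|END) CERTIFICATE/ { err = "malformed marker line"; exit }
        !inside { err = "text outside the certificate block"; exit }
        /[ \t]/ { err = "white space in encoded data"; exit }
        $0 !~ /^[A-Za-z0-9+\/=]+$/ { err = "non-base64 character"; exit }
        END {
            if (err != "")  { print "line " NR ": " err; exit 1 }
            if (inside)     { print "missing END marker"; exit 1 }
            if (certs != 1) { print "expected 1 certificate, found " (certs + 0); exit 1 }
        }
    ' "$@"
}

# Constructed sample: placeholder base64 text, not a real certificate.
sample_cert() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
        'Q29uc3RydWN0ZWQrc2FtcGxlL2RhdGE=' \
        '-----END CERTIFICATE-----'
}

sample_cert | check_pem && echo "clean file: ok"
# The same text pasted with a trailing blank line is rejected.
{ sample_cert; echo; } | check_pem || echo "rejected"
```

The check covers layout only; it does not decode the certificate or validate its contents.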

Type the command to import the SSL certificate as given below:

keytool -import -trustcacerts -alias your_alias_name -keystore your_keystore_filename -file your_certificate_filename

Note: The alias name must be the same as the one used when generating the private key and CSR.

Verify the contents of the Certificate

To list the contents of the keystore please type the following command:

keytool -list -v -keystore  your_keystore_filename >output_filename

Open the output file to view the contents of the keystore.

The SSL certificate should be imported under the alias whose “Entry Type” is PrivateKeyEntry or KeyEntry. If it is not, import it into the private key alias.
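The entry-type check described above can be scripted against the listing. This is an added example, not part of the original guide: the function names, the English-language keytool output and the constructed sample listing are assumptions, and it goes slightly beyond the text by also checking the certificate chain length, which stays at 1 while the alias still holds only the self-signed certificate created with the key.

```sh
#!/bin/sh
# Added example, not from the original guide: check `keytool -list -v` output
# to confirm the CA-issued certificate is attached to the private-key alias.

# Constructed sample listing, trimmed to the fields the check reads.
sample_listing() {
cat <<'EOF'
Keystore type: JKS

Your keystore contains 3 entries

Alias name: primaryintermediate
Entry type: trustedCertEntry

Alias name: secondaryintermediate
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

# entry_info ALIAS: print "<entry type> <chain length>" for ALIAS from a
# listing on stdin; aliases are compared case-insensitively.
entry_info() {
    awk -v want="$1" '
        /^Alias name: / { if (hit) exit; hit = (tolower(substr($0, 13)) == tolower(want)) }
        hit && /^Entry type: / { etype = substr($0, 13) }
        hit && /^Certificate chain length: / { chain = $NF }
        END { if (etype == "") exit 1; print etype, chain + 0 }
    '
}

# check_alias ALIAS: succeed only if ALIAS holds the key and a CA-signed chain.
check_alias() {
    info=$(entry_info "$1") || { echo "alias $1: not found"; return 1; }
    etype=${info% *}; chain=${info#* }
    case $etype in
        PrivateKeyEntry|KeyEntry|keyEntry) ;;
        *) echo "alias $1: $etype, not attached to the private key"; return 1 ;;
    esac
    if [ "$chain" -lt 2 ]; then   # a chain of 1 is still the self-signed cert
        echo "alias $1: chain length $chain, CA reply not imported"; return 1
    fi
    echo "alias $1: $etype, chain length $chain"
}

sample_listing | check_alias tomcat
```

Against a real keystore, pipe the listing command from this guide into check_alias with the alias used when the key was generated.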

Enabling SSL in your server.xml file

  • Open the server.xml config file in the text editor.
  • Search for the secure element in your config file (try searching for SSL Connector). By default, it should look something like this:
    <!-- SSL Connector on Port 8443 -->
    
    <!--
    <Connector
    className="org.apache.coyote.tomcat4.CoyoteConnector"
    port="8443" minProcessors="5"
    maxProcessors="75"
    enableLookups="false"
    acceptCount="10"
    connectionTimeout="60000" debug="0"
    scheme="https" secure="true">
    <Factory
    className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
    clientAuth="false" protocol="TLS"
    keystoreFile="insert path to the keystore here"
    keystorePass="insert keystore password here"/>
    </Connector>
    -->
    
  • Make sure the “keystoreFile” directive points to the correct keystore and the “keystorePass” directive contains the correct keystore password.
    NOTE: These directives are case-sensitive! Make sure the letters “F” and “P” in “keystoreFile” and “keystorePass” are in upper case.
  • If your keystore contains more than one private key alias, add the “keyAlias” directive to reference the correct private key alias name.
    For example:
    keystoreFile="insert path to the keystore here"
    keystorePass="insert keystore password here"
    keyAlias="insert private key alias here"/>
  • Save the changes.
  • Stop and Restart Tomcat

In order to verify the contents of the certificate, use the installation checker.

For further information, please refer to the Tomcat Web site.

About the Author

Nikita Gupta

Nikita Gupta is a seasoned professional with a master's degree in Computer Applications. She brings over 10 years of profound experience to the realm of technology. Her exceptional expertise spans software security, data security, and mastery in SSL/TLS. When it comes to cutting-edge solutions for securing digital assets, Nikita is a dedicated pro.
