Tomcat SSL Certificate Installation

May 25, 2018 in WebServer

If you have not yet created a Certificate Signing Request (CSR) and ordered your certificate, see SSL Certificate CSR Creation

  1. To install the SSL Certificate file to your keystore, type the following command:

    keytool -import -trustcacerts -alias server -file your_site_name.p7b -keystore your_site_name.jks

  2. You should get a confirmation stating that the 'Certificate reply was installed in keystore.'

  3. If asked if you want to trust the certificate, choose y or yes.

  4. Your keystore file (your_site_name.jks) is now ready to be used on your Tomcat Server. Now, you need to configure your server to use it.

You must install the SSL Certificate file to the same keystore and under the same alias name (i.e. 'server') that you used to generate your CSR. If you try to install it to a different keystore, the install command in the next step will not work.

Configuring your SSL Connector
Before Tomcat can accept secure connections, you need to configure an SSL Connector.

  1. In a text editor, open the Tomcat server.xml file.

    The server.xml file is usually located in the conf folder of your Tomcat's home directory.

  2. Locate the connector that you want to use the new keystore to secure.

    Usually, a connector with port 443 or 8443 is used, as shown in step 4.

  3. If necessary, uncomment the connector.

    To uncomment a connector, remove the comment tags (<!-- and -->).

  4. Specify the correct keystore filename and password in your connector configuration.

    When you are done, your connector should look something like this:

    <Connector port='443' maxHttpHeaderSize='8192' maxThreads='150' minSpareThreads='25' maxSpareThreads='75' enableLookups='false' disableUploadTimeout='true' acceptCount='100' scheme='https' secure='true' SSLEnabled='true' clientAuth='false' sslProtocol='TLS' keyAlias='server' keystoreFile='/home/user_name/your_site_name.jks' keystorePass='your_keystore_password' />

    Note: If you are using a version of Tomcat prior to Tomcat 7, you need to change 'keystorePass' to 'keypass'.

  5. Save your changes to the server.xml file.

  6. Restart Tomcat.