An SSL certificate lets the server encrypt the data exchanged between client and server. This tutorial guides you through securing a Tomcat server with an SSL certificate. Tomcat manages SSL certificates in Java KeyStore (JKS) format, so the keystore and the HTTPS connector must be configured correctly before the HTTPS port can be enabled.
Prerequisites
- Configure and install Tomcat on your server.
- Data inputs to install the SSL certificates are:
| Item | Description |
| --- | --- |
| Server IP address | The server's IP address, used to connect from your PC to the server. |
| Username | The username used to log in to the server. |
| Password | The password used to log in to the server. |
Steps to Follow
Certificate Installation
- Log in to your SSL Certificate Service Console and download the certificate you want to install.
- You need three files: the private key (privkey.pem), the SSL certificate (cert.pem) and the CA bundle (chain.pem). The private key is added to the JKS together with the certificate in the next steps.
- Using OpenSSL, you can create a PKCS12 keystore containing the certificate and private key as follows (privkey.pem does not need a password):
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -out cert_and_key.p12 -name tomcat -CAfile chain.pem -caname root
- Then convert the PKCS12 keystore into JKS (replace the placeholders in angle brackets with your own passwords):
keytool -importkeystore -deststorepass <changeit> -destkeypass <changeit> -destkeystore MyDSKeyStore.jks -srckeystore cert_and_key.p12 -srcstoretype PKCS12 -srcstorepass <thePasswordUsedInTheCommandAbove> -alias tomcat
- After that, import the CA chain (chain.pem) into the same keystore:
keytool -import -trustcacerts -alias root -file chain.pem -keystore MyDSKeyStore.jks
- The JKS output is now usable in a Tomcat Connector configuration.
- Edit the server.xml file in the conf directory by adding the following:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           <!-- Path of the keystore (absolute, or relative to the Tomcat installation directory) -->
           keystoreFile="conf/MyDSKeyStore.jks"
           <!-- Keystore password -->
           keystorePass="******"
           clientAuth="false"/>
- Next, restart Tomcat so that the updated configuration takes effect.
- The same configuration also allows you to use a Let's Encrypt certificate with Tomcat.
- The main parameters of the configuration file are described below:
– keystoreFile: Location of the keystore file. You can specify an absolute path or a path relative to the Tomcat installation directory (the CATALINA_BASE environment variable). If this parameter is not set, Tomcat reads a file named ".keystore" from the home directory of the operating system user running Tomcat.
– keystorePass: Keystore password. If you set a private key password during the certificate application, enter the private key password. Otherwise, enter the password in the keystorePass.txt file in the Tomcat folder.
– clientAuth: If set to true, Tomcat will require all SSL clients to provide a security certificate for identity verification.
- Finally, check whether the Tomcat server has started.
- If Tomcat is already running, use the following .bat scripts in sequence to stop and start it again:
shutdown.bat (shut down the Tomcat server)
startup.bat (start the Tomcat server)
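The closing advice is to verify the keystore and configuration settings when something goes wrong. The following script is an added example (not part of this tutorial and not Tomcat's own tooling) that parses a server.xml, finds every SSLEnabled Connector and checks the parameters described above: scheme and secure must match SSLEnabled, keystoreFile must resolve to an existing file (relative paths are resolved against the Tomcat installation directory, as Tomcat does), keystorePass must not be left as a placeholder, and clientAuth must hold a recognised value. The server.xml content, the keystore path and the password are constructed sample values modelled on the Connector shown in the tutorial; the placeholder-password list is an assumption of this example.

```python
"""Sanity-check the HTTPS Connector(s) in a Tomcat server.xml (added example)."""
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector from the tutorial.
# The keystore path and password are placeholders, not real values.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="conf/MyDSKeyStore.jks"
               keystorePass="******"
               clientAuth="false"/>
  </Service>
</Server>
"""

# Values that indicate the password was never filled in (assumption of this example).
PLACEHOLDER_PASSWORDS = {"", "******", "changeit", "<changeit>", "password"}


def check_ssl_connectors(server_xml_path, catalina_base):
    """Return a list of (port, finding) tuples for every SSLEnabled Connector.

    catalina_base is the Tomcat installation directory; a relative keystoreFile
    is resolved against it, which is how Tomcat resolves it as well.
    """
    findings = []
    tree = ET.parse(server_xml_path)
    for conn in tree.getroot().iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")

        # scheme/secure must agree with SSLEnabled, otherwise the webapp sees
        # the connection as plain HTTP even though TLS is in use.
        if conn.get("scheme") != "https":
            findings.append((port, 'scheme is not "https"'))
        if conn.get("secure", "false").lower() != "true":
            findings.append((port, 'secure is not "true"'))

        # keystoreFile: when absent Tomcat falls back to ~/.keystore of the OS user.
        ks = conn.get("keystoreFile")
        if ks is None:
            findings.append((port, "keystoreFile not set; Tomcat would use ~/.keystore"))
        else:
            ks_path = ks if os.path.isabs(ks) else os.path.join(catalina_base, ks)
            if not os.path.isfile(ks_path.strip()):
                findings.append((port, f"keystoreFile not found: {ks_path}"))
            if ks != ks.strip():
                findings.append((port, "keystoreFile has leading/trailing whitespace"))

        # keystorePass: a placeholder left in place means Tomcat cannot open the keystore.
        if conn.get("keystorePass", "") in PLACEHOLDER_PASSWORDS:
            findings.append((port, "keystorePass is empty or a placeholder"))

        # clientAuth: only true, false or want are meaningful to Tomcat.
        ca = conn.get("clientAuth", "false").lower()
        if ca not in ("true", "false", "want"):
            findings.append((port, f"clientAuth has unexpected value {ca!r}"))
    return findings


def demo(create_keystore=True):
    """Run the check on the constructed sample inside a temporary Tomcat directory."""
    with tempfile.TemporaryDirectory() as base:
        os.makedirs(os.path.join(base, "conf"))
        if create_keystore:
            # Empty file standing in for the JKS built with keytool above.
            open(os.path.join(base, "conf", "MyDSKeyStore.jks"), "wb").close()
        xml_path = os.path.join(base, "conf", "server.xml")
        with open(xml_path, "w", encoding="utf-8") as f:
            f.write(SAMPLE_SERVER_XML)
        return check_ssl_connectors(xml_path, base)


if __name__ == "__main__":
    for port, finding in demo():
        print(f"Connector port {port}: {finding}")
```

Run it against a real installation with `check_ssl_connectors("/path/to/tomcat/conf/server.xml", "/path/to/tomcat")`; an empty list means the connector attributes are consistent and the keystore file is where the configuration says it is. It does not open the keystore, so a wrong password still has to be confirmed with `keytool -list -keystore MyDSKeyStore.jks`.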
Following this tutorial, you have successfully installed an SSL certificate in JKS format on your Tomcat server, enabling secure HTTPS communication. Proper SSL configuration protects sensitive data and improves trust and compliance with security best practices. If you encounter any issues, check the Tomcat logs for errors and verify your keystore and configuration settings. With SSL in place, your Tomcat server is now more secure and ready to handle encrypted connections.