How to Install an SSL Certificate on Apache Tomcat Server


Here are step-by-step instructions to install an SSL certificate on a Tomcat server.

Released 19 years ago, Apache Tomcat server is one of the most popular choices when it comes to open-source servers. Among all Java application servers, Tomcat occupies a staggering 63.9% of the market share. But we’re not here to sing the praises of Tomcat, are we? So, let’s get to the SSL certificate installation process in Tomcat without wasting much time.

Before you begin…

You must make sure that the certificate files that you received from your certificate provider are stored in the same server directory as the keystore you created at the time of CSR generation.

If you’ve taken care of this requirement, you’re good to go.

Here’s how to install SSL in Tomcat

Step 1: Root Certificate Installation

First and foremost, you’ll need to install your root certificate file on your server. Run the following command to do it:

keytool -import -trustcacerts -alias root -file RootCertFileName.crt -keystore keystore.key

Now, you’ll receive a message that says “Certificate already exists in system-wide CA keystore under alias <…> Do you still want to add it to your own keystore? [no]:”. Choose Yes. If the installation was successful, a “Certificate was added to keystore” message will be displayed on your screen.

Step 2: Intermediate Certificate Installation

Depending on your CA, you may or may not need to do this step. That’s because not every CA provides an intermediate certificate. You only need to install an intermediate certificate if you have received one. Run the following command to do so:

keytool -import -trustcacerts -alias intermediate -file IntermediateCertFileName.crt -keystore keystore.key

A “Certificate was added to keystore” message will be displayed if this went well.

Step 3: Primary Certificate Installation

Type in the following command to install the primary certificate:

keytool -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore keystore.key

Once done successfully, you should see a “Certificate reply was installed in keystore” message on your screen.

Step 4: SSL Connector Configuration

Once all these steps are done successfully, you’ll need to configure your SSL connector. Without this, an SSL/TLS connection cannot be established. So, keep a close eye on this part.

You’ll need to change two things: the keystore file location and the keystore password.

  • First, copy your keystore file to the home directory

Note: On Unix and Linux systems, the home directory would be /home/user_name/ while it would be Settings\user_name\ on Microsoft Windows systems.

  • Open ${CATALINA_HOME}/conf/server.xml file in a text editor (e.g. Notepad)
  • You’ll need to uncomment the SSL Connector Configuration
  • Verify that the Connector Port is 443. If not, change it to 443.
  • Finally, check that the keystorePass matches the keystore password. Also confirm that the keystoreFile contains the path and file name of the keystore.

All done? The connector will look like:

<Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true">

<Factory className="" clientAuth="false" protocol="TLS" keystoreFile="/working/mykeystore" keystorePass="password"/>

</Connector>

  • Save the changes to server.xml file
  • Restart your Tomcat server

If everything went smoothly, your Tomcat server should now have an SSL/TLS certificate as your gatekeeper.
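A small check for the Step 4 settings, added here as an example and not part of the original article: it parses server.xml and reports an https connector that is still commented out, a port other than 443, a keystoreFile that is not a full path, or a keystorePass left at a placeholder. The function names and the sample file are constructed for illustration; reading the attributes from the Connector itself when no Factory is nested is an assumption about other Tomcat versions.

```python
import ntpath
import posixpath
import xml.etree.ElementTree as ET

# Constructed sample in the layout shown on this page (Connector + nested Factory).
SAMPLE = """<Server><Service name="Catalina">
<Connector port="8443" scheme="https" secure="true">
  <Factory clientAuth="false" protocol="TLS"
           keystoreFile="/working/mykeystore" keystorePass="password"/>
</Connector>
</Service></Server>"""

# "password" is the sample value above; "changeit" is Tomcat's default.
PLACEHOLDER_PASSWORDS = {"password", "changeit"}

def tls_settings(connector):
    """Merge the Connector's attributes with a nested Factory's, if present."""
    merged = dict(connector.attrib)
    factory = connector.find("Factory")
    if factory is not None:
        merged.update(factory.attrib)
    return merged

def check_server_xml(xml_text, expected_port="443"):
    """Return (port, finding) tuples for each active https connector."""
    root = ET.fromstring(xml_text)  # XML comments are skipped by the parser
    connectors = [c for c in root.iter("Connector") if c.get("scheme") == "https"]
    if not connectors:
        return [(None, "no active https Connector (still commented out?)")]
    findings = []
    for conn in connectors:
        cfg = tls_settings(conn)
        port = cfg.get("port")
        path = cfg.get("keystoreFile", "")
        pwd = cfg.get("keystorePass", "")
        problems = []
        if port != expected_port:
            problems.append(f"port is {port}, expected {expected_port}")
        if cfg.get("secure") != "true":
            problems.append('secure is not "true"')
        if not (posixpath.isabs(path) or ntpath.isabs(path)):
            problems.append("keystoreFile is missing or not a full path")
        if not pwd or pwd.lower() in PLACEHOLDER_PASSWORDS:
            problems.append("keystorePass is missing or a placeholder value")
        findings.extend((port, p) for p in problems)  # never echoes the password
    return findings

if __name__ == "__main__":
    for port, finding in check_server_xml(SAMPLE):
        print(f"[connector {port}] {finding}")
```

Run against the sample, it reports the 8443 port and the placeholder password; point it at the contents of your own server.xml before restarting Tomcat.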

