Setup SSL Certificate On Tomcat
How To Set Up an Existing SSL Certificate On a Tomcat Server
You must have the following files:
- gd_bundle-g2-g1.crt (intermediate certificate)
- myorg.com.crt (Certificate)
- myorg.key (private key)
Required tools:
- keytool
- openssl
Steps/commands to integrate an existing SSL certificate on a Tomcat server:
- Import the intermediate certificate. The command below creates the keystore "my.keystore" if it does not yet exist (keytool prompts for a new keystore password) and stores the intermediate under keytool's default alias, mykey:
keytool -import -trustcacerts -file /path/to/gd_bundle-g2-g1.crt -keystore /path/to/my.keystore
- Import your CA-signed certificate by typing the following command (replace myorg.com.crt with the file name and location of your certificate):
keytool -import -alias sf -keystore /path/to/my.keystore -trustcacerts -file /path/to/myorg.com.crt
Make sure to use an alias (sf here, or any other distinct one): the previous command stored the intermediate under keytool's default alias (mykey), and a second import without -alias would try to reuse that same alias and fail.
- Export your key, certificate and CA certificate into a PKCS12 bundle via:
openssl pkcs12 -export -name servercert -in /path/to/myorg.com.crt -inkey /path/to/myorg.key -certfile /path/to/gd_bundle-g2-g1.crt -out /path/to/myp12keystore.p12
Here -in takes the server certificate and -inkey its private key; the intermediate is attached with -certfile so the bundle carries the whole chain (passing the intermediate to -in would pair the key with the wrong certificate).
- Import the PKCS12 file into the keystore my.keystore via:
keytool -importkeystore -deststorepass your_password -destkeystore /path/to/my.keystore -srckeystore /path/to/myp12keystore.p12 -srcstoretype PKCS12 -srcstorepass your_password
Replace your_password with the real passwords: -deststorepass is the keystore password chosen in the first step, -srcstorepass is the export password given to openssl.
- Now edit /opt/tomcat/conf/server.xml to make use of these certificates.
Replace the Connector elements for ports 80 and 443 with the ones below and restart Tomcat.
Note: these connectors give you strict HTTPS, with requests on port 80 redirected to port 443, for every resource that the application's web.xml protects with a <security-constraint> whose <transport-guarantee> is CONFIDENTIAL; redirectPort alone does not redirect unconstrained requests.
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           enableLookups="false"
           redirectPort="443"/>
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="/path/to/my.keystore"
           keystorePass="your_password" />