Setup SSL Certificate On Tomcat

How To Setup Existing SSL Certificate On Tomcat Server

In this post we will set up an SSL certificate on a Tomcat server. We assume that you already have a certificate issued by a Certificate Authority such as GoDaddy or DigiCert; if you have not purchased one, you can use a self-signed certificate instead. Here is how to create a self-signed certificate.

You must have the following files:

  • gd_bundle-g2-g1.crt (intermediate certificate)
  • myorg.com.crt (Certificate)
  • myorg.key (private key)

Required tools:

  • keytool
  • openssl

Steps/Commands to integrate existing SSL certificate on Tomcat server:

  • Import the intermediate certificate. The command below creates the keystore “my.keystore” (if it does not exist yet) and adds the intermediate certificate to it; keytool will prompt you for a new keystore password, which you will need again in the later steps:

    keytool -import -trustcacerts -file /path/to/gd_bundle-g2-g1.crt -keystore /path/to/my.keystore

  • Import your certificate signed by the CA with the following command (replace myorg.com.crt with the file name and location of your certificate):

    keytool -import -alias sf -keystore /path/to/my.keystore -trustcacerts -file /path/to/myorg.com.crt
    Make sure to give this entry its own alias: the previous command already created an entry under keytool's default alias, and without -alias this command would try to reuse that same default alias and fail.

  • Export your key, certificate and CA certificate into a PKCS12 bundle. The server certificate goes in via -in (it must belong to the private key given with -inkey) and the intermediate bundle via -certfile:

    openssl pkcs12 -export -name servercert -in /path/to/myorg.com.crt -inkey /path/to/myorg.key -certfile /path/to/gd_bundle-g2-g1.crt -out /path/to/myp12keystore.12

  • Import the PKCS12 file into the keystore my.keystore:

    keytool -importkeystore -deststorepass your_password -destkeystore /path/to/my.keystore -srckeystore /path/to/myp12keystore.12 -srcstoretype PKCS12 -srcstorepass your_password
    Replace your_password with the real passwords: -deststorepass is the keystore password you chose in the first step, and -srcstorepass is the export password you gave to openssl pkcs12.

  • Now change the /opt/tomcat/config/server.xml file to make use of these certificates.
    Replace the “Connector” elements for port 80 and 443 with the ones below and restart Tomcat.
    Note: the configuration below redirects requests from port 80 to port 443. Tomcat only performs that redirect for resources whose web.xml <security-constraint> carries a CONFIDENTIAL transport-guarantee, so add one if every path must be served over HTTPS. server.xml now holds the keystore password in clear text, so keep its file permissions restricted to the user Tomcat runs as.

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               enableLookups="false"
               redirectPort="443" />

    <!-- keyAlias matches the -name given to openssl pkcs12 above, so Tomcat
         picks the server key rather than relying on keystore entry order -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/my.keystore"
               keystorePass="your_password"
               keyAlias="servercert" />
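Before running the pkcs12 and importkeystore steps it is worth checking that the private key really belongs to the server certificate and that the bundle carries the intermediate, since a wrong -in or -inkey file is the usual reason Tomcat later refuses to start the HTTPS connector. The script below is an added example, not code from the original post: it generates constructed throw-away self-signed files standing in for myorg.key, myorg.com.crt and gd_bundle-g2-g1.crt, and your_password is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the key/certificate
# pair and the PKCS12 bundle before importing it into my.keystore.
set -e

# key_matches_cert KEY CERT: succeeds only if the private key and the
# certificate share the same public key (catches a mismatched -inkey)
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# build_p12 KEY CERT CHAIN OUT PASS: server certificate via -in, intermediate
# bundle via -certfile, so the PKCS12 file carries the whole chain
build_p12() {
    openssl pkcs12 -export -name servercert -in "$2" -inkey "$1" \
        -certfile "$3" -out "$4" -passout "pass:$5"
}

# p12_cert_count P12 PASS: number of certificates stored in the bundle
# (expect 2 here: the server certificate plus the intermediate)
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# run_demo: builds constructed throw-away self-signed files standing in for
# myorg.key, myorg.com.crt and gd_bundle-g2-g1.crt, then prints the count
run_demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=myorg.com" \
        -keyout "$dir/myorg.key" -out "$dir/myorg.com.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/gd_bundle-g2-g1.crt" >/dev/null 2>&1
    key_matches_cert "$dir/myorg.key" "$dir/myorg.com.crt" || return 1
    # the CA's key must be rejected for the server certificate
    if key_matches_cert "$dir/ca.key" "$dir/myorg.com.crt"; then return 1; fi
    build_p12 "$dir/myorg.key" "$dir/myorg.com.crt" "$dir/gd_bundle-g2-g1.crt" \
        "$dir/myp12keystore.12" your_password
    p12_cert_count "$dir/myp12keystore.12" your_password
    rm -rf "$dir"
}

case "${1:-}" in --demo) run_demo ;; esac
```

Run it with `--demo` to exercise the constructed files; point key_matches_cert and build_p12 at your real myorg.key, myorg.com.crt and gd_bundle-g2-g1.crt to check an actual deployment.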
