How to Install SSL Certificate on Tomcat?

Guide for SSL Certificate Installation on Tomcat Web Server

Tomcat, often known as Apache Tomcat, is a well-known network name. Its popularity stems from the fact that it is an open-source web server developed by the Apache Software Foundation. Being a pure Java HTTP web server, it primarily supports Java-based applications (Java servlets and Java server pages [JSP]).

This quick guide will walk you through the essentials of proper Tomcat SSL configuration steps. You will learn how to configure SSL on Tomcat and how to enable SSL on Tomcat. So, let’s first start with generating a CSR for Tomcat.

How to Generate a CSR code for Tomcat

To install SSL certificate on Tomcat, we first need to generate your website’s CSR code (Certificate Signing Request). It is a block of text that includes up-to-date information about your domain ownership and business.

The CSR is a requirement for all purchasers of commercial SSL certificates to pass SSL validation and receive the Certificate. A trusted Certificate Authority (CA) will issue the certificate designating your website as secure using this CSR.

Local certificate creation

keytool -genkey -alias tomcat -keyalg RSA -keystore <your_keystore_filename>

Tip: In a few instances, you must fill out the “first-and-last name” boxes with your website’s domain (for example, www.yoursite.org) to create a valid certificate.

Now, enter the following command to create the CSR:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>

You can now present your Certificate Authority with a CSR file named certreq.csr.

A Step-by-Step Guide to Install an SSL Certificate on Tomcat Server

Choose the appropriate intermediate and primary certificates. You should copy and paste the primary and secondary intermediate certificates’ contents into two different text files. Verify the file is free of blank spaces, line breaks, and additional lines.

• Name the text file for the primary intermediate certificate e.g. primary-inter.cer.
• Use the following keystore Tomcat commands to import the above certificate into the Keystore.

keytool -import -trustcacerts -alias primaryIntermediate -keystore your_keystore_filename -file primary_inter.cer

• The text file for the second intermediate certificate should have the extension “.cer.”
• Use the following command in the Keystore to import the certificate.

keytool -import -trustcacerts -alias secondaryIntermediate -keystore your_keystore_filename -file secondary_inter.cer

Install the SSL certificate using Different Format

Certificate Authority may issue your SSL files in PEM or PKCS#7 format (.p7b or.cer extensions). (.crt extension). Decide on your files’ format, then follow the guidelines below:

CA certification installation using PKCS#7 format Certificate

Run the following command to add it to the keystore, as it already has the essential root and intermediate certificates:

keytool -import -trustcacerts -alias CompanyName -keystore example.jks -file example.p7b

Substitute your alias and file names for your CompanyName and example.

Now if you’ve imported the certificate successfully, you will see the message “Certificate reply was installed in keystore.” To verify the information on your certificate, use the command line:

keytool -list -keystore example.jks –v

CA certification installation using PEM Format Certificate:

Each required certificate file must be imported independently and in the proper sequence. Run the following commands for each type of certificate:

• Root Certificate:

keytool -import -alias root -keystore example.jks -trustcacerts -file root.crt

• Intermediate Certificate:

keytool -import -alias intermediate -keystore example.jks -trustcacerts -file intermediate.crt

If your certificate contains many intermediate certificates, import them all into the keystore. For proper installation, you need to stick with the correct order. As an example of the order, we have given the order for Sectigo-Positive SSL Certificate.:

• The certificate that the root has signed (e.g. crt)
• The diploma for intermediate (e.g. crt)

Primary Certificate:

keytool -import -alias CompanyName-keystore example.jks -file example.crt

How to Configure your server.xml file to allow SSL.

• Editing the Tomcat configuration file comes after the import. By default, it is located in the Home_Directory/conf folder and is called server.xml.
• You need to find the configuration file. Several lines of code resembling the example below should be visible:

<Connector port="443" protocol="HTTP/1.1"

SSLEnabled="true"

scheme="https" secure="true" clientAuth="false"

sslProtocol="TLS" keystoreFile="/your_path/yourkeystore.jks"

keystorePass="password_for_your_key_store" />

• Enter the directory of your keystoreFile as the value for the keystoreFile option. Enter your keystore password in the keystorePass attribute.

For the tip to note, if keystoreFile and keystorePass lines are missing, you must add them manually. As given below, you should also uncomment the connector tag by removing (<! and>), respectively.

• You should specify a valid Tomcat keystore file, and keystore password in the “keystoreFile” and “keystorePass” directives, respectively.

• Also, keep in mind that it is case sensitive; thus, you should make sure that “keystoreFile” and “keystorePass” begin with capital letters for the “F” and “P,” respectively.

• Please include the “keyAlias” directive to refer to the appropriate private key alias name if your keystore has several private vital aliases.

For instance:

keystoreFile=”insert path to the keystore here”

keystorePass=”insert keystore password here”

keyAlias=”insert private key alias here”/>

• Save changes and restart the Tomcat server.

Check Your Tomcat SSL Setup

Several undetected issues could enter after you install an SSL certificate on Tomcat and compromise the effectiveness of your certificate. Regularly verifying your SSL installation should become a habit. Choose our sophisticated SSL Checker tool to receive immediate scans and reports

Where to Buy SSL Certificate for Tomcat

There are several Certificate Authorities that offer an SSL certificate for Tomcat. They have an extensive selection of SSL certificates at attractive prices. If you feel confused, then the SSLWiki.org team can help you with finding the best SSL for Tomcat.

We have built good connections over the years with prominent SSL CAs so that you can get high-quality SSL certificates for your website.

Frequently Asked Questions

1. What does a Tomcat keystore do?

In Tomcat, a keystore is a file that holds private keys and SSL certificates. Secure connections are made using it via the internet. The SSL certificates used by Tomcat for SSL/TLS encryption are stored in the keystore.

2. How do I update Tomcat’s SSL certificate?

You must obtain a new SSL certificate from your Certificate Authority (CA) and install it on your Tomcat server to renew your SSL certificate. Upgrading the keystore and server.xml files allows you to set up Tomcat to use the new SSL certificate.

To maintain continuous SSL/TLS encryption, renewing your SSL certificate before it expires is critical. After the expiration of an old certificate, you can use the above Tomcat SSL configuration steps to change it to a new one.

3. What does Tomcat’s truststore mean?

A file containing SSL certificates from reputable Certificate Authorities is called a truststore in Tomcat (CAs). When communicating over SSL/TLS, Tomcat uses the truststore to check the SSL certificates that other servers have presented.

Tomcat, by default, uses the cacerts file, which contains SSL certificates from well-known CAs, as its truststore.

4. What exactly is a self-signed SSL certificate?

Most web browsers do not recognize self-issued SSL certificates, which can cause users to encounter security alerts when visiting websites that use them. It is in contrast to certifications certified by trusted CAs. Self-signed SSL certificates are frequently employed for development and testing.