Sometimes we may need to implement an SSL certificate in tomcat for Java projects. Implementing SSL in tomcat is somehow different from implementing in web servers like Nginx, Apache. 

Tomcat uses a Java KeyStore (JKS) repository to hold all of the security certificates and their corresponding private keys. This requires the use of the keytool utility that comes with the Java Development Kit (JDK) or the Java Runtime Environment (JRE).

Here at Ibmi Media, as part of our Server Management Services, we regularly help our Customers to perform related SSL Certificate configuration queries on Linux systems.

In this context, we shall look into how to install the SSL certificate on tomcat.

Steps to Install an SSL Certificate in Tomcat:

1. Create a Keystore

Java provides JKS also know as Java KeyStore as a security certificates repository. Both JDK and JRE provide command-line utility tool keytool for creating and managing Keystore. Run the following command to create a KeyStore:

$ keytool -genkey -alias tomcat.linuxapt.com -keyalg RSA -keystore /etc/pki/keystore

2. Create CSR

If you are going to install a self-signed certificate, you can avoid this step. If you want to install purchased SSL certificates, then you need to create a CSR file with the below command:

$ keytool -certreq -keyalg RSA -alias tomcat.linuxapt.com -file tomcat.csr -keystore /etc/pki/keystore

You will get a prompt to supply a Keystore password. Once the password is submitted, a CSR file will be generated. Use this CSR file to purchase a CA-signed SSL certificate.

3. Get CA signed SSL certificate

Once the certificate is issued by CA, you will have the following files. A domain (tomcat.linuxapt.com) is taken for example:

• tomcat.linuxapt.com (CA issued certificate).
• root.crt (Root certificates).
• intermediate.crt (Intermediate certificates).

i. Install the certificate

Import the CA-signed certificate using the following command:

$ keytool -import -alias tomcat.linuxapt.com -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/tomcat.linuxapt.com.crt

Where path-to-certificate is the certificate directory and tomcat.linuxapt.com.crt is the CA-signed SSL certificate.

ii. Install root certificate

Import root certificate using the following command:

$ keytool -import -alias root -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/root.crt

Where root.crt is the root certificate file.

iii. Install intermediate certificate

Run the following command to import intermediate certificate files:

$ keytool -import -alias intermediateca -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/intermediateca.crt

Where intermediateca.crt is the intermediate certificate file.

How to Change tomcat configuration ?

After importing all the required certificates, now it’s time to configure tomcat Keystore. Go to the tomcat installation folder and find the server.xml file. Update the configuration file with the following contents.

$ vi tomcat-installation-directory/config/server.xml

Example:

$ vi /opt/tomcat/config/server.xml
<Connector port="4443" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="4443"
SSLEnabled="true"
scheme="https"
secure="true"
sslProtocol="TLS"
keystoreFile="/etc/pki/keystore"
keystorePass="_password_" />

Here, port 4443 is being used. You can select any ports depending upon your environment.

How to restart the tomcat ?

Certificates installation has been completed. Restart the tomcat server to reflect the changes with the below commands:

$ path-to-tomcat/bin/shutdown.sh
$ path-to-tomcat/bin/startup.sh

Example,

$ /opt/tomcat/bin/shutdown.sh
$ /opt/tomcat/bin/startup.sh

How to Verify the certificate ?

Now access the tomcat server URL using any browser to verify the certificates:

https://tomcat-server:<Port>

Example,

https://tomcat.linuxapt.com:4443

[Need assistance in configuring SSL Certificates on your Server and Website ? We can help you. ]