How to Implement SSL/TLS in Apache Tomcat

Apache Tomcat is a powerful Java-based web server used to run Java Server Pages (JSP) and applications. If you use Tomcat, there is a good chance you work with sensitive data. In this article, we will look at how to implement SSL/TLS in Apache Tomcat. You can follow these steps to secure your website and application data against malicious attackers.


Here are the steps to implement SSL/TLS in Apache Tomcat. If you have not installed Tomcat on your system yet, refer to our step-by-step guide to installing Tomcat.


1. Create a Keystore

First, we will create a keystore file that stores all the keys required for the SSL/TLS implementation. It can be created in two ways: either create a new keystore with the keytool utility, or copy your existing keys into a keystore.

For our example, we will create a new keystore using the keytool application that ships with Java.

Run the following command to create the keystore. Replace tomcat and \path\to\keystore below with the alias and keystore location of your choice.

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore \path\to\keystore

You will see a series of prompts asking for details such as the password, organization name, etc. Make sure you enter a strong password that is not easy to guess and combines numbers, letters and special characters. We have used strong_password for our example. Also ensure that you enter your website's domain name for "first and last name", since we are securing a website (not an individual) with the SSL certificate.

Enter keystore password:strong_password
Re-enter new password:strong_password
What is your first and last name?
[Unknown]: yourdomain.com
What is the name of your organizational unit?
[Unknown]: Blogging
What is the name of your organization?
[Unknown]: Blog
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=yourdomain.com, OU=Blogging, O=Blog, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <yourdomain>
(RETURN if same as keystore password):

This creates the keystore file at the path you gave. If you omit the -keystore option, keytool creates a file named .keystore in your home directory, which is located at:

  • Windows: C:\Documents and Settings\[username]
  • Mac: /Users/[username]
  • Linux: /home/[username]



2. Create a CSR

Next, you need to create a certificate signing request (CSR), which the certificate authority (CA) uses to issue your SSL/TLS certificate.

Java keytool can also generate CSR files. Run the following command, using the same alias you chose in step 1.

$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias tomcat -file file.csr -keystore [path/to/keystore]

A CSR file named file.csr will be generated. Submit it to your CA (such as RapidSSL, Comodo, Norton, etc.) to obtain your SSL certificate bundle.



3. Install SSL Certificate

Download the root certificate from your CA, along with your site's intermediate certificate (if any) and the domain certificate, and save them into the keystore.

Here is the command to import the root certificate into the keystore. Replace [path/to/keystore] with the path to your keystore, and [path/to/root_certificate] with the path to your root certificate.

"%JAVA_HOME%\bin\keytool" -import -alias root -keystore [path/to/keystore] -trustcacerts -file [path/to/root_certificate]

Here is the command to import the intermediate certificate into the keystore. If your CA does not provide an intermediate certificate, you can skip this step. If it provides multiple intermediate certificates, import each of them, giving each a distinct alias.

"%JAVA_HOME%\bin\keytool" -import -alias intermediate -keystore [path/to/keystore] -file [path/to/intermediate_certificate]

Here is the command to import the domain certificate into the keystore. Use the same alias as the key pair created in step 1 (tomcat in our example), so that keytool installs the certificate into that key entry rather than adding it as a separate trusted certificate.

"%JAVA_HOME%\bin\keytool" -import -alias tomcat -keystore [path/to/keystore] -file [path/to/domain_certificate]



4. Configure Tomcat to Use SSL Certificate

Go to the Tomcat installation directory and open the conf/server.xml file in a text editor.

$ sudo vi conf/server.xml

Look for the line <!-- <Connector port="8443" ... /> -->

Uncomment this block by removing <!-- and -->. This enables a connector listening on port 8443, the default HTTPS port for Tomcat.

Tomcat supports two types of SSL configuration: JSSE and APR (Apache Portable Runtime). JSSE is the default. To use the default configuration, update the Connector block with the following code. Replace KeystorePassword and path/to/keystore with the keystore password (created in step 1) and the path to the keystore respectively.

<Connector port="8443" maxThreads="150" scheme="https" secure="true"
SSLEnabled="true" keystoreFile="path/to/keystore"
keystorePass="KeystorePassword" clientAuth="false" keyAlias="yourAlias"
sslProtocol="TLS"/>


If you want to use the APR configuration, use the following Connector block instead.

<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="/path/to/certificate.crt"
SSLCertificateKeyFile="/path/to/keyfile"
SSLPassword="KeystorePassword"
SSLCertificateChainFile="path/to/your/root/certificate" keyAlias="yourAlias"
SSLProtocol="TLSv1"/>

The key difference between the JSSE and APR configurations is that the SSLCertificateFile and SSLCertificateKeyFile attributes (which point at PEM files) replace the keystoreFile attribute.
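As a post-configuration check, here is a small audit script (added here; it is not from the article or the Tomcat project) that parses server.xml, finds every Connector with SSLEnabled="true", and flags deprecated protocol versions (such as the TLSv1 value in the APR block above) and a missing secure or scheme attribute. The sample XML, file paths and password are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (hypothetical paths/password) modelled on the
# JSSE and APR Connector blocks above; it is not a real deployment.
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="/path/to/keystore"
               keystorePass="KeystorePassword" clientAuth="false"
               keyAlias="tomcat" sslProtocol="TLS"/>
    <Connector port="8444" scheme="https" SSLEnabled="true"
               SSLCertificateFile="/path/to/certificate.crt"
               SSLCertificateKeyFile="/path/to/keyfile" SSLProtocol="TLSv1"/>
  </Service>
</Server>
"""

# RFC 8996 deprecates TLS 1.0/1.1; SSLv2/SSLv3 have long been broken.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def protocol_tokens(connector):
    """Protocol names from sslProtocol (JSSE), SSLProtocol (APR) and any nested
    <SSLHostConfig protocols="..."> element (Tomcat 8.5+ style)."""
    values = [connector.get("sslProtocol"), connector.get("SSLProtocol")]
    values += [h.get("protocols") for h in connector.findall("SSLHostConfig")]
    tokens = []
    for value in filter(None, values):
        tokens += [t.strip() for t in value.replace("+", ",").split(",")]
    return [t for t in tokens if t]


def audit_connectors(xml_text):
    """Return {port: [findings]} for every Connector with SSLEnabled="true"."""
    report = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = [f"deprecated protocol enabled: {t}"
                    for t in protocol_tokens(conn) if t in DEPRECATED_PROTOCOLS]
        # secure="true" and scheme="https" are what make request.isSecure() and
        # getScheme() report HTTPS to the application; both are easy to forget.
        if conn.get("secure", "false").lower() != "true":
            findings.append('secure="true" is missing')
        if conn.get("scheme") != "https":
            findings.append('scheme="https" is missing')
        report[conn.get("port", "?")] = findings
    return report
```

Run it against your real conf/server.xml by passing the file contents to audit_connectors; an empty findings list for a port means that connector passed these checks.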

Restart the Tomcat server to apply the changes.

Open a browser and go to https://localhost:8443 or https://localhost.

That's it. Your website is now served over https URLs.
