- Basic configuration example. Your SSL configuration needs to contain, at minimum, the following directives (module names are ssl_module and mod_ssl.so; the certificate and key paths are placeholders):
  LoadModule ssl_module modules/mod_ssl.so
  Listen 443
  ServerName www.example.com
  SSLEngine on
  SSLCertificateFile "/path/to/www.example.com.cert"
  SSLCertificateKeyFile "/path/to/www.example.com.key"
Install a Let's Encrypt Certbot Certificate with Apache Server and a Reverse Proxy to Tomcat
Here are step-by-step instructions to install an SSL certificate in front of an Apache Tomcat server. Released 19 years ago, Apache Tomcat is one of the most popular choices among open-source servers. Among all Java application servers, Tomcat occupies a staggering 63.9% of the market share. The Apache Tomcat ® software is an open source implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations and Jakarta Authentication specifications. These specifications are part of the Jakarta EE platform. The Jakarta EE platform is the evolution of the Java EE platform. Tomcat 10 and later implement these specifications.
We assume the following is performed before proceeding.
- Linux server installed
- Apache Tomcat running on port 8080 on the same machine.
- Domain has been attached to this server (e.g. api.example.com)
If the server's domain is example.com, a virtual host for api.example.com must be set up before proceeding with this tutorial.
Assuming you have a web app running on Tomcat, check that it is accessible and working before continuing.
Why not use Certbot on Tomcat?
- Tomcat usually doesn't bind to port 80.
- Certbot certificate renewal may be challenging with Tomcat.
- Tomcat uses Java keystores, but Certbot creates PEM files.
- Certbot needs graceful reloads, which Tomcat does not handle well.
There are many benefits to running Apache in front of Tomcat: it relieves Tomcat of the burden of managing SSL/TLS and proxying.
Install Apache Server
Apache Server is installed on the default port 80. Opening http://api.example.com/ should show the default Apache page.
Let's Encrypt SSL on Apache
Let's Encrypt lets you install a free SSL certificate which can be renewed. In this article, we are going to install Let's Encrypt on Apache and forward the requests to Tomcat.
If you have already installed Certbot and get the following error, upgrade Certbot with the following command.
Follow the instructions and agree to the terms. You need to map the domain name to the IP address of this server, and use the same domain name for the SSL certificate. For example,
Remove the default SSL site file provided by Apache.
Since we did not alter anything in Apache, Certbot will generate the following conf file.
We will add the forwarding to this file. You can place it below the line containing
The DocumentRoot here is unused, since all requests will be forwarded to Tomcat.
Enable Proxy Modules
Now enable the following modules before restarting the Apache server.
If port 443 is open on your Linux machine, https://api.example.com/webapp will take you to the desired web app.
If correctly configured, Apache should restart properly and all requests sent to
will be forwarded to
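The following is an added example, not the conf file Certbot generated for the tutorial's author: it writes an SSL virtual host that combines the minimal SSL directives listed at the top of the page with the forwarding to Tomcat described in this section, then checks that every required directive is present. It assumes the domain api.example.com, the Let's Encrypt paths under /etc/letsencrypt/live/api.example.com/, Tomcat listening on 127.0.0.1:8080, and an output path supplied by the caller; the module names and the Debian a2enmod/apachectl commands are real, but whether they are on the machine is only checked, not assumed.

```shell
#!/bin/sh
# Added example (not the tutorial's own file): writes an Apache SSL virtual host
# that terminates TLS with the Let's Encrypt certificate and forwards everything
# to Tomcat on 127.0.0.1:8080, then checks that every required directive is present.
# Assumed values: domain given as $1 (e.g. api.example.com), certbot paths under
# /etc/letsencrypt/live/<domain>/, output file given as $2.

write_ssl_proxy_vhost() {
    domain="$1"   # e.g. api.example.com
    out="$2"      # e.g. /etc/apache2/sites-available/api.example.com-le-ssl.conf
    cat > "$out" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName ${domain}
    # DocumentRoot is unused: every request is forwarded to Tomcat.
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/${domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${domain}/privkey.pem

    # Keep the original Host header so Tomcat's <Host name="${domain}"> matches
    # and its Origin check succeeds; never act as a forward proxy.
    ProxyPreserveHost On
    ProxyRequests Off
    # Pass the original scheme to the backend (useful for RemoteIpValve).
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
</IfModule>
EOF
}

# Returns 0 if every directive the proxy setup needs is present, otherwise 1
# and prints the missing ones to stderr.
check_ssl_proxy_vhost() {
    conf="$1"
    missing=0
    for directive in SSLEngine SSLCertificateFile SSLCertificateKeyFile \
                     ProxyPreserveHost ProxyPass ProxyPassReverse; do
        if ! grep -q "^[[:space:]]*${directive}[[:space:]]" "$conf"; then
            echo "missing: ${directive}" >&2
            missing=1
        fi
    done
    return $missing
}

# Enables the modules the vhost needs and validates the whole config; only
# runs the Debian/Ubuntu helpers when they are installed.
enable_and_test() {
    command -v a2enmod >/dev/null 2>&1 && a2enmod ssl proxy proxy_http headers
    command -v apachectl >/dev/null 2>&1 && apachectl configtest
}

# Usage (as root on the Apache host):
#   write_ssl_proxy_vhost api.example.com /etc/apache2/sites-available/api.example.com-le-ssl.conf
#   check_ssl_proxy_vhost /etc/apache2/sites-available/api.example.com-le-ssl.conf && enable_and_test
```

ProxyPreserveHost is the detail that matters for the server.xml changes later in the tutorial: without it, Apache rewrites the Host header to 127.0.0.1:8080 and Tomcat's host matching never sees the public domain.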
Mapping the domain name to Tomcat
Newer versions of Tomcat check the Origin header. If the request below is made without an Origin header using any HTTP client, it will succeed. But Tomcat matches the Origin header against the host name specified in server.xml, so our next task is to update the host name value in server.xml.
Does Tomcat require the Origin header to work? No. But if you send an Origin header, it must match the host name. So a call with the Origin header set to 'api.example.com' (as a browser sends it) will not work, since <Host name='localhost'> is the default value.
Update the host name in server.xml to match the domain name used in the Apache virtual host. You need to change the
Also update your Connector tag in server.xml.
The following attributes inform Tomcat that it is being accessed via a reverse proxy with SSL.
If you do not add the proxy attributes to the Connector tag, every POST request will return a 403 error.
Close Port 8080
Also take care to close port 8080 to public access so that users cannot open the Tomcat server directly.
The above command helps you test whether everything is configured correctly with Apache.
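Added example covering the two server.xml changes above (Host name and Connector proxy attributes) together with the "close port 8080" step; it is not the tutorial's own commands. It assumes a stock conf/server.xml containing <Engine ... defaultHost="localhost">, <Host name="localhost" ...> and a <Connector port="8080" ...> line, and the domain api.example.com. Rather than a firewall rule, it closes 8080 by binding the connector to 127.0.0.1 with the Connector's address attribute, so only the local Apache proxy can reach Tomcat; proxyName, proxyPort, scheme and secure are the real Connector attributes for a TLS-terminating proxy.

```shell
#!/bin/sh
# Added example (not from the tutorial): rewrites server.xml so that the public
# domain is the Engine defaultHost and the Host name, marks the 8080 connector
# as sitting behind an HTTPS reverse proxy, and binds it to loopback.
# Assumptions: stock server.xml layout and domain api.example.com; a backup is
# written next to the original before any change.

patch_server_xml() {
    xml="$1"      # path to conf/server.xml
    domain="$2"   # e.g. api.example.com
    cp "$xml" "$xml.bak"
    # 1. Host name and Engine defaultHost both become the public domain so that
    #    an Origin header of https://api.example.com matches the host.
    sed -e "s/defaultHost=\"localhost\"/defaultHost=\"${domain}\"/" \
        -e "s/<Host name=\"localhost\"/<Host name=\"${domain}\"/" \
        "$xml" > "$xml.tmp" && mv "$xml.tmp" "$xml"
    # 2. Tell the 8080 connector it is behind a TLS-terminating proxy on 443 and
    #    bind it to 127.0.0.1 so it is unreachable from the network. Skipped when
    #    the attributes are already there, so re-running never duplicates them.
    if ! grep -q 'proxyName=' "$xml"; then
        sed -e "s/<Connector port=\"8080\"/<Connector port=\"8080\" address=\"127.0.0.1\" proxyName=\"${domain}\" proxyPort=\"443\" scheme=\"https\" secure=\"true\"/" \
            "$xml" > "$xml.tmp" && mv "$xml.tmp" "$xml"
    fi
}

# Prints the first <Host name="..."> value in the file.
host_name() {
    sed -n 's/.*<Host name="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Returns 0 when the 8080 connector carries every proxy/loopback attribute.
connector_is_proxied() {
    line=$(grep '<Connector port="8080"' "$1" || true)
    for attr in 'address="127.0.0.1"' 'proxyName=' 'proxyPort="443"' \
                'scheme="https"' 'secure="true"'; do
        case "$line" in
            *"$attr"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Usage: patch_server_xml /opt/tomcat/conf/server.xml api.example.com
#        connector_is_proxied /opt/tomcat/conf/server.xml && echo "ok, restart Tomcat"
```

Binding to 127.0.0.1 is a belt-and-braces measure next to the firewall: even if a firewall rule for 8080 is later removed, Tomcat itself never listens on a public interface.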
Apache SSLCertificateFile error: Does not exist or is empty.
If you get this error, run the command given below.
The error will name a file under /etc/letsencrypt/live, but those files are symlinks into /etc/letsencrypt/archive, so changing permissions on /etc/letsencrypt/live alone will not help.
Because of recent Let's Encrypt updates, changing permissions on archive does not work either. The following will result in
Syntax OK from
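An added diagnostic for the "does not exist or is empty" error, not the command the tutorial refers to: it follows each certificate path from the vhost file through the /etc/letsencrypt/live symlink to its archive target and reports which hop is broken (dangling link, unreadable target, or empty file), so the fix is applied in the right place. It assumes the paths are the SSLCertificateFile and SSLCertificateKeyFile values from the vhost; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example (not the tutorial's command): classifies why Apache rejects a
# certificate path. Exit codes: 0 readable and non-empty, 2 missing (including a
# live/ symlink whose archive/ target is gone), 3 not readable by this user,
# 4 exists but empty. Assumption: the path is a SSLCertificate*File value.

check_cert_file() {
    path="$1"
    if [ -L "$path" ]; then
        # Show where live/ points so the reader looks at the archive/ target.
        echo "$path -> $(readlink "$path")"
    fi
    if [ ! -e "$path" ]; then
        echo "missing: $path (the symlink target in archive/ does not exist)" >&2
        return 2
    elif [ ! -r "$path" ]; then
        echo "unreadable: $path (fix permissions on the archive/ target, not on live/)" >&2
        return 3
    elif [ ! -s "$path" ]; then
        echo "empty: $path" >&2
        return 4
    fi
    return 0
}

# Checks every cert/key referenced by an Apache vhost file and returns the
# first non-zero code from check_cert_file (paths are assumed space-free).
check_vhost_certs() {
    for f in $(sed -n 's/^[[:space:]]*SSLCertificate\(Key\)\{0,1\}File[[:space:]]\{1,\}"\{0,1\}\([^" ]*\)"\{0,1\}.*/\2/p' "$1"); do
        check_cert_file "$f" || return $?
    done
    return 0
}

# Usage: check_vhost_certs /etc/apache2/sites-available/api.example.com-le-ssl.conf
#        (run as the user Apache starts as, normally root, so the result matches
#        what Apache sees at startup)
```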
Use Java's Keytool to create a CSR and install your SSL/TLS certificate on your Tomcat (or other Java-based) server
Use these instructions to generate your certificate signing request (CSR) and install your SSL/TLS certificate on your Tomcat server using Java’s Keytool.
Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart the Tomcat service.
To create your certificate signing request (CSR), see Tomcat Server: Create Your CSR with Java Keytool.
To install your SSL certificate, see Tomcat Server: Install and Configure Your SSL/TLS Certificate.
To view these instructions in Spanish, see CSR para Tomcat and Tomcat Instalar Certificado SSL.
If you are looking for a simpler way to create CSRs, and install and manage your SSL/TLS certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and prepare your SSL/TLS certificate file for installation on your Tomcat server. See Tomcat: Create CSR & Install SSL/TLS Certificate with the DigiCert Utility.
I. Tomcat Server: Create Your CSR with Java’s Keytool
Use the instructions in this section to create a new keystore (.jks) file and to generate your CSR.
Recommended Method: Use the DigiCert Java Keytool CSR Wizard
Save yourself some time: Use the DigiCert Java Keytool CSR Wizard to generate a Keytool command to create your Tomcat keystore and CSR.
Simply fill out the form, click Generate, and then paste your customized Java Keytool command into your terminal.
The Java keytool utility creates both your private key and your certificate signing request, and saves them to two files: your_common_name.jks, and your_common_name.csr.
You can then copy the contents of the CSR file and paste it into the CSR text box in our order form.
Skip to Step 2, part 3: Save and Back-up Your Keystore File.
Do you prefer a more manual approach to generating your Tomcat keystore and CSR? Follow the instructions below.
Step 1: Use Keytool to Create a New Keystore
Important: We recommend you generate a new keystore following the process outlined in this section. Installing a new certificate to an old keystore often ends in installation errors or the SSL/TLS certificate not working properly. Before you begin this process, backup and remove any old keystores.
Navigate to the directory where you plan to manage your keystore and SSL/TLS certificate.
Enter the command below.
In the command above, your_site_name should be the name of the domain you want to secure with this SSL/TLS certificate. When ordering a Wildcard certificate, do not include the asterisk (*) in the filename (e.g., your_site_name). The asterisk is not a valid keytool character.
Create a Password
When prompted, create a password for your Keystore.
Note: You will specify this password in your Tomcat configuration file and then use it to generate your CSR and to import your certificate.
Store this password somewhere safe, such as a trusted and secured password manager.
Enter your SSL/TLS certificate information.
Important: When prompted for the first and last name, DO NOT type your first and last name. Instead, type the Fully Qualified Domain Name (FQDN) for the site you are securing with this certificate (e.g., www.yourdomain.com, mail.yourdomain.com). Are you ordering a Wildcard Certificate? Then your FQDN must begin with an asterisk (*) (e.g., *.yourdomain.com).
Enter your Organization information.
When prompted to verify your information, type y or yes to confirm.
When asked for a 'key password for <server>', press enter to use the password you just created for the keystore file.
Your keystore file, your_site_name.jks, is now created and in your current working directory.
Step 2: Generate a Certificate Signing Request (CSR) from your New Keystore
In Keytool, type the following command:
In the command above, your_site_name should be the name of the keystore file you created in Step 1: Use Keytool to Create a New Keystore or when using the DigiCert Java Keytool CSR Wizard.
When prompted, enter the password you created earlier (when you created your new keystore).
In your current directory, csr.txt (e.g., your_site_domain.txt) now contains your CSR.
Save and Back-up Your Keystore File
Take note of the path to your keystore file (your_site_domain.jks) as your SSL/TLS certificate will be installed to it later.
We recommend that you create a back-up copy of your Keystore file (your_site_domain.jks) before continuing. Having a back-up of the Keystore file can help resolve issues that may occur during SSL/TLS certificate installation.
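The following is an added example, not DigiCert's wizard output or the exact commands this guide elides: it runs Steps 1 and 2 above non-interactively, applies the wildcard filename rule (asterisk in the CN, never in the filename), backs up the keystore as recommended, and checks the CSR markers. It assumes a JDK keytool on PATH, the alias "server", placeholder organization values, and the keystore password supplied in the KEYSTORE_PASS environment variable instead of at the prompt.

```shell
#!/bin/sh
# Added example (not DigiCert's): keytool keystore + CSR generation without prompts.
# Assumptions: keytool on PATH, alias "server", placeholder DN values, password
# in $KEYSTORE_PASS. Files land in the current directory as <base>.jks/<base>.csr.

# Keystore/CSR base name: the FQDN with a leading "*." removed, since "*" is not
# a valid keytool filename character.
keystore_basename() {
    printf '%s\n' "$1" | sed 's/^\*\.//'
}

# Builds the -dname value. The CN is the FQDN itself (keeping "*" for wildcards),
# never a person's name.
build_dname() {
    fqdn="$1"; org="$2"; unit="$3"; city="$4"; state="$5"; country="$6"
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s\n' \
        "$fqdn" "$unit" "$org" "$city" "$state" "$country"
}

# The CSR must carry the markers the order form expects.
csr_looks_valid() {
    grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$1" &&
    grep -q -- '-----END NEW CERTIFICATE REQUEST-----' "$1"
}

# Step 1 + Step 2 + backup. Returns 127 without keytool, 2 without a password.
generate_keystore_and_csr() {
    fqdn="$1"
    base=$(keystore_basename "$fqdn")
    dname=$(build_dname "$fqdn" "Example Org" "IT" "Springfield" "Illinois" "US")
    command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH" >&2; return 127; }
    [ -n "$KEYSTORE_PASS" ] || { echo "set KEYSTORE_PASS first" >&2; return 2; }
    # Step 1: new keystore with a 2048-bit RSA key. Using the same value for
    # -keypass is what pressing Enter at the "key password" prompt does.
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -keystore "$base.jks" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" \
        -dname "$dname" || return 1
    # Step 2: CSR for that key, to be pasted into the order form.
    keytool -certreq -alias server -file "$base.csr" \
        -keystore "$base.jks" -storepass "$KEYSTORE_PASS" || return 1
    # Back up the keystore before ordering; the certificate is installed into it later.
    cp "$base.jks" "$base.jks.bak"
    csr_looks_valid "$base.csr"
}

# Usage: KEYSTORE_PASS='choose-a-strong-one' generate_keystore_and_csr '*.yourdomain.com'
#        -> yourdomain.com.jks, yourdomain.com.jks.bak, yourdomain.com.csr
```

Passing the password through the environment keeps it out of the shell history that a literal -storepass argument would leave behind; on a shared host, prefer keytool's interactive prompt or a file with restricted permissions.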
Order Your SSL/TLS Certificate
Open the .csr file you created with a text editor.
Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
Make sure that when you Select Server Software, you select Tomcat.
After you’ve received your SSL/TLS certificate from DigiCert, you can install it on your Tomcat server.