Tomcat Ssl

Tomcat ssl certificate install

Generate a CSR and install an SSL certificate on your Tomcat server in no time. Tomcat is an open-source web server from the Apache Software Foundation that executes Java servlets and serves pages containing JavaServer Pages (JSP) code. It is often described as the reference implementation of the Java Servlet and JavaServer Pages specifications.

These instructions show how to create a Certificate Signing Request (CSR) in Tomcat using the keytool command. Tomcat's keystore is a file that holds security-related items such as keys and certificates.

A JAVA_OPTS restriction is required; otherwise Tomcat (running on Java 8) will fall back to supporting earlier SSL protocols. Start Tomcat with C:\apache-tomcat-7.0.64-64bit\bin\startup.bat and confirm that JAVA_OPTS appears in the Tomcat startup log.

After DigiCert validates your order and issues your SSL/TLS certificate, you can use the DigiCert Certificate Utility for Windows to prepare the certificate file for installation on your Tomcat server.

The HTTPS service of the Tomcat server will not run until a server certificate has been installed. One tool for setting up a Tomcat server certificate is keytool, a key and certificate management utility; the procedure is described in the sections below.

Install a Let's Encrypt (Certbot) certificate on an Apache server and reverse proxy to a Tomcat server

We assume the following is performed before proceeding.

  • A Linux server is installed.
  • Apache Tomcat is running on port 8080 on the same machine.
  • A domain name points at this server (e.g. api.example.com).

If the server is reached as example.com, a virtual host for api.example.com must be set up before proceeding with this tutorial.

Check Servers

Assuming you have a web app running on Tomcat, check that the following is accessible and working:

Why not use certbot on Tomcat


  • Tomcat usually doesn't bind to port 80.
  • Certbot certificate renewal may be challenging with Tomcat.
  • Tomcat uses Java keystores, but Certbot creates PEM files.
  • Certbot needs graceful reloads, which Tomcat does not handle well.

There are many benefits to running Apache in front of Tomcat: it relieves Tomcat of the burden of managing TLS and proxying.

Install Apache Server

Apache Server is installed on the default port 80. This should open the default Apache page: http://api.example.com/

Let's Encrypt SSL on Apache

Let's Encrypt lets you install a free SSL certificate that can be renewed. In this article, we install Let's Encrypt on Apache and forward the requests to Tomcat.

If you have already installed Certbot and get the following error:

Upgrade Certbot with the following command:

Follow the instructions and agree to the terms. You need to map the domain name to the IP of this server, and use the same domain name for the SSL certificate, for example api.example.com.

Remove the default SSL configuration file provided by Apache.

Proxy Configuration

Since we did not alter anything in Apache, Certbot generates the following conf file:

We will add forwarding to this file. You can place it below the line containing DocumentRoot.

DocumentRoot is not used here: all requests are forwarded to Tomcat.

Enable Proxy Modules

Now enable the following modules before restarting the Apache server:

If port 443 is open on your Linux machine, https://api.example.com/webapp will take you to the desired web app.

If correctly configured, Apache restarts properly and all requests sent to

will be forwarded to
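The proxy configuration described above, as an added example that is not part of the original article: a small POSIX shell script that writes the Apache virtual host (TLS terminated with the Certbot files, every request forwarded to Tomcat), sanity-checks the result, and enables the proxy modules. It assumes the certificate files live under /etc/letsencrypt/live/<domain>/ as Certbot creates them, Tomcat listens on 127.0.0.1:8080, and the Debian-style a2enmod helper is present.

```shell
#!/bin/sh
# Added example, not from the original article. Assumptions: Certbot layout
# under /etc/letsencrypt/live/<domain>/, Tomcat on 127.0.0.1:<port>, a2enmod available.
set -eu

# write_vhost DOMAIN BACKEND_PORT OUTFILE: generate the 443 virtual host
write_vhost() {
    domain=$1; backend=$2; out=$3
    cat > "$out" <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName ${domain}
    # DocumentRoot is unused: every request is forwarded to Tomcat.
    DocumentRoot /var/www/html

    # Keep the original Host header so Tomcat's <Host name="${domain}">
    # matches and its Origin/Host comparison on POST requests succeeds.
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:${backend}/
    ProxyPassReverse / http://127.0.0.1:${backend}/

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/${domain}/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/${domain}/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf

    ErrorLog  \${APACHE_LOG_DIR}/${domain}-error.log
    CustomLog \${APACHE_LOG_DIR}/${domain}-access.log combined
</VirtualHost>
</IfModule>
EOF
}

# vhost_ok OUTFILE DOMAIN BACKEND_PORT: succeed only if the file carries the
# server name, the forwarding rule and the Let's Encrypt certificate path
vhost_ok() {
    grep -qF "ServerName $2" "$1" &&
    grep -qF "ProxyPass / http://127.0.0.1:$3/" "$1" &&
    grep -qF "SSLCertificateFile    /etc/letsencrypt/live/$2/fullchain.pem" "$1"
}

# enable_proxy_modules: modules Apache needs for the virtual host above
enable_proxy_modules() {
    a2enmod proxy proxy_http ssl
}

# Usage (as root):
#   write_vhost api.example.com 8080 /etc/apache2/sites-available/api.example.com-le-ssl.conf
#   vhost_ok /etc/apache2/sites-available/api.example.com-le-ssl.conf api.example.com 8080
#   enable_proxy_modules && apachectl configtest && systemctl reload apache2
```

ProxyPreserveHost is the setting that makes the later server.xml host-name change take effect, because without it Tomcat sees Host: 127.0.0.1 rather than the public domain.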

Mapping domain name to tomcat

Newer versions of Tomcat check the Origin header. If the request below is made without an Origin header, using any HTTP client, it succeeds. But Tomcat matches the Origin header against the host name specified in server.xml, so our next task is to update the host name value in server.xml.

Does Tomcat require an Origin header to work? No. But if a request carries an Origin header, it must match the host name. So a call to api.example.com with an Origin header of 'api.example.com' (as a browser sends) will not work, since <Host name='localhost'> is the default value.

Update the host name in server.xml to match the domain name used in the Apache virtual host: change name='localhost' to name='api.example.com'.

Also update your Connector tag in server.xml.

The following attributes tell Tomcat that it is being accessed through a reverse proxy over SSL:

If you skip the step above of adding the proxy attributes to the Connector tag, every POST request will return a 403 error.

Close Port 8080

Also close port 8080 to public access so that users cannot open the Tomcat server directly.
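The three server.xml changes just described (host name, proxy attributes on the Connector, no public access to 8080), as an added example that is not part of the original article. It assumes a stock server.xml layout (Host name="localhost", Engine defaultHost="localhost", a Connector on port 8080) and a sed that accepts multiple -e expressions. The proxyName, proxyPort, scheme, secure and address attributes are standard Tomcat Connector attributes; binding the Connector to 127.0.0.1 keeps 8080 off the public interface even before the firewall rule is in place, and the Engine's defaultHost is renamed together with the Host because Tomcat refuses to start a defaultHost that no Host element defines.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes a stock server.xml:
# <Host name="localhost" ...>, <Engine ... defaultHost="localhost">, <Connector port="8080" ...>.
set -eu

# configure_behind_proxy SERVER_XML DOMAIN: rewrite the file in place
configure_behind_proxy() {
    f=$1; domain=$2
    tmp="$f.tmp"
    sed \
      -e "s/<Host name=\"localhost\"/<Host name=\"${domain}\"/" \
      -e "s/defaultHost=\"localhost\"/defaultHost=\"${domain}\"/" \
      -e "s/<Connector port=\"8080\"/<Connector port=\"8080\" address=\"127.0.0.1\" proxyName=\"${domain}\" proxyPort=\"443\" scheme=\"https\" secure=\"true\"/" \
      "$f" > "$tmp" && mv "$tmp" "$f"
}

# attr FILE ELEMENT NAME: print the value of attribute NAME on the first
# <ELEMENT ...> opening tag (attributes on its first line are enough here)
attr() {
    grep -o "<$2[^>]*" "$1" | head -n 1 | sed -n "s/.* $3=\"\([^\"]*\)\".*/\1/p"
}

# behind_proxy_ok FILE DOMAIN: verify all the edits took effect
behind_proxy_ok() {
    [ "$(attr "$1" Host name)" = "$2" ] &&
    [ "$(attr "$1" Engine defaultHost)" = "$2" ] &&
    [ "$(attr "$1" Connector proxyName)" = "$2" ] &&
    [ "$(attr "$1" Connector scheme)" = "https" ] &&
    [ "$(attr "$1" Connector address)" = "127.0.0.1" ]
}

# Usage (Tomcat stopped; back the file up first):
#   configure_behind_proxy /opt/tomcat/conf/server.xml api.example.com
#   behind_proxy_ok /opt/tomcat/conf/server.xml api.example.com && echo configured
```

With address="127.0.0.1" set, a host firewall rule dropping inbound 8080 is still worthwhile as defence in depth, but the port no longer answers on the public address even without one.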

The command above helps you test whether everything is configured correctly with Apache.

Apache SSLCertificateFile error: Does not exist or is empty.

If you get this error, run the command given below.

The error names a file in /etc/letsencrypt/live, but those entries are symbolic links into /etc/letsencrypt/archive, so changing permissions on /etc/letsencrypt/live will not help.

Because of updates Let's Encrypt has made recently, changing permissions on archive no longer works either. The following results in Syntax OK from
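A small diagnostic for the error above, added here and not part of the original article: it follows the live/ symlink to the file that actually backs it under archive/ and reports whether that file is readable and non-empty, which is what Apache's "does not exist or is empty" check is complaining about. It assumes GNU readlink (readlink -f); the directory layout in the usage line is Certbot's standard one.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes GNU readlink -f.
set -eu

# cert_target PATH: print the real file behind a /etc/letsencrypt/live symlink
cert_target() {
    readlink -f "$1"
}

# cert_readable PATH: succeed only if PATH resolves to a readable, non-empty file
cert_readable() {
    t=$(cert_target "$1") || return 1
    [ -s "$t" ] && [ -r "$t" ]
}

# explain PATH: one-line verdict plus the permissions Apache will run into
explain() {
    t=$(cert_target "$1")
    if cert_readable "$1"; then
        echo "OK: $1 -> $t"
    else
        echo "PROBLEM: $1 -> $t (missing, empty, or not readable by $(id -un))"
        ls -ld "$t" "$(dirname "$t")" 2>&1 || true
    fi
}

# Usage: explain /etc/letsencrypt/live/api.example.com/fullchain.pem
#        explain /etc/letsencrypt/live/api.example.com/privkey.pem
```

Run it as the same user that starts Apache: the verdict depends on who is asking, and fixing permissions on the live/ directory changes nothing because the data lives in archive/.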

Setting Up a Server Certificate

In order to implement SSL, a Web server must have an associated certificate for each external interface, or IP address, that accepts secure connections. The theory behind this design is that a server should provide some kind of reasonable assurance that its owner is who you think it is, particularly before receiving any sensitive information. It may be useful to think of a certificate as a 'digital driver's license' for an Internet address. It states which company the site is associated with, along with some basic contact information about the site owner or administrator.

A Public Key Infrastructure (PKI) is used to create this environment.

The certificate is cryptographically signed by its owner and is difficult for anyone else to forge. For sites involved in e-commerce, or any other business transaction in which authentication of identity is important, a certificate can be purchased from a well-known Certificate Authority (CA) such as Verisign or Thawte.

If authentication is not really a concern, for example if an administrator simply wants to ensure that data transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection, you can save the time and expense of obtaining a CA certificate and use a self-signed certificate instead.

Certificates are used with the HTTPS protocol to authenticate Web clients. The HTTPS service of the Tomcat server will not run unless a server certificate has been installed. Use the procedure outlined below to set up a server certificate that can be used by Tomcat to enable SSL.

One tool that can be used to set up a Tomcat server certificate is keytool, a key and certificate management utility. It enables users to administer their own public/private key pairs and associated certificates for use in self-authentication (where the user authenticates himself/herself to other users/services) or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys (in the form of certificates) of their communicating peers.


A certificate is a digitally-signed statement from one entity (person, company, etc.), saying that the public key (and some other information) of some other entity has a particular value. When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.

The keytool stores the keys and certificates in a so-called keystore. The default keystore implementation stores the keystore as a file and protects private keys with a password. For more information on keytool, read its documentation at http://java.sun.com/j2se/1.4/docs/tooldocs/solaris/keytool.html.

Generate a key pair and a self-signed certificate.

The keytool utility enables you to create the certificate. The keytool utility that ships with the J2SE SDK programmatically adds a Java Cryptography Extension provider that has implementations of RSA algorithms. This provider enables you to import RSA-signed certificates. To generate the certificate, run the keytool utility as follows, replacing <keystore_filename> with the name of your keystore file:

Note: Tomcat looks for a keystore named .keystore in the home directory of the user on the machine on which Tomcat is running. As this is not very well suited to a server-based application, we recommend <$CATALINA_HOME/bin/.keystore> be used for the <keystore_filename>.

The keytool utility prompts you for the following information:

  1. Keystore password--Enter a password. (You may want to use changeit to be consistent with the default password of the J2SE SDK keystore.)
  2. First and last name--Enter the fully-qualified name of your server. This fully-qualified name includes the host name and the domain name. For testing purposes on a single machine, this will be localhost.
  3. Organizational unit--Enter the appropriate value.
  4. Organization--Enter the appropriate value.
  5. City or locality--Enter the appropriate value.
  6. State or province--Enter the unabbreviated name.
  7. Two-letter country code--For the USA, the two-letter country code is US.
  8. Review the information you've entered so far, and enter Yes if it is correct.
  9. Key password for Tomcat--Do not enter a password. Press Return.

A self-signed certificate is acceptable for most SSL communication. If you are using a self-signed certificate, skip to Configuring the SSL Connector. If you'd like to have your certificate digitally signed by a CA, continue with Obtaining a Digitally-Signed Certificate.

Obtaining a Digitally-Signed Certificate

Get your certificate digitally signed by a CA. To do this:

  • Generate a Certificate Signing Request (CSR).
  • Send the contents of the <csr_filename> for signing.
  • If you are using the Verisign CA, go to http://digitalid.verisign.com/. Verisign will send the signed certificate by email. Store this certificate in a file.
  • Import the signed certificate that you received by email into the server:

Import the certificate (if using a CA-signed certificate).

If your certificate will be signed by a Certification Authority (CA), you must import the CA certificate. You may skip this step if you are using only the self-signed certificate. If you are using a self-signed certificate or a certificate signed by a CA that your browser does not recognize, a dialog is triggered the first time a user tries to access the server. The user can then choose to trust the certificate for this session only or permanently. To import the certificate, perform these tasks:

  • Request the CA certificate from your CA. Store the certificate in a file.
  • To install the CA certificate in the Java 2 Platform, Standard Edition, run the keytool utility as follows. (You must have the required permissions to modify the $JAVA_HOME/jre/lib/security/cacerts file.)

NOTE: We recommend that the <trustcacerts-filename> be <$CATALINA_HOME/conf/cacerts>.
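The keytool steps from the three sections above (key pair and self-signed certificate, CSR for a CA, import of the CA certificate and signed reply), as one added example that is not part of the original tutorial. It runs non-interactively, so the answers the tutorial's prompts ask for are passed with -dname. Assumptions: Java 8 or later on PATH, a PKCS12 keystore at $CATALINA_HOME/conf/keystore.p12 rather than the tutorial's .keystore name, a key password equal to the store password (required for PKCS12), and a Subject Alternative Name set to the server name because modern browsers ignore the CN. The print_connector function at the end also covers the "Configuring the TLS Connector" section further down: it emits an HTTPS Connector for port 8443 that uses that keystore, allows TLS 1.2 only, and restricts the cipher suites to ECDHE-RSA AEAD suites, which is a stricter list than the page's own (missing) one.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Assumes keytool from Java 8+
# on PATH and a PKCS12 keystore; all names and passwords below are placeholders.
set -eu

# gen_keypair KEYSTORE PASSWORD FQDN: private key plus self-signed cert, alias "tomcat"
gen_keypair() {
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -validity 365 \
        -storetype PKCS12 -keystore "$1" -storepass "$2" -keypass "$2" \
        -dname "CN=$3, OU=Web, O=Example Org, L=City, ST=State, C=US" \
        -ext "SAN=dns:$3"
}

# gen_csr KEYSTORE PASSWORD CSRFILE: certificate signing request to send to the CA
gen_csr() {
    keytool -certreq -alias tomcat -keystore "$1" -storepass "$2" -file "$3"
}

# import_signed KEYSTORE PASSWORD CA_CERT SIGNED_CERT: CA chain first (under its own
# alias), then the signed reply under the key's alias so it replaces the self-signed cert
import_signed() {
    keytool -importcert -trustcacerts -alias root -file "$3" \
        -keystore "$1" -storepass "$2" -noprompt
    keytool -importcert -alias tomcat -file "$4" \
        -keystore "$1" -storepass "$2"
}

# has_private_key KEYSTORE PASSWORD: true if alias "tomcat" holds a key entry
has_private_key() {
    keytool -list -keystore "$1" -storepass "$2" -alias tomcat 2>/dev/null | grep -q PrivateKeyEntry
}

# print_connector KEYSTORE PASSWORD: HTTPS Connector element for server.xml.
# Tomcat 7/8 JSSE attribute names; Tomcat 8.5+ still accepts them but prefers SSLHostConfig.
print_connector() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           keystoreFile="$1" keystorePass="$2" keystoreType="PKCS12"
           sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"
           ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
EOF
}

# Usage:
#   KS=$CATALINA_HOME/conf/keystore.p12
#   gen_keypair "$KS" changeit api.example.com
#   gen_csr "$KS" changeit api.example.com.csr        # send this file to the CA
#   import_signed "$KS" changeit ca.crt api.example.com.crt
#   has_private_key "$KS" changeit && print_connector "$KS" changeit
```

The keystore password ends up in server.xml in clear text, exactly as in the tutorial's own Connector, so keep conf/server.xml readable only by the Tomcat user; a password other than the well-known changeit adds little if the file itself is world-readable.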

Configuring the TLS Connector

By default, a TLS Connector is not enabled. You will need to configure the TLS Connector in server.xml.

An example Connector element for a TLS connector is included in the default server.xml. This Connector element is commented out by default. To enable the TLS Connector for Tomcat, remove the comment tags around the SSL Connector element. To do this, follow these steps.

  • Shut down Tomcat, if it is running. Changes to the file <JWSDP_HOME>/conf/server.xml are read by Tomcat when it is started.
  • Open the file <TOMCAT_HOME>/conf/server.xml in a text editor.
  • Find the following section of code in the file (try searching for SSL Connector) and remove the comment tags around the Connector entry. The comment tags to be removed are shown in bold below.

These settings will still show (in some browsers) 'secure, but with minor errors' due to SHA-1 deprecation.

Edit this section so that it looks similar to:

As far as we know, this will pass the SHA-1 deprecation check, but we are not confident how many browsers will support this restricted list of cipher suites:

  • Save and close the file.
  • Start Tomcat.

The attributes in this Connector element are described in more detail in the Tomcat Administration Tool.

Verifying SSL Support

For testing purposes, and to verify that SSL support has been correctly installed on Tomcat, load the default Tomcat introduction page with the following URL:

The https in this URL indicates that the browser should use the SSL protocol. Port 8443 is where the SSL Connector was created in the previous step.

The first time a user loads this application, the New Site Certificate dialog is displayed. Select Next to move through the series of New Site Certificate dialogs, and select Finish when you reach the last dialog.

Configuring Container Authentication and Authorization

We have a couple of examples for configuring container authentication and authorization:

More Information

There might be more information on this subject on one of the following:

This page (revision-24) was last changed on 09-Aug-2015 09:50 by jim