How to configure Tomcat with SSL Support


Introduction

Apache Tomcat is an open-source web server and servlet container designed to run Java Servlets and JSP pages. In this article we will learn how to configure Tomcat to serve HTTPS (SSL/TLS) with a certificate issued by a public CA. The paths and service names below are those of the Debian/Ubuntu tomcat7 package (configuration under /etc/tomcat7). Tomcat 7 reached end of life in March 2021; the connector attributes used here are still accepted by Tomcat 8.5 and 9 (which map them onto the newer SSLHostConfig element), so the steps carry over if you adjust the paths.

How to enable SSL from scratch

To enable SSL, let's first create a keystore holding a new RSA key pair. keytool also puts a self-signed placeholder certificate into it, which the CA-issued certificate will replace later. Enter the command below on your Linux terminal and provide the required details. Make sure to use your domain name as the answer to 'What is your first and last name?': that answer becomes the certificate's CN, and a CN that does not match the host name you serve produces a certificate browsers reject. Give the key size explicitly; older JDKs default to 1024-bit RSA, which public CAs no longer sign. (-genkeypair is the current name of the command; the older spelling -genkey still works.)

keytool -genkeypair -alias mydomain.com -keyalg RSA -keysize 2048 -keystore mydomain.com.jks


Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  mydomain.com
What is the name of your organizational unit?
  [Unknown]:  Software Development
What is the name of your organization?
  [Unknown]:  Laymanclass
What is the name of your City or Locality?
  [Unknown]:  Hyderabad
What is the name of your State or Province?
  [Unknown]:  Andhra Pradesh
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=mydomain.com, OU=Software Development, O=Laymanclass, L=Hyderabad, ST=Andhra Pradesh, C=IN correct?
  [no]:  yes

After you confirm the DN, keytool asks for a key password ('RETURN if same as keystore password'); press Enter. Tomcat's connector uses keystorePass to open both the keystore and the key entry unless you also set keyPass, so a key password that differs from the keystore password is the most common reason an HTTPS connector refuses to start. This generates mydomain.com.jks in the current directory. Now generate a CSR (Certificate Signing Request) from the keystore:

keytool -certreq -keyalg RSA -alias mydomain.com -file mydomain.com.csr -keystore mydomain.com.jks 

Enter keystore password:

This command generates a CSR named mydomain.com.csr in the current directory. Submit it to your CA (Certificate Authority), for example GoDaddy or Comodo; after validating the request the CA issues the certificate for your domain together with its intermediate certificates. The private key never leaves mydomain.com.jks, so keep that file and its password safe: the issued certificate is useless without it.

Once you receive the certificates, import them into the keystore above. The CA usually sends several files; you need two of them:

  • the CA chain bundle, i.e. the intermediate certificate(s) that link your certificate to the CA's root (for GoDaddy a file like gd_bundle-g2-g1.crt)
  • your domain certificate (for GoDaddy a file with a random name like 1dafd1sfa2.crt)

Import the bundle first, under its own alias. keytool needs every issuer in the chain to be present as a trusted entry before it accepts the domain certificate; otherwise the next step fails with 'Failed to establish chain from reply'. Note that a trusted-certificate import stores one certificate per alias: if the bundle file contains more than one BEGIN CERTIFICATE block, split it and import each certificate under a separate alias (for example intermediate and root). Confirm the file names with your CA if in doubt.

keytool -import -alias root -keystore mydomain.com.jks -trustcacerts -file bundle.crt 

Then import your domain certificate under the alias of the key pair (mydomain.com), so keytool treats it as the certificate reply for that key rather than as a new trusted entry. Here we assume the file is named mydomain.com.crt; confirm this with your CA. -trustcacerts lets keytool also consult the JDK's own cacerts file when it builds the chain.

keytool -import -alias mydomain.com -keystore mydomain.com.jks -trustcacerts -file mydomain.com.crt

keytool prints 'Certificate reply was installed in keystore' on success. You can verify the result with keytool -list -v: the mydomain.com entry should now be a PrivateKeyEntry whose 'Certificate chain length' is 2 or more, because Tomcat sends exactly this stored chain to clients.

Now move the keystore to the Tomcat configuration folder (/etc/tomcat7 for the Debian/Ubuntu package; $CATALINA_BASE/conf for a tarball install). The file contains your private key, so afterwards make it owned by root with group tomcat7 and mode 640 (or owned by the tomcat7 user with mode 600): it must be readable by the account Tomcat runs as and by nobody else.

mv mydomain.com.jks /etc/tomcat7/
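The import steps above, scripted as an added example (this is not code from the original article): it splits the CA bundle so that every certificate gets its own alias, imports the domain certificate as the reply for the key pair, reads the chain length back out of the keystore and installs the file with restrictive permissions. The alias names chain-N, the RUN_IMPORT and KEYSTORE_PASS variables and the file names are assumptions; the two-certificate bundle in the self-test is constructed placeholder data, not a real certificate.

```shell
#!/bin/sh
# Added example (not part of the original article): import a CA bundle into
# the Tomcat keystore one certificate per alias, add the domain certificate as
# the reply for the private key, and confirm the stored chain. Aliases chain-N,
# the RUN_IMPORT/KEYSTORE_PASS variables and the file names are assumptions.
set -eu

# Split a PEM bundle into one file per certificate and print how many there
# were. A trusted-certificate import stores one certificate per alias, so a
# two-certificate bundle imported once would silently lose its second member.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/chain-%02d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  ' "$1"
}

# Import each chain certificate as a trusted entry, then the domain certificate
# under the alias of the key pair created with -genkeypair. -trustcacerts also
# lets keytool use the JDK's own cacerts file when it builds the chain.
import_chain() {
  keystore=$1; storepass=$2; alias=$3; domain_cert=$4; chaindir=$5
  i=0
  for c in "$chaindir"/chain-*.pem; do
    i=$((i + 1))
    keytool -importcert -noprompt -trustcacerts -alias "chain-$i" -file "$c" \
      -keystore "$keystore" -storepass "$storepass"
  done
  # Fails with "Failed to establish chain from reply" if an issuer is missing.
  keytool -importcert -trustcacerts -alias "$alias" -file "$domain_cert" \
    -keystore "$keystore" -storepass "$storepass"
}

# Chain length recorded on the key entry. Tomcat sends exactly this chain to
# clients, so it must be at least 2 for a CA-issued certificate.
keystore_chain_length() {
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" \
    | awk -F': *' '/Certificate chain length/ { print $2; exit }'
}

# Self-test of the splitter on a constructed bundle (placeholder base64, not
# real certificates); a real bundle would be e.g. gd_bundle-g2-g1.crt.
demo_split() {
  tmp=$(mktemp -d)
  cat > "$tmp/bundle.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBconstructedIntermediateCertificateBodyAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedRootCertificateBodyBBBB
-----END CERTIFICATE-----
EOF
  n=$(split_pem_bundle "$tmp/bundle.crt" "$tmp/chain")
  rm -rf "$tmp"
  echo "$n"
}

echo "self-test: bundle split into $(demo_split) certificates"

# Real run against the article's file names, opt-in so that the self-test
# above works without a JDK or the real certificate files.
if [ "${RUN_IMPORT:-0}" = 1 ]; then
  pass=${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}
  split_pem_bundle gd_bundle-g2-g1.crt ./chain >/dev/null
  import_chain mydomain.com.jks "$pass" mydomain.com mydomain.com.crt ./chain
  echo "chain length on mydomain.com: $(keystore_chain_length mydomain.com.jks "$pass" mydomain.com)"
  # The keystore holds the private key: root-owned, readable by group tomcat7 only.
  install -m 640 -o root -g tomcat7 mydomain.com.jks /etc/tomcat7/mydomain.com.jks
fi
```

Run it once without arguments to see the splitter self-test, then with RUN_IMPORT=1 KEYSTORE_PASS=... in the directory holding mydomain.com.jks, the bundle and the domain certificate. A printed chain length of 1 means the domain certificate was stored without its issuers and clients will see an incomplete chain.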

Finally, configure an HTTPS connector that uses this keystore. Open /etc/tomcat7/server.xml in your favourite editor and look for the existing HTTP connector, which looks something like this:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />

Leave it as it is. Its redirectPort already points at 8443, which is where Tomcat sends requests that a web application's security-constraint marks as CONFIDENTIAL, so that is the port the HTTPS connector should listen on. Do not simply add SSLEnabled="true" to this connector: that turns port 8080 into an HTTPS-only port whose redirectPort points at nothing. Instead add a second connector directly below it (the stock server.xml ships a commented-out template for it). The attributes that matter are:

SSLEnabled="true" 
scheme="https" secure="true"
keystoreFile="/etc/tomcat7/mydomain.com.jks" keystorePass="<your-keystore-password>" clientAuth="false" sslProtocol="TLS"

So the final config will look something like below. Do NOT forget to put your password in 'keystorePass' (it must also be the key password, or add keyPass="..."). The password now sits in clear text in server.xml, so that file must be readable by root and the tomcat7 account only. sslEnabledProtocols="TLSv1.2" keeps SSLv3 and TLS 1.0/1.1 off; it needs Java 7 or later.

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           keystoreFile="/etc/tomcat7/mydomain.com.jks"
           keystorePass="<your-keystore-password>"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           URIEncoding="UTF-8" />

If you do not want a plain HTTP port open at all, move these attributes onto the port 8080 connector instead and drop its redirectPort; either way a connector must never have SSLEnabled="true" and a redirectPort pointing at itself.

That's all. Restart the Tomcat service. If the HTTPS connector fails to start (wrong keystore path or password, a key password that differs from the keystore password, or the file not being readable by the tomcat7 account), the reason is logged in /var/log/tomcat7/catalina.out. Then open https://mydomain.com:8443/ in a browser and check that the certificate is reported as issued by your CA and not the self-signed placeholder created by keytool.

systemctl restart tomcat7

How to enable SSL using an existing CSR file

If you already have a CSR that a CA has validated (for example one generated with openssl on another machine), you can use the issued certificate directly. After validation the CA issues several files; for GoDaddy, look for the two files with the .crt extension. We also need the private key that was used to generate the CSR (for more info see this article on how to generate a CSR file). So in all we need 3 files:

  • the domain certificate issued by the CA (for GoDaddy something like 31qqwfw1313.crt)
  • the CA chain bundle issued by the CA (for GoDaddy something like gd_bundle-g2-g1.crt)
  • the private key file used to generate the CSR

We need to pack the key and both certificate files into a keystore and configure Tomcat to use it. It is very easy. Follow the steps below.

First combine the key, the domain certificate and the CA bundle into a PKCS#12 file. -certfile puts the chain in (without it Tomcat would send only your own certificate, and clients that do not already know the intermediate would fail to verify it) and -name sets the alias Tomcat will see. No keystore has to be created beforehand.

openssl pkcs12 -export -inkey mydomain.com.key -in mydomain.com.crt -certfile gd_bundle-g2-g1.crt -name mydomain.com -out mydomain.com.p12

Then convert the PKCS#12 file to a JKS keystore. keytool creates mydomain.com.jks if it does not exist yet; use the same password for the destination keystore as for the PKCS#12 file, because Tomcat uses keystorePass for both the store and the key entry.

keytool -importkeystore -srckeystore mydomain.com.p12 -srcstoretype PKCS12 -destkeystore mydomain.com.jks

(Tomcat can also load the .p12 directly if you set keystoreType="PKCS12" on the connector, in which case this conversion is unnecessary.)

Move the keystore to the Tomcat configuration folder (/etc/tomcat7 for the Debian/Ubuntu package). It contains the private key, so restrict it to root and the tomcat7 account as described in the previous section.

mv mydomain.com.jks /etc/tomcat7/
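The PKCS#12 route above, as an added example (not code from the original article): it checks that the key file really belongs to the issued certificate before anything is packed, builds the PKCS#12 with the chain included, counts the certificates stored in it and optionally converts it to JKS with one password for store and key. It needs openssl on the path; keytool is only used by the optional conversion. The self-test generates a throwaway CA and leaf on the spot (constructed data, not real CA material), and the password changeit and the alias mydomain.com are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): build the PKCS#12 for the
# "existing CSR" route so that it carries the private key, the domain
# certificate and the CA chain, after checking that the key really belongs to
# the certificate. Needs openssl; keytool only for the optional JKS conversion.
set -eu

# Compare the public key inside the certificate with the one derived from the
# private key. A mismatched .key (e.g. the key of an older CSR) would otherwise
# surface only as a handshake failure after the Tomcat restart.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# key + leaf certificate + chain bundle -> PKCS#12 under a friendly name that
# Tomcat can select with keyAlias. -certfile is what puts the chain in.
build_pkcs12() {
  key=$1; cert=$2; chain=$3; out=$4; name=$5; pass=$6
  openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
    -name "$name" -out "$out" -passout "pass:$pass"
  chmod 600 "$out"   # the file now contains the private key
}

# Number of certificates stored in the PKCS#12: 1 means the chain is missing.
pkcs12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Optional conversion to JKS. The same password is used for the PKCS#12, the
# JKS and the key entry, which is what Tomcat's keystorePass expects.
pkcs12_to_jks() {
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
    -destkeystore "$2" -deststoretype JKS -deststorepass "$3" \
    -srcalias "$4" -destalias "$4"
}

# Self-test with a constructed throwaway CA and leaf (generated on the spot,
# not real CA material). Prints "yes no 2": the right key matches, the CA's
# key does not, and the resulting PKCS#12 holds leaf + issuer.
demo() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Constructed Test CA' \
    -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mydomain.com' \
    -keyout "$tmp/mydomain.com.key" -out "$tmp/mydomain.com.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$tmp/mydomain.com.csr" \
    -CA "$tmp/ca.crt" -CAkey "$tmp/ca.key" -CAcreateserial \
    -out "$tmp/mydomain.com.crt" 2>/dev/null
  if key_matches_cert "$tmp/mydomain.com.key" "$tmp/mydomain.com.crt"; then ok=yes; else ok=no; fi
  if key_matches_cert "$tmp/ca.key" "$tmp/mydomain.com.crt"; then bad=yes; else bad=no; fi
  build_pkcs12 "$tmp/mydomain.com.key" "$tmp/mydomain.com.crt" "$tmp/ca.crt" \
    "$tmp/mydomain.com.p12" mydomain.com changeit
  n=$(pkcs12_cert_count "$tmp/mydomain.com.p12" changeit)
  rm -rf "$tmp"
  echo "$ok $bad $n"
}

if command -v openssl >/dev/null 2>&1; then
  demo
fi
```

For the real files call key_matches_cert, build_pkcs12 and, if you want a JKS, pkcs12_to_jks with your own paths and the keystore password you will put in server.xml. If keytool reports a wrong password on a .p12 written by OpenSSL 3 while the password is correct, the JDK is too old for OpenSSL 3's default PBKDF2/AES protection; re-export with the -legacy option of openssl pkcs12.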

Finally, configure Tomcat to use this keystore. Open /etc/tomcat7/server.xml in your favourite editor and look for the existing HTTP connector, which looks something like this:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           redirectPort="8443" />

Leave it in place (its redirectPort already points at 8443) and add a second, HTTPS connector below it rather than switching this one to SSL. The attributes that matter are:

SSLEnabled="true" 
scheme="https" secure="true"
keystoreFile="/etc/tomcat7/mydomain.com.jks" keystorePass="your-keystore-password" clientAuth="false" sslProtocol="TLS"

So the final config will look like below. Do NOT forget to put your password in 'keystorePass' (it must also be the key password), and keep server.xml unreadable to other users now that it contains it. Add keystoreType="PKCS12" if you kept the .p12 instead of converting it to JKS.

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           keystoreFile="/etc/tomcat7/mydomain.com.jks"
           keystorePass="your-keystore-password"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           URIEncoding="UTF-8" />

That's all. Restart the Tomcat service, check /var/log/tomcat7/catalina.out for connector errors, and confirm in a browser that https://mydomain.com:8443/ presents the CA-issued certificate with its full chain.

systemctl restart tomcat7

Hope this article helps you! Stay awesome!!!
