How to Install an SSL Certificate on Tomcat?
This guide walks through installing an SSL/TLS certificate on Apache Tomcat: generating the CSR from a Java keystore, importing the CA's root, intermediate and primary certificates into that keystore with keytool, and configuring the HTTPS connector in server.xml. Let's get started!
First Things First: Generate CSR
A CSR (Certificate Signing Request) carries your public key together with the domain name and organization details the CA will verify. On Tomcat the CSR comes from a Java keystore: keytool first creates the key pair (private key plus public key) in the keystore, then writes the CSR for it. Keep that keystore safe; the certificate the CA returns is only usable with the private key inside it. This is how you generate the CSR:
- Open our CSR Generator Tool
- Fill in the required information (the common name, i.e. your domain, and your organization details)
- Choose a key algorithm and size (RSA with a 2048-bit or larger key is the usual choice)
- Generate the CSR and submit it to the CA
The next step is to install the SSL certificate on Tomcat.
Steps for Installing an SSL Certificate on the Tomcat Server
Step-1: Download and Extract the SSL Certificate Sent by the CA
When you purchase an SSL certificate, the certificate authority emails you a compressed file containing the root, intermediate and primary (server) certificate files. Download and extract them onto the Tomcat server, alongside the keystore that was created when the CSR was generated.
Remember that the certificate only works with the keystore created during CSR generation, because that keystore holds the private key matching the certificate's public key. Imported into a different keystore, the certificate has no private key to pair with and Tomcat cannot serve HTTPS with it.
Import the certificate files into the keystore in the right order: root first, then the intermediate(s), then the primary certificate. keytool needs each issuing certificate to be already present (in the keystore, or in the JDK's cacerts when -trustcacerts is given) to link the chain; otherwise the final import fails with "Failed to establish chain from reply" and the installation is incomplete.
Step-2: Import the Root Certificate
- Open a command prompt or terminal window.
- If keytool is not on your PATH, change into the JDK's bin directory with the 'cd' command, for example:
cd "C:\Program Files\Java\jdk1.8.0_211\bin"
- Import the root certificate by running the following command:
keytool -importcert -trustcacerts -alias root -file [root certificate file path] -keystore [keystore file path]
- Replace '[root certificate file path]' and '[keystore file path]' with the paths on your system (-importcert is the current spelling; the older -import still works). keytool prompts for the keystore password.
- When asked 'Trust this certificate? [no]:', type 'yes' and press Enter.
- When the import completes, keytool prints 'Certificate was added to keystore'.
Step-3: Importing the Intermediate Certificate
- Import the intermediate certificate by running the following command:
keytool -importcert -trustcacerts -alias intermediate -file [intermediate certificate file path] -keystore [keystore file path]
- Replace "[intermediate certificate file path]" and "[keystore file path]" with the paths on your system. If the CA supplied more than one intermediate, repeat this step for each one, using a distinct alias every time.
- keytool again reports 'Certificate was added to keystore'.
Step-4: Install the Primary Certificate
- Install the primary certificate by running the following command:
keytool -importcert -trustcacerts -alias tomcat -file [primary certificate file path] -keystore [keystore file path]
- Replace "[primary certificate file path]" and "[keystore file path]" with the paths on your system. The alias must be the one the key pair was created under when the CSR was generated (tomcat is the conventional choice); with any other alias keytool stores the certificate as a separate trusted entry and the private key is left without its certificate.
- On success keytool prints 'Certificate reply was installed in keystore' rather than 'Certificate was added to keystore', because this import attaches the CA-signed certificate to the existing private key entry.
- With the root, intermediate and primary certificates imported, the next step is to configure Tomcat to use the keystore.
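The CSR generation above and the three imports in Steps 2 to 4, as one end-to-end keytool script. This is an added example, not code from the original page; the file names, the alias tomcat, the passwords and the locally generated self-signed root that stands in for the commercial CA are assumptions. The last function shows the check a practitioner wants once the imports are done: the chain length keytool reports for the key entry, which stays at 1 when the reply could not be linked to its issuers.

```shell
#!/bin/sh
# Added example (not from the original page): the Tomcat keystore workflow
# end to end with keytool, plus a check that the imported chain linked up.
# Assumed names: alias "tomcat", password "changeit", file names below.
set -eu

# Create the key pair in a new keystore. The alias chosen here is the one the
# CA-signed certificate must later be imported under (Step 4).
make_keypair() {
    ks=$1; alias=$2; pass=$3; dname=$4
    keytool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -alias "$alias" -dname "$dname" -validity 365 \
        -keystore "$ks" -storepass "$pass" -keypass "$pass"
}

# Write the CSR for that key pair; this is the file you submit to the CA.
make_csr() {
    ks=$1; alias=$2; pass=$3; out=$4
    keytool -certreq -alias "$alias" -keystore "$ks" -storepass "$pass" -file "$out"
}

# Steps 2-4: import the CA certificates as trusted entries (root first, then
# any intermediates, in the order given), then the signed certificate under the
# key pair's alias. -noprompt answers the "Trust this certificate?" question.
install_chain() {
    ks=$1; pass=$2; alias=$3; signed=$4; shift 4
    for ca in "$@"; do
        name=$(basename "$ca" .cer)          # root.cer -> alias "root"
        keytool -importcert -trustcacerts -noprompt -alias "$name" \
            -file "$ca" -keystore "$ks" -storepass "$pass"
    done
    # Same alias as the key pair: keytool attaches the reply to the private key.
    # A different alias would create a stray trusted-cert entry instead.
    keytool -importcert -trustcacerts -noprompt -alias "$alias" \
        -file "$signed" -keystore "$ks" -storepass "$pass"
}

# Number of certificates in the key entry's chain as keytool reports it.
# Expect server + root = 2 here; with an intermediate in the chain, 3.
chain_length() {
    ks=$1; pass=$2; alias=$3
    keytool -list -v -alias "$alias" -keystore "$ks" -storepass "$pass" \
        | sed -n 's/^Certificate chain length: *//p'
}

# Full run in a scratch directory. A locally generated self-signed root stands
# in for the commercial CA so the example works offline; in production the CA
# returns the primary certificate and the root/intermediates in the Step 1
# bundle, and the -gencert line below is what happens on the CA's side.
demo() {
    dir=$1
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias root -ext bc:c \
        -dname "CN=Example Test Root, O=Example" -validity 365 \
        -keystore "$dir/ca.jks" -storepass capass -keypass capass
    keytool -exportcert -rfc -alias root -keystore "$dir/ca.jks" \
        -storepass capass -file "$dir/root.cer"
    make_keypair "$dir/server.jks" tomcat changeit "CN=www.example.com, O=Example"
    make_csr "$dir/server.jks" tomcat changeit "$dir/server.csr"
    keytool -gencert -alias root -keystore "$dir/ca.jks" -storepass capass \
        -ext san=dns:www.example.com -validity 365 -rfc \
        -infile "$dir/server.csr" -outfile "$dir/server.cer"
    install_chain "$dir/server.jks" changeit tomcat "$dir/server.cer" "$dir/root.cer"
    chain_length "$dir/server.jks" changeit tomcat
}

# Usage: sh tomcat_keystore.sh demo   (last line printed is 2 when the chain linked up)
if [ "${1:-}" = "demo" ]; then
    demo "$(mktemp -d)"
fi
```

Run it with a JDK on the PATH; the final line printed by demo is the chain length. If you instead see "Failed to establish chain from reply" from the last import, the issuer of the primary certificate was not imported first, which is exactly the ordering mistake Step 1 warns about.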
Step 5: Server Configuration
Unless configured otherwise, Tomcat looks for a keystore named .keystore in the home directory of the user that runs Tomcat, with the default password changeit.
For Linux and Unix the home directory is /home/user-name/
For Windows it is C:\Documents and Settings\user-name\ on old releases and C:\Users\user-name\ on Windows Vista and later
Note: you can use a different password and file location; the connector attributes described below tell Tomcat where to look.
- Copy your keystore file (your-domain-name.key in this guide) to the home directory, or leave it where it is and reference its full path in the connector.
- Open the server.xml file located in Tomcat's conf/ directory (…~/conf/) using any text editor.
- The HTTPS connector ships commented out; uncomment it.
- Find the connector that will use the new keystore. Tomcat's sample connector listens on port 8443; set it to 443 if clients should reach HTTPS without a port suffix, keeping in mind that on Linux binding to 443 requires root or a reverse proxy/port forward in front of Tomcat.
- In the connector, specify the exact location of the keystore file and the correct keystore password. The password sits in clear text in server.xml, so restrict the file's permissions to the Tomcat user.
Note: The attribute names depend on the Tomcat version. Tomcat 7.0.x and 8.0.x take keystoreFile and keystorePass directly on the Connector; keyPass is only needed when the private key's password differs from the keystore password. Tomcat 8.5 and later use certificateKeystoreFile and certificateKeystorePassword on a <Certificate> element nested in <SSLHostConfig>; the Connector-level names are still accepted there but are deprecated.
- After completing the connector configuration, it should look like the following (Tomcat 7.0.x / 8.0.x form):
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/working/mykeystore" keystorePass="password" />
The same connector in the Tomcat 8.5 / 9 form:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="/working/mykeystore"
                 certificateKeystorePassword="password" />
  </SSLHostConfig>
</Connector>
- Save the changes to server.xml and restart Tomcat.
- Once the certificate is installed, verify the deployment from outside the server and keep checking it until renewal, since an expired certificate or a chain missing its intermediate breaks clients without any change on the server. The SSL Checker Tool gives an instant scan and report; from a shell, openssl s_client -connect your-domain-name:443 -servername your-domain-name prints the chain the server actually sends, and a missing intermediate shows up there as 'unable to get local issuer certificate'.