Beginner’s Guide to Setting Up an SSL Certificate in the Tomcat Web Server
Installing an SSL certificate on a Tomcat web server enhances website security and user trust. The SSL certificate installation on Tomcat requires specific steps to secure your web applications effectively. This guide explains the process of generating a Certificate Signing Request (CSR), obtaining an SSL certificate from a trusted Certificate Authority, and configuring Tomcat’s server.xml file.
You will learn to convert certificate formats, import them into a Java keystore, and verify the successful installation. By following these instructions, you can enable HTTPS on your Tomcat server and ensure encrypted data transmission between your server and website visitors.
Prerequisites for SSL Installation on Tomcat
Before starting with the SSL installation process, make sure that the following prerequisites are met:
- Tomcat 7 or later version installed and running. These steps should work on any Tomcat version from 7 onwards.
- Java installed, since the keytool utility used below is bundled with the JRE/JDK.
- Ownership and access to the domain you want to secure with SSL.
- Port 443 (or whichever port you intend to use for SSL) should be open and available.
6 Easy Steps You Can Follow to Install the SSL Certificate on Tomcat Web Server
Here are the steps involved in installing an SSL certificate on a Tomcat server:
- Generate CSR using Keytool
- Purchase or Obtain SSL Certificate
- Import SSL Certificate into Keystore
- Configure server.xml for SSL
- Restart Tomcat for Changes to Take Effect
- Test the SSL Configuration
Step 1 – Generate CSR using Keytool
The first step is to create a private key and a Certificate Signing Request (CSR) with the keytool utility that ships with Java.
Here is the keytool command that creates the keystore and the RSA key pair:
keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.keystore
This will prompt you to answer some questions:
- Keystore password: Choose a strong password to protect the keystore. Make sure to remember it; you will need it again in Step 3 and Step 4.
- Your first and last name: Enter the fully qualified domain name of the site (this becomes the certificate’s Common Name), not a personal name.
- Organizational unit: Enter the unit or department within your organization.
- Organization: Enter your organization’s legal name.
- City/State: Enter details of your location.
- Country code: Enter the two-letter country code.
Once you answer these prompts, the private key (paired with a temporary self-signed certificate) is generated and stored under the alias tomcat in the tomcat.keystore file. Then generate the CSR from that entry:
keytool -certreq -alias tomcat -keystore tomcat.keystore -file tomcat.csr
The tomcat.csr file is what you submit to the Certificate Authority in the next step; the private key never leaves the keystore.
Run the keytool commands from the directory where you want the keystore file generated.
Step 2 – Purchase or Obtain SSL Certificate
Now that you have generated the CSR and private key, the next step is to purchase an SSL certificate from a trusted Certificate Authority (CA).
Here are some popular CAs to consider buying from:
- DigiCert
- Sectigo
- SSL.com
- GlobalSign
- GoDaddy
- Network Solutions
Alternatively, you can use free SSL certificates provided by Let’s Encrypt.
While purchasing the certificate, you must provide the CSR generated in the first step.
Once the CA issues the SSL certificate, you will get the certificate in a file format such as .crt or .pem.
Step 3 – Import SSL Certificate into Keystore
After obtaining the SSL certificate file from the CA, we need to import this into the keystore, which already contains the private key.
Import the SSL certificate into the keystore with the following keytool command:
keytool -importcert -trustcacerts -file certificate.crt -alias tomcat -keystore tomcat.keystore
- Replace certificate.crt with your actual SSL certificate file.
- When prompted for the keystore password, use the password you created in Step 1.
- Use the same alias (tomcat) as in Step 1 so that keytool attaches the signed certificate to the existing private key instead of creating a separate trusted-certificate entry.
This will import the CA-signed SSL certificate into the keystore file. keytool accepts the certificate only if it can build a chain from it to a trusted root, so if the import fails with a chain error, import the CA’s intermediate certificate(s) first under their own aliases (for example -alias intermediate) and then repeat the command above.
Step 4 – Configure server.xml for SSL
Tomcat’s server.xml configuration file needs to be updated to enable SSL connectivity.
Open the server.xml file located at $CATALINA_HOME/conf/server.xml in a text editor.
Add a Connector tag with the SSL configuration as shown below:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/tomcat.keystore" keystorePass="mypassword"
           clientAuth="false" sslProtocol="TLS"/>
The key attributes are:
- scheme="https": Enables HTTPS
- secure="true": Marks requests received on this connector as secure
- SSLEnabled="true": Enables SSL/TLS for the connector
- keystoreFile: Path to the keystore file containing the private key and SSL certificate
- keystorePass: The keystore password chosen in Step 1
Save the server.xml file after adding this Connector configuration.
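As an added example that is not part of the original guide, here is the same connector written in the SSLHostConfig form that Tomcat 8.5 and later prefer, with negotiation restricted to TLS 1.2 and 1.3 (the usual fix for the "weak protocol" finding covered in the troubleshooting section). The keystore path, password and the alias tomcat are the placeholders from the steps above.

```xml
<!-- Added example: TLS connector in SSLHostConfig form (Tomcat 8.5+).
     Keystore path, password and alias are placeholders from the steps above. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true">
    <!-- Only negotiate TLS 1.2 and TLS 1.3; SSLv3/TLS 1.0/1.1 are never offered,
         and the server's cipher preference order wins over the client's. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3" honorCipherOrder="true">
        <!-- certificateKeyAlias must match the alias used with keytool in Step 1 -->
        <Certificate certificateKeystoreFile="/path/to/tomcat.keystore"
                     certificateKeystorePassword="mypassword"
                     certificateKeyAlias="tomcat"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
```

Tomcat logs a warning at startup if it cannot open the keystore or find the alias, so check catalina.out after the restart in Step 5.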
Step 5 – Restart Tomcat for Changes to Take Effect
For the SSL settings and connector configuration to take effect, you must restart the Tomcat server.
On Linux/Unix systems, use the following commands to stop and then start Tomcat:
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
On Windows, you can restart the Tomcat service from the Services panel.
Once Tomcat restarts, it will start accepting HTTPS requests on port 443 using the SSL certificate.
Step 6 – Test the SSL Configuration
To verify that the SSL certificate was installed correctly, access your website over HTTPS:
https://yourdomain.com
If you get no SSL warnings and see a lock icon in the browser URL bar, the SSL certificate was configured correctly on Tomcat.
You can also use a free SSL checker tool to analyze the TLS settings. It will validate your certificate chain and grade the configuration.
And that’s it! Tomcat is now serving traffic securely over HTTPS using the installed SSL certificate.
What Are the Common SSL Issues on Tomcat and How to Troubleshoot Them?
Here are some common issues faced when enabling SSL on Tomcat and how to troubleshoot them:
The browser shows an SSL connection error or warning.
This means there are issues with the SSL certificate configuration. Make sure you imported the valid cert file into the keystore. The keystore path and password provided in server.xml should also match what was used during the CSR generation.
Tomcat does not restart correctly.
Check the logs at $CATALINA_HOME/logs/catalina.out for exceptions or errors. Make sure the keystore path and password match in the Connector SSL configuration.
Port 443 is already in use.
If another program has occupied port 443, change the SSL connector port in server.xml or terminate the process using that port.
HTTPS site is not reachable.
Double-check that the firewall, load balancer, or proxy allows traffic on port 443. The SSL connector must also be bound to your server’s public IP.
SSL connection works, but some resources fail to load.
This happens when some resources are loaded over HTTP instead of HTTPS (mixed content). Make sure all links and resources are relative or prefixed with HTTPS.
Getting a weak cipher or protocol support error.
Update the SSL protocols and ciphers in server.xml as per industry best practices. Test your site on Qualys SSL Labs to identify and fix vulnerabilities.
Self-signed certificate warnings.
Browsers show security warnings for a self-signed certificate because no trusted CA has signed it. Obtain a CA-signed certificate to resolve this.
Carefully going through the troubleshooting steps usually helps identify and resolve any SSL problems with Tomcat.
Final Thoughts
In summary, installing an SSL certificate on a Tomcat web server is a crucial step in securing your web application and protecting your users’ sensitive data. By following the steps outlined in this guide, you can quickly generate a self-signed certificate or obtain a trusted SSL certificate from a Certificate Authority, then configure Tomcat to use the certificate.
This process ensures that all client and server communication is encrypted, providing security and building trust with your users. Maintaining and updating your SSL certificate is also important to secure your web application.
Frequently Asked Questions
Here are some common FAQs about setting up and managing SSL certificates on Tomcat:
Does Tomcat support SNI for multiple SSL certificates?
Tomcat supports Server Name Indication (SNI), which allows hosting multiple SSL certificates on the same IP address using different domain names.
Where are the SSL certificate files located on Tomcat?
The SSL certificates and private keys are stored in the Tomcat keystore file, usually named tomcat.keystore, and located in the Tomcat config directory.
Can I use a PKCS#12 file for the Tomcat keystore?
You can use PKCS#12 keystore files with .p12 extension for SSL configuration on Tomcat. The process is the same as using the JKS format.
What is the default SSL port used by Tomcat?
Port 8443 is the default SSL port used by Tomcat. However, using the standard 443 port for HTTPS traffic is recommended.
How do I enable HTTP/2 on Tomcat?
Add the ALPN protocol to the SSL connector configuration in server.xml. Also, the SSL certificate must use an EC key with HTTPS enabled on the website for HTTP/2 support.
What is client certificate authentication in Tomcat SSL?
It is an advanced Tomcat SSL configuration where clients must present their own certificate, validated against a truststore, to access the server.
Can Tomcat redirect HTTP to HTTPS?
Tomcat can be configured to automatically redirect insecure HTTP requests over to HTTPS using a few recommended approaches.
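As an added example that is not part of the original guide, here is the servlet-standard way to do it: a security-constraint in the application’s WEB-INF/web.xml that demands a confidential transport, which makes Tomcat answer plain-HTTP requests with a redirect to HTTPS. It assumes the HTTP connector in server.xml carries redirectPort="443" pointing at the SSL connector configured in Step 4 (Tomcat’s stock connector says 8443).

```xml
<!-- Added example, part 1: the plain-HTTP connector in conf/server.xml.
     redirectPort must name the SSL connector's port (443 in this guide);
     the stock value is 8443. -->
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443"/>

<!-- Added example, part 2: goes inside <web-app> in WEB-INF/web.xml.
     No auth-constraint is present, so this does not require a login;
     it only forces encryption. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <!-- match every URL in this web application -->
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: requests must arrive over an encrypted connection;
             Tomcat redirects HTTP requests to the connector's redirectPort. -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
```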
Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.