Sometimes we need to install an SSL certificate in Tomcat for Java projects. Installing a certificate in Tomcat is somewhat different from doing so in web servers such as Nginx or Apache, because Tomcat reads its key and certificate chain from a Java keystore. In this article, we will learn how to install an SSL certificate on Tomcat. We assume that you have already configured the Java environment and that the Tomcat server is running.
Create a Keystore
Java provides JKS, also known as Java KeyStore, as a repository for security certificates and private keys. Both the JDK and the JRE ship the command-line utility keytool for creating and managing keystores. Run the following command to create a keystore. keytool prompts for the keystore password and for the distinguished name of the certificate; enter the server's host name (here tomcat.linuxways.com) when asked for "first and last name", because that value becomes the CN that browsers check.
$ keytool -genkey -alias tomcat.linuxways.com -keyalg RSA -keystore /etc/pki/keystore
Create CSR
If you are going to install a self-signed certificate, you can skip this step. If you want to install a purchased SSL certificate, you need to create a CSR (certificate signing request) file.
$ keytool -certreq -keyalg RSA -alias tomcat.linuxways.com -file tomcat.csr -keystore /etc/pki/keystore
You will be prompted for the keystore password. Once the password is entered, the CSR file is generated. Submit this CSR file to the CA to purchase a CA-signed SSL certificate; the private key never leaves the keystore.
Get the CA-signed SSL certificate
Once the certificate is issued by the CA, you will have the following files. The domain tomcat.linuxways.com is used as an example.
- tomcat.linuxways.com.crt (CA-issued certificate)
- root.crt (root certificate)
- intermediateca.crt (intermediate certificate)
Install the certificate
Import the CA-signed certificate using the following command.
$ keytool -import -alias tomcat.linuxways.com -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/tomcat.linuxways.com.crt
Where path-to-certificate is the certificate directory and tomcat.linuxways.com.crt is the CA-signed SSL certificate. If keytool reports that it cannot establish a certificate chain from the reply, import the root and intermediate certificates (next sections) first and then repeat this command.
Install root certificate
Import the root certificate using the following command.
$ keytool -import -alias root -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/root.crt
Where root.crt is the root certificate file.
Install intermediate certificate
Run the following command to import the intermediate certificate file.
$ keytool -import -alias intermediateca -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/intermediateca.crt
Where intermediateca.crt is the intermediate certificate file.
Change tomcat configuration
After importing all the required certificates, it is time to point Tomcat at the keystore. Go to the Tomcat installation folder and open the server.xml file in the conf directory. Add an HTTPS Connector with the following contents.
$ vi tomcat-installation-directory/conf/server.xml
Example.
$ vi /opt/tomcat/conf/server.xml

<Connector port="4443" protocol="HTTP/1.1"
           connectionTimeout="20000" redirectPort="4443"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="/etc/pki/keystore" keystorePass="_password_" />

For the demonstration, port 4443 is being used. You can select any port depending on your environment. Replace _password_ with the password you set when creating the keystore, and restrict read access to server.xml, since it now contains that password in clear text.
Restart the tomcat
Certificate installation is complete. Restart the Tomcat server for the changes to take effect.
$ path-to-tomcat/bin/shutdown.sh
$ path-to-tomcat/bin/startup.sh
Example:
$ /opt/tomcat/bin/shutdown.sh
$ /opt/tomcat/bin/startup.sh
Verify the certificate
Now access the Tomcat server URL in a browser to verify the certificate. The browser should show the connection as secure, with a certificate issued to your host name and chaining to the CA's root.
https://tomcat-server:<Port>
Example:
https://tomcat.linuxways.com:4443
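As an added example (not code from the article), the following Python script performs the same verification without a browser and reviews the Connector settings from the previous step. The host name and the _password_ placeholder are the article's own; the sample server.xml fragment is constructed here.

```python
"""Scripted checks for the Tomcat TLS setup above (added example, not from the article)."""
import socket
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

# Constructed sample containing the Connector from the article; not a real server.xml.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="4443" protocol="HTTP/1.1" connectionTimeout="20000"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="/etc/pki/keystore" keystorePass="_password_" />
</Service></Server>"""

def audit_tls_connectors(server_xml: str) -> dict:
    """Return {port: [findings]} for each Connector with SSLEnabled="true"."""
    report = {}
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        # Without these two, Tomcat treats requests on this port as plain HTTP.
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append("scheme/secure not set for an https connector")
        if not c.get("keystoreFile"):
            findings.append("keystoreFile is missing")
        # The article's placeholder must be replaced with the real keystore password.
        if c.get("keystorePass") in (None, "", "_password_", "changeit"):
            findings.append("keystorePass is a placeholder or default")
        report[c.get("port")] = findings
    return report

def days_remaining(not_after: str, now: Optional[datetime] = None) -> int:
    """Days until a certificate's notAfter (string format as returned by getpeercert)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expiry - now).days

def check_endpoint(host: str, port: int, timeout: float = 5.0) -> dict:
    """Do what the browser check does: verify the chain against the system trust
    store and match the host name, then report protocol, subject and days to expiry.
    Raises ssl.SSLCertVerificationError if the chain or the name does not verify."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert, proto = tls.getpeercert(), tls.version()
    return {"protocol": proto, "days_remaining": days_remaining(cert["notAfter"]),
            "subject": dict(item[0] for item in cert["subject"])}
```

Run `audit_tls_connectors(open("/opt/tomcat/conf/server.xml").read())` on the real file and `check_endpoint("tomcat.linuxways.com", 4443)` from a client that trusts the CA; an intermediate missing from the keystore shows up as a verification error here just as it would in a browser.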
Conclusion
In this article, we learned how to generate a CSR, import the CA-signed certificate and its chain into a Java keystore, and configure Tomcat to serve HTTPS from that keystore.