Tomcat - SSL Certificate Installation

Last updated on 28 Sep 2023, 10:23:10.
Category: All about SSL certificates


This article shows you how to install an SSL certificate you've received from the Certificate Authority on your Tomcat webserver. If you haven't generated a Certificate Signing Request and ordered an SSL certificate yet, see the « How to generate a certificate request with keytool? » article for how to do so.

Import your certificate in the Java keystore

Before you configure Tomcat, you need to import the SSL certificate you received in the server's Java keystore. Please check the article « How to install an SSL certificate with keytool? » for detailed instructions on how to import your certificate into the Java keystore.

Configure Tomcat for SSL

Step 1: Configure your Tomcat SSL connector

You need to create a new SSL connector in Tomcat in order to accept secure connections.

Locate Tomcat's server.xml file, usually found in the conf folder of your Tomcat installation, and open it in a text editor.

Look for a connector listening on port 443 or 8443. If you haven't configured an SSL website on Tomcat before, the connector section will be commented out. Remove the comments if necessary and modify the connector's configuration to reflect the correct keystore parameters:

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           keyAlias="www_server_com"
           keystoreFile="/etc/certs/www_server_com.jks" keystorePass="your_keystore_password" />

Save your changes to the server.xml file.
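As an added example (not part of the original article or of Tomcat itself), the following script checks the SSL connector in a server.xml before Tomcat is restarted: it finds every connector on port 443/8443 or with SSLEnabled="true", verifies that scheme, secure and SSLEnabled are set as shown above, that a keystore file and password are configured, and that the password is not still the placeholder from the example. The embedded server.xml fragments are constructed for the demonstration and the keystore path and password are placeholders. Because the XML parser drops comments, a connector that is still commented out is simply not reported, which is exactly the situation the step warns about.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector shown above (not a real Kinamo file).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keyAlias="www_server_com"
               keystoreFile="/etc/certs/www_server_com.jks"
               keystorePass="your_keystore_password" />
  </Service>
</Server>
"""

# Constructed sample where the SSL connector was never uncommented.
COMMENTED_OUT_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <!--
    <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/etc/certs/www_server_com.jks" keystorePass="changeit" />
    -->
  </Service>
</Server>
"""

# Attribute values the article's connector relies on for HTTPS.
REQUIRED = {"scheme": "https", "secure": "true", "SSLEnabled": "true"}
PLACEHOLDER_PASSWORD = "your_keystore_password"  # value from the example above


def check_connector(conn):
    """Return a list of problems found on one <Connector> element (empty if fine)."""
    problems = []
    for attr, expected in REQUIRED.items():
        if conn.get(attr, "").lower() != expected:
            problems.append(f'{attr} should be "{expected}" (found {conn.get(attr)!r})')
    for attr in ("keystoreFile", "keystorePass"):
        if not conn.get(attr):
            problems.append(f"missing {attr}")
    if conn.get("keystorePass") == PLACEHOLDER_PASSWORD:
        problems.append("keystorePass still has the placeholder value from the example")
    return problems


def lint_server_xml(xml_text):
    """Return [(port, problems), ...] for every SSL-capable connector in server.xml.

    ElementTree discards XML comments, so a connector that is still wrapped in
    <!-- --> is not seen at all and the result is an empty list.
    """
    root = ET.fromstring(xml_text)
    results = []
    for conn in root.iter("Connector"):
        is_ssl = conn.get("SSLEnabled", "").lower() == "true"
        if not is_ssl and conn.get("port") not in ("443", "8443"):
            continue
        results.append((conn.get("port"), check_connector(conn)))
    return results


if __name__ == "__main__":
    import sys
    # Usage: python lint_connector.py /path/to/conf/server.xml (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    found = lint_server_xml(text)
    if not found:
        print("no SSL connector found: is it still commented out?")
    for port, problems in found:
        print(f"connector on port {port}: {problems or 'OK'}")
```

Run it against the real conf/server.xml after editing; an empty result means no HTTPS connector is active, which is the most common reason the site still answers only on plain HTTP after a restart.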

Step 2: Restart Tomcat

Restart Tomcat to reload your new SSL connector configuration.

Step 3: Troubleshooting

If your certificate doesn't display correctly in a browser, check whether the complete certificate chain is being sent to the browser with the following command, replacing www.kinamo.be with your own domain name:

openssl s_client -connect www.kinamo.be:443
...
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=Private Organization/serialNumber=0861.077.215/C=BE/ST=Antwerpen/L=antwerpen/O=Kinamo NV/CN=www.kinamo.be
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority

You should see a chain of certificates starting with your own one, and going up through the different intermediate certificates.
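The following script is an added example (not from the original article) that automates the check described in this step: it parses the "Certificate chain" section of `openssl s_client` output, confirms that certificate 0 carries your domain in its CN, and verifies that each certificate's issuer is the subject of the next one, so a missing or wrong intermediate is reported instead of having to be spotted by eye. The two embedded outputs are constructed from the sample above (one good chain, one where the root was sent instead of the intermediate); they are not captured from a live server. It accepts both the slash-separated subject format shown above and the comma-separated format printed by newer OpenSSL versions.

```python
import re

# Constructed from the chain shown in the article: a correct server -> intermediate chain.
SAMPLE_OUTPUT = """CONNECTED(00000003)
---
Certificate chain
 0 s:/C=BE/O=Kinamo NV/CN=www.kinamo.be
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
---
Server certificate
"""

# Constructed failure case: the intermediate is missing and the root was sent instead.
BROKEN_OUTPUT = """Certificate chain
 0 s:/C=BE/O=Kinamo NV/CN=www.kinamo.be
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
---
"""


def parse_chain(output):
    """Return [(subject, issuer), ...] from the 'Certificate chain' section."""
    chain, in_chain, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.startswith("---"):          # end of the chain section
            break
        m = re.match(r"\s*\d+\s+s:(.*)", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def cn_of(dn):
    """Extract the CN from a DN in either '/CN=x' or 'CN = x' notation."""
    m = re.search(r"CN\s*=\s*([^/,]+)", dn)
    return m.group(1).strip() if m else None


def check_chain(output, hostname):
    """Return a list of problems with the served chain (empty if it links up)."""
    chain = parse_chain(output)
    if not chain:
        return ["no certificate chain found in output"]
    problems = []
    if cn_of(chain[0][0]) != hostname:
        problems.append(f"certificate 0 is for {cn_of(chain[0][0])!r}, not {hostname!r}")
    for n in range(len(chain) - 1):
        if chain[n][1] != chain[n + 1][0]:
            problems.append(
                f"certificate {n} is issued by {chain[n][1]!r} "
                f"but certificate {n + 1} is {chain[n + 1][0]!r}"
            )
    # The final issuer (the root) is normally not sent; browsers take it from their own store.
    return problems


if __name__ == "__main__":
    import sys
    # Usage: openssl s_client -connect host:443 -servername host </dev/null | python check_chain.py host
    host = sys.argv[1] if len(sys.argv) > 1 else "www.kinamo.be"
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for line in check_chain(text, host) or ["chain looks complete"]:
        print(line)
```

When feeding it live output, add `-servername` to the s_client command so that a Tomcat host serving several certificates selects the right one; an empty result means every certificate links to the next and the leaf matches your domain.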

Step 4: Security Test

Visit Qualys SSL Labs' test page to check if your web server and SSL certificate are up to par with modern-day security standards.

