Tomcat - SSL Certificate Installation

Last updated on 28 Sept 2023, 10:23:10.
Category: All about SSL certificates


This article shows you how to install an SSL certificate you've received from the Certificate Authority on your Tomcat web server. If you haven't generated a Certificate Signing Request and ordered an SSL certificate yet, see the « How to generate a certificate request with keytool? » article first.

Import your certificate in the Java keystore

Before you configure Tomcat, you need to import the SSL certificate you received in the server's Java keystore. Please check the article « How to install an SSL certificate with keytool? » for detailed instructions on how to import your certificate into the Java keystore.

Configure Tomcat for SSL

Step 1: Configure your Tomcat SSL connector

You need to create a new SSL connector in Tomcat in order to accept secure connections.

Find Tomcat's server.xml file, usually in the conf folder of your Tomcat installation, and open it in a text editor.

Look for a connector listening on port 443 or 8443. If you haven't configured an SSL website on Tomcat before, the connector section will be commented out. Remove the comments if necessary and modify the connector's configuration to reflect the correct keystore parameters:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="www_server_com"
           keystoreFile="/etc/certs/www_server_com.jks"
           keystorePass="your_keystore_password" />

Save your changes to the server.xml file.

Step 2: Restart Tomcat

Restart Tomcat to reload your new SSL connector configuration.

Step 3: Troubleshooting

If your certificate doesn't display correctly in a browser, check if all certificates are being sent correctly to a browser with the following command, replacing www.kinamo.be with your own domain name:

openssl s_client -connect www.kinamo.be:443
...
Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=BE/businessCategory=Private Organization/serialNumber=0861.077.215/C=BE/ST=Antwerpen/L=antwerpen/O=Kinamo NV/CN=www.kinamo.be
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority

You should see a chain of certificates starting with your own certificate and going up through the different intermediate certificates.
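
The chain check described above can be scripted. This is an added example, not part of the original article; the function names and the sample output (www.example.com and the two "Example" CAs) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article).
# check_chain reads `openssl s_client` output on stdin and verifies that the
# "Certificate chain" section is linked: the issuer (i:) of each certificate
# must be the subject (s:) of the next certificate the server sent.
check_chain() {
    awk '
        /^Certificate chain/       { in_chain = 1; next }
        in_chain && /^---/         { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n++] = $0; next }
        in_chain && n && /^ *i:/   { sub(/^ *i:/, ""); iss[n - 1] = $0 }
        END {
            if (n == 0) { print "FAIL: no certificate chain in input"; exit 1 }
            for (k = 0; k < n - 1; k++)
                if (iss[k] != subj[k + 1]) {
                    printf "FAIL: cert %d was not issued by cert %d\n", k, k + 1
                    exit 1
                }
            # A lone certificate that is not self-signed means the server
            # is not sending any intermediate certificates.
            if (n == 1 && iss[0] != subj[0]) {
                print "FAIL: only the server certificate was sent"; exit 1
            }
            printf "OK: %d certificate(s) sent, each issued by the next\n", n
        }'
}

# Constructed sample of s_client output (not captured from a real server).
sample_chain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=Example Intermediate CA
 1 s:/CN=Example Intermediate CA
   i:/CN=Example Root CA
---
EOF
}

# Against a live server, pipe the article's command into the function:
#   openssl s_client -connect www.kinamo.be:443 </dev/null 2>/dev/null | check_chain
sample_chain | check_chain
```

The function exits non-zero on a broken or incomplete chain, so it can be used as a post-restart check after Step 2.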

Step 4: Security Test

Visit Qualys SSL Labs' test page to check if your web server and SSL certificate are up to par with modern-day security standards.

