Tomcat - SSL Certificate Installation

Last updated: 14/01/2016

This article shows you how to install an SSL certificate you've received from the Certificate Authority on your Tomcat webserver. If you haven't generated a Certificate Signing Request yet and haven't ordered an SSL certificate, you may want to check out how to do so in the « How to generate a certificate request with keytool? » article.

Before you configure Tomcat, you need to import the SSL certificate you received in the server's Java keystore. Please check the article « How to install an SSL certificate with keytool? » for detailed instructions on how to import your certificate into the Java keystore.

You need to create a new SSL connector in Tomcat in order to accept secure connections.

Locate Tomcat's server.xml file, usually found in the conf folder of your Tomcat installation, and open it in a text editor.

Look for a connector listening on port 443 or 8443. If you haven't configured an SSL website on Tomcat before, the connector section will be commented out. Remove the comments if necessary and modify the connector's configuration to reflect the correct keystore parameters:

<Connector port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           keyAlias="www_server_com"
           keystoreFile="/etc/certs/www_server_com.jks"
           keystorePass="your_keystore_password" />

Save your changes to the server.xml file.

Restart Tomcat to reload your new SSL connector configuration.

If your certificate doesn't display correctly in a browser, check whether the server sends the complete certificate chain to the browser with the following command, replacing www.kinamo.be with your own domain name:

openssl s_client -connect www.kinamo.be:443
Certificate chain
 0 s:/ Organization/serialNumber=0861.077.215/C=BE/ST=Antwerpen/L=antwerpen/O=Kinamo NV/CN=www.kinamo.be
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority

You should see a chain of certificates starting with your own certificate and going up through the intermediate certificates.
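As an added example (not part of the original article), this Python snippet parses the "Certificate chain" block printed by openssl s_client and checks that each certificate's issuer is the subject of the next one, so a missing or misordered intermediate in the keystore is reported instead of guessed at. The sample input is constructed from the article's own example output above.

```python
import re

# Constructed sample: the "Certificate chain" block that `openssl s_client`
# prints, copied from the article's example output above.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/ Organization/serialNumber=0861.077.215/C=BE/ST=Antwerpen/L=antwerpen/O=Kinamo NV/CN=www.kinamo.be
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
 1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Extended Validation SSL CA - G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Primary Certification Authority
"""

_SUBJECT = re.compile(r"^\s*\d+\s+s:(.*)$")  # " 0 s:/C=..." lines
_ISSUER = re.compile(r"^\s+i:(.*)$")          # "   i:/C=..." lines


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(chain):
    """List linking problems: each issuer must equal the next certificate's subject."""
    if not chain:
        return ["no certificates in chain"]
    problems = []
    for i, (_, issuer) in enumerate(chain[:-1]):
        nxt = chain[i + 1][0]
        if issuer != nxt:
            problems.append(f"cert {i} issued by '{issuer}' but cert {i + 1} is '{nxt}'")
    last_subject, last_issuer = chain[-1]
    if len(chain) == 1 and last_subject != last_issuer:
        problems.append("only the server certificate was sent; intermediates are missing")
    elif last_subject == last_issuer:
        problems.append("chain ends with a self-signed root, which browsers already hold")
    return problems


def leaf_cn(chain):
    """Common Name of the server certificate (entry 0); compare it with your domain."""
    m = re.search(r"CN=([^/]+)", chain[0][0]) if chain else None
    return m.group(1).strip() if m else None
```

Feed it the real output with `openssl s_client -connect your.domain:443 </dev/null`; an empty problem list means the intermediates in your keystore are complete and in order.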

Visit Qualys SSL Labs' test page to check if your web server and SSL certificate are up to par with modern-day security standards.