How to Configure SSL Certificate in Tomcat

We are assuming that you already have installed a working Tomcat server in your system.

Step 1 – Create a Keystore

A Java KeyStore (JKS) is a repository of security certificates. keytool is the command-line utility for creating and managing Keystore. This command is available with JDK and JRE both. We just need to make sure that JDK or JRE is configured with the PATH environment variable.
$ keytool -genkey -alias -keyalg RSA -keystore /etc/pki/keystore
[Samle Output]
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Rahul Kumar
What is the name of your organizational unit?
  [Unknown]:  Web
What is the name of your organization?
  [Unknown]:  TecAdmin Inc.
What is the name of your City or Locality?
  [Unknown]:  Delhi
What is the name of your State or Province?
  [Unknown]:  Delhi
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Rahul Kumar, OU=Web, O=TecAdmin Inc., L=Delhi, ST=Delhi, C=IN correct?
  [no]:  yes

Enter key password for 
        (RETURN if same as keystore password):
Re-enter new password:

Step 2 – Get CA Signed SSL [ Ignore SelfSigned Users ]

You don’t need to do this step if you are going to use a self-signed SSL certificate. If you want to purchase a valid SSL from certificate authorities, then you need to first create a CSR, use the following command to do it. Create CSR:
$ keytool -certreq -keyalg RSA -alias -file svr1.csr -keystore /etc/pki/keystore
The above command will prompt for Keystore password and generate the CSR file. Use this CSR and purchase ssl certificate from any certificate authorities. After being issued the certificate by CA, you will have the following files – root certificate, intermediate certificate, and certificate file. In my case the filenames are A. root.crt (root certificate) B. intermediate.crt (intermediate certificate) C. ( Issued certificate by CA ) Install the root certificate:
$ keytool -import -alias root -keystore /etc/pki/keystore -trustcacerts -file root.crt
Install the intermediate certificate:
$ keytool -import -alias intermed -keystore /etc/pki/keystore -trustcacerts -file intermediate.crt
Install the issued certificate:
$ keytool -import -alias -keystore /etc/pki/keystore -trustcacerts -file

Step 3 – Setup Tomcat Keystore

Now go to your Tomcat installation directory and edit conf/server.xml file in your favorite editor and update the configuration as below. You may also change the port from 8443to some other port if required.

Step 4 – Restart Tomcat

Use your init script (if have) to restart tomcat service, In my case, I use shell scripts ( and for stopping and starting tomcat.

Step 5 – Verify Setup

As we have done all the required configuration for tomcat setup. Let's access tomcat in your browser on the configured port in step 2. tomcat-with-ssl Note: This article has been tested with Tomcat 7 on CentOS 6.5 using Java 8.

Was this article helpful?

mood_bad Dislike 0
mood Like 0
visibility Views: 5961