How do I install an SSL/TLS certificate on Tomcat?
Before you begin
- Tomcat does not ship a certificate tool of its own. All of the steps below use keytool, which comes with the Java runtime (JDK or JRE) that Tomcat runs on and lives in that installation's bin directory.
- Important: to install your certificate you must import it into the same keystore that was created when you generated the Certificate Signing Request, and under the same alias, because that entry holds the private key matching the certificate. Importing into any other keystore or alias stores the certificate as a trusted certificate with no private key, which Tomcat cannot use to serve TLS.
- Never share private keys or keystore files.
- If you plan to use the same certificate on multiple servers, transfer the keystore (it contains the private key) only over an authenticated, encrypted channel such as SSH/SCP. E-mail is not a secure method of transfer.
- Before deploying a new private key and server certificate, make sure the connector is configured with current protocol versions and cipher suites; a valid certificate on a connector that still accepts obsolete protocols gives little protection.
- Run the SSL Server Test at the end of the installation process to check the deployed certificate chain and connector configuration against current SSL/TLS best practices.
Installing your SSL/TLS Certificate on a Tomcat Server
1. Click the Download button in the pickup wizard to download your certificate files. The download is a file named CertificateBundle.p7b, a PKCS#7 bundle that contains your signed SSL/TLS certificate together with the intermediate and root certificates that make up its chain.
2. Type and run the following command on your Tomcat server. The alias (server) and the keystore file name (yoursite.jks) are placeholders: use the alias and keystore you created when you generated the private key and Certificate Signing Request.
Please note: type the command rather than pasting it. Text copied from a web page or document often turns the plain ASCII hyphens in front of the options into en-dashes or other look-alike characters, which keytool rejects as an unknown command or option.
keytool -importcert -trustcacerts -alias server -file CertificateBundle.p7b -keystore yoursite.jks
(Older documentation spells the command -import; keytool still accepts that spelling.)
You will be prompted for the keystore password. The import cannot complete without it.
If keytool shows the top-level certificate in the reply, reports that it is not trusted and asks "Install reply anyway?", the CA's root certificate is neither in your keystore nor in the Java cacerts file. Answer yes only after you have confirmed that the displayed root certificate belongs to the CA that issued your certificate.
If keytool instead asks "Trust this certificate?", stop and answer no. That prompt means the alias does not hold your private key, so keytool is about to store the certificate as a trusted-certificate entry rather than install it as the reply to your CSR. Check the keystore file name and alias (see "Before you begin") and run the command again.
If the certificate installs correctly, keytool prints "Certificate reply was installed in keystore". The message "Certificate was added to keystore" indicates the trusted-certificate case above, not a successful installation.
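Before moving on to server.xml it is worth confirming what actually landed in the keystore: the alias you are about to reference must be a PrivateKeyEntry whose chain now holds the CA-issued certificate plus its intermediates, not a trustedCertEntry (wrong keystore or alias) and not the chain of length 1 left over from key generation (reply never installed). The script below is an added example, not part of the original article or of Tomcat: it parses the output of keytool -list -v, exercises the parser on constructed sample listings (not output from a real keystore), and can also be pointed at a real keystore when keytool is on the PATH. The keystore name yoursite.jks, the alias server and the TOMCAT_KEYSTORE_PASS variable are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): post-import check that the
# alias server.xml will reference really holds the private key plus the full
# certificate chain. Keystore name, alias and password variable are placeholders.
set -eu

# check_alias_listing LISTING ALIAS [MIN_CHAIN]
# Reads the text produced by `keytool -list -v` and reports on one alias:
#   ok              PrivateKeyEntry with a chain of at least MIN_CHAIN certificates
#   short-chain     PrivateKeyEntry, but the chain is too short: the reply was not
#                   installed (a freshly generated key pair has chain length 1)
#   no-private-key  the alias is a trustedCertEntry (wrong keystore or alias)
#   missing         the alias does not exist in the keystore
# Prints the verdict on stdout; returns 0 only for "ok".
check_alias_listing() {
  listing=$1
  ks_alias=$2
  min_chain=${3:-2}
  printf '%s\n' "$listing" | awk -v alias="$ks_alias" -v min="$min_chain" '
    /^Alias name: /                          { inblock = (substr($0, 13) == alias); next }
    inblock && /^Entry type: /               { type = $3 }
    inblock && /^Certificate chain length: / { len = $4 }
    END {
      if (type == "")                { print "missing";        exit 1 }
      if (type != "PrivateKeyEntry") { print "no-private-key"; exit 1 }
      if (len + 0 < min + 0)         { print "short-chain";    exit 1 }
      print "ok"
    }'
}

# check_keystore_alias KEYSTORE ALIAS
# Runs keytool against a real keystore. The store password is taken from the
# TOMCAT_KEYSTORE_PASS environment variable via keytool's -storepass:env form,
# so it never appears on the command line, in ps output or in shell history.
check_keystore_alias() {
  check_alias_listing "$(keytool -list -v -keystore "$1" -storepass:env TOMCAT_KEYSTORE_PASS)" "$2"
}

# Constructed sample listings (not real keystore output) in the layout keytool uses.
# State after `keytool -genkeypair`: the key pair still carries only its self-signed certificate.
LISTING_BEFORE=$(cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=www.example.com, O=Example Corp, C=US
EOF
)

# State after a correct import: the reply replaced the self-signed certificate
# with the CA-issued leaf plus the intermediate and root from the bundle.
LISTING_AFTER=$(cat <<'EOF'
Alias name: server
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=Example Intermediate CA, O=Example Corp, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
EOF
)

# The mistake the article warns about: the bundle was imported into a keystore or
# alias with no private key, so keytool stored it as a trustedCertEntry.
LISTING_WRONG_KEYSTORE=$(cat <<'EOF'
Alias name: server
Creation date: Jan 5, 2024
Entry type: trustedCertEntry

Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=Example Intermediate CA, O=Example Corp, C=US
EOF
)

printf 'before import:  %s\n' "$(check_alias_listing "$LISTING_BEFORE" server || true)"
printf 'after import:   %s\n' "$(check_alias_listing "$LISTING_AFTER" server || true)"
printf 'wrong keystore: %s\n' "$(check_alias_listing "$LISTING_WRONG_KEYSTORE" server || true)"

# Real keystore: TOMCAT_KEYSTORE_PASS='...' sh check_keystore.sh yoursite.jks server
if [ "$#" -eq 2 ]; then
  check_keystore_alias "$1" "$2"
fi
```

Only "ok" means step 2 succeeded. "short-chain" means the reply was never installed (re-run the import); "no-private-key" means the import went into the wrong keystore or alias and must be repeated against the keystore that holds the CSR's private key.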
3. Configure your Tomcat server to use TLS with the Java keystore. To do this, edit Tomcat's server.xml file, which is normally located in the conf folder of the Tomcat home directory ($CATALINA_HOME/conf/server.xml, or $CATALINA_BASE/conf/server.xml if you run a separate instance directory).
Before making any changes, save a copy of the original server.xml so you can roll back if anything goes wrong.
Open the server.xml file in a text editor. You need to supply your keystore file name, keystore password, and key alias in the HTTPS connector. You should see a section that looks like the following; the keyAlias, keystoreFile and keystorePass values are the ones to change:
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keyAlias="server"
               keystoreFile="yourkeystore.jks"
               keystorePass="your_keystore_password" />
Three things to check while you are in this file:
- keyAlias must be the alias the certificate reply was installed under, and keystoreFile the keystore that holds the matching private key. A relative keystoreFile path is resolved against $CATALINA_BASE; an absolute path avoids surprises.
- sslProtocol="TLS" only selects the Java SSLContext algorithm; it does not disable old protocol versions. On Tomcat 7 and 8.0 the sslEnabledProtocols attribute restricts the versions the connector offers; on Tomcat 8.5 and later this is done in a nested SSLHostConfig element.
- keystorePass is stored in clear text, so server.xml and the keystore file should be readable only by the account Tomcat runs as. Binding port 443 directly also requires elevated privileges on most systems; many installations listen on 8443 or sit behind a reverse proxy instead.
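The connector above uses the attribute names of Tomcat 6 through 8.0. Tomcat 8.5 and 9 still accept them but log a deprecation warning, and Tomcat 10.1 removed them; the supported form nests SSLHostConfig and Certificate elements inside the Connector, which is also where protocol versions are pinned. The following is an added example of the same connector in that syntax; it is not part of the original article or of Tomcat's default server.xml. The keystore path conf/yoursite.jks, the alias server, the password, and a Java 11 or later runtime (required for TLSv1.3) are assumptions.

```xml
<!-- Added example, not the article's original server.xml: HTTPS connector in the
     Tomcat 8.5/9 SSLHostConfig syntax. Keystore path, alias and password are
     placeholders; certificateKeystoreFile is resolved against $CATALINA_BASE. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           scheme="https" secure="true" SSLEnabled="true">
  <!-- protocols replaces sslProtocol/sslEnabledProtocols: only TLS 1.2 and 1.3 are
       offered (TLSv1.3 needs Java 11+). certificateVerification="none" is the
       equivalent of clientAuth="false". Set ciphers="..." here if your policy
       requires an explicit suite list; otherwise the JSSE defaults apply. -->
  <SSLHostConfig protocols="TLSv1.2,TLSv1.3"
                 honorCipherOrder="true"
                 certificateVerification="none">
    <!-- Same keystore, alias and password as in step 2. -->
    <Certificate certificateKeystoreFile="conf/yoursite.jks"
                 certificateKeystorePassword="your_keystore_password"
                 certificateKeyAlias="server"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

After restarting Tomcat, confirm the pinning took effect with openssl s_client: openssl s_client -connect www.example.com:443 -servername www.example.com -tls1_2 should complete a handshake and show your certificate chain, while the same command with -tls1 or -tls1_1 should be refused.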
4. Restart your Tomcat Server to complete the certificate installation process.