To use an SSL certificate with Tomcat, you need to store it in a Java keystore file. You can generate both the keystore and the certificate using the Java command keytool.

Step 0: Find your keytool

Make sure you have Java and the keytool command (it ships with Java) installed. If you installed the JDK or JRE yourself, it may not be in your $PATH.

For example, my keytool is in ./jdk1.8/bin/.

Step 1: Generate the keystore and the certificate

Before we begin, a note about the “alias” and the “common name” of the certificate:

So let’s generate a certificate with a strong 4096-bit RSA key that is valid for 2 years.

# adjust the path to `keytool`, ALIAS and the path to the keystore accordingly
./jdk1.8/bin/keytool -genkey -keystore /srv/jakarta/.keystore -alias ALIAS \
    -keyalg RSA -keysize 4096 -validity 720
Enter keystore password: # well, enter something
Re-enter new password: # same as above
What is your first and last name?
  [Unknown]:  example.com # !!! IMPORTANT this is the domain name, NOT YOUR name
What is the name of your organizational unit?
  [Unknown]:  # enter something or leave empty
What is the name of your organization?
  [Unknown]:  # enter something or leave empty
What is the name of your City or Locality?
  [Unknown]:  # enter something or leave empty
What is the name of your State or Province?
  [Unknown]:  # enter something or leave empty
What is the two-letter country code for this unit?
  [Unknown]:  # enter something or leave empty
Is CN=example.com, OU=Foo, O=Bar, L=City, ST=AA, C=FB correct?
  [no]:  yes
Enter key password for <ALIAS>
    (RETURN if same as keystore password): # Press RETURN

Great, now the keystore has been created (if it didn’t exist already) and your self-signed certificate has been added to it.
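A non-interactive version of the same keytool run, as an added example that is not part of the original post: it answers the prompts with -dname, adds a Subject Alternative Name (browsers match the SAN, not only the CN), creates the keystore owner-readable only because it holds the private key, and reads the certificate subject back so the result can be checked. The alias, password and X.500 fields are placeholders, and keytool is assumed to be on $PATH unless KEYTOOL is set.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes keytool is on $PATH
# (override with KEYTOOL=/path/to/jdk1.8/bin/keytool if it is not).
set -eu

KEYTOOL="${KEYTOOL:-keytool}"

# gen_keystore DIR ALIAS DOMAIN PASSWORD
# Creates DIR/.keystore holding a 4096-bit RSA key pair and a self-signed
# certificate whose CN and SAN both carry DOMAIN. Prints the keystore path.
gen_keystore() {
    dir=$1; alias=$2; domain=$3; pw=$4
    ks="$dir/.keystore"
    (
        # The keystore contains the private key: make it owner-only.
        umask 077
        "$KEYTOOL" -genkeypair -keystore "$ks" -storepass "$pw" -keypass "$pw" \
            -alias "$alias" -keyalg RSA -keysize 4096 -validity 720 \
            -dname "CN=$domain, OU=Foo, O=Bar, L=City, ST=AA, C=FB" \
            -ext "SAN=dns:$domain" >/dev/null 2>&1
    )
    printf '%s\n' "$ks"
}

# cert_subject KEYSTORE ALIAS PASSWORD
# Prints the "Owner:" (subject) line of the certificate stored under ALIAS,
# e.g. "CN=example.com, OU=Foo, O=Bar, L=City, ST=AA, C=FB".
cert_subject() {
    "$KEYTOOL" -list -v -keystore "$1" -alias "$2" -storepass "$3" \
        | sed -n 's/^Owner: //p' | head -n 1
}

# keystore_mode KEYSTORE
# Prints the permission string of the keystore file, e.g. "-rw-------".
keystore_mode() {
    ls -ld "$1" | cut -c1-10
}

# Usage (placeholders): gen_keystore /srv/jakarta ALIAS example.com 'PW'
```

The same permission check applies to conf/server.xml once the keystore password is written into it in step 2.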

Step 2: Configure Tomcat

To use the new certificate, configure your Tomcat accordingly:

Activate the HTTPS connector in your conf/server.xml. Adjust keyAlias, keystoreFile and keystorePass accordingly:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="ALIAS" keystoreFile="/srv/jakarta/.keystore"
           keystorePass="PW from step 1" />

And that’s it! Restart Tomcat and you’re ready!
