To use an SSL certificate with Tomcat, you need to store it in a Java keystore file. You can generate both the keystore and the certificate using the Java command
Step 0: Find your
Make sure you have Java and the keytool command (ships with Java) installed. If you installed the JDK or JRE yourself it may not be in your
For example, my keytool is in
Step 1: Generate the keystore and the certificate
Before we begin, a note about the “alias” and the “common name” of the certificate:
- The alias is simply a “label” used by Java to identify a specific certificate in the keystore (a keystore can hold multiple certificates). It has nothing to do with the server name, or the domain name of the Tomcat service.
- The common name (CN) is an attribute of the SSL certificate. Your browser will usually complain if the CN of the certificate and the domain in the URI do not match (but since you’re using a self-signed certificate, your browser will probably complain anyway…). HOWEVER, when generating the certificate, the keytool will ask for “your first and last name” when asking for the CN, so keep that in mind. The rest of the attributes are not really that important.
So let’s generate a strong 4096-bit certificate that is valid for 2 years.
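One way to run this step and then confirm the result, as an added example that is not the original post's command. The alias, host name and keystore path are assumed values, and the SAN extension and the listing check go beyond what the post describes.

```shell
#!/bin/sh
# Added example. ALIAS, HOST and KEYSTORE are assumed values, not the post's.
ALIAS="tomcat"                        # keystore label only, not a hostname
HOST="tomcat.example.com"             # used as the CN; must match the URL host
KEYSTORE="$HOME/tomcat-keystore.p12"

# Create the keystore (if missing) and add a self-signed RSA-4096 key pair.
# -validity 730 is 2 years in days. -dname answers the "first and last name"
# prompt up front. keytool still prompts for the keystore password, which
# keeps it out of shell history and the process list.
generate_cert() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 4096 \
    -validity 730 -dname "CN=$HOST" -ext "SAN=dns:$HOST" \
    -keystore "$KEYSTORE" -storetype PKCS12
}

# Read `keytool -list -v` output on stdin and confirm the entry is the one
# intended: right alias, right CN, 4096-bit RSA key.
check_listing() {
  listing=$(cat)
  for want in "Alias name: $ALIAS" "Owner: CN=$HOST"; do
    printf '%s\n' "$listing" | grep -qxF "$want" ||
      { echo "missing: $want"; return 1; }
  done
  printf '%s\n' "$listing" | grep -qF "4096-bit RSA key" ||
    { echo "key is not 4096-bit RSA"; return 1; }
  echo "ok"
}

# Constructed sample of the relevant lines, in the format recent JDKs print
# (assumption: older JDKs may not print the key-size line).
SAMPLE_LISTING="Alias name: tomcat
Owner: CN=tomcat.example.com
Issuer: CN=tomcat.example.com
Subject Public Key Algorithm: 4096-bit RSA key"

if [ "${1:-}" = "run" ]; then
  generate_cert && keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" |
    check_listing
else
  printf '%s\n' "$SAMPLE_LISTING" | check_listing
fi
```

Called with the argument run, the script generates the certificate and checks the real keystore; without it, it only checks the constructed sample.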
Great, now the keystore has been created (if it didn’t exist already) and your self-signed certificate has been added to it.
Step 2: Configure Tomcat
To use the new certificate, configure your Tomcat accordingly:
Activate the HTTPS-Connector in your
And that’s it! Restart Tomcat and you’re ready!