Tomcat SSL certificate installation

From Oxxus Wiki


Note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server.

When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests.

Likewise, Tomcat will return cleartext responses, which the primary web server encrypts before returning them to the user's browser.

In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.


SSL with Apache as frontend

To install an SSL certificate on the Apache web server, please refer to the Apache SSL installation documentation page.

SSL with Tomcat keystore

Creating a self-signed certificate

The following steps are needed to create a self-signed certificate.

To start, create a keystore file: execute the command below and enter the desired password along with the necessary information for the certificate.

keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore

Then uncomment and adjust the "SSL HTTP/1.1 Connector" entry in the server.xml file, as needed. Ensure that the password matches the one you set for your keystore and that the path is correct.

Now you can restart Tomcat to verify that the configuration worked.
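The connector entry mentioned above is not shown on this page. The fragment below is an added example, not taken from the Oxxus wiki or from a particular Tomcat release: it uses the attribute style of older Tomcat versions (newer releases express the same settings in a nested `SSLHostConfig`/`Certificate` element), and the second element covers the front-end case described in the introduction. The port numbers, the `changeit` password, the loopback `address` and the `proxyPort` value are assumptions.

```xml
<!-- Stand-alone Tomcat: Tomcat terminates TLS itself using the keystore
     created with keytool. keystoreFile and keystorePass must match the
     file and password from the keytool step; "changeit" is a placeholder
     and keyAlias is the alias passed to keytool. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/my/keystore"
           keystorePass="changeit"
           keyAlias="tomcat" />

<!-- Tomcat behind Apache or IIS: the front-end server terminates TLS and
     forwards cleartext requests, so no keystore is configured here.
     scheme and secure make request.getScheme() and request.isSecure()
     report HTTPS to the application; proxyPort is the public HTTPS port.
     address limits the listener to the local host (assumes the front-end
     runs on the same machine), so clients cannot reach this cleartext
     connector directly while it claims to be secure. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           scheme="https" secure="true" proxyPort="443" />
```

Because `keystorePass` is stored in clear text, restrict read access to server.xml and to the keystore file to the account that runs Tomcat.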

Installing SSL certificate from CA

To obtain a certificate from a CA, a certificate request file needs to be created. Before proceeding further, all of the steps above need to be completed.

To create the request, use the following command:

keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>

Now you have your certificate request (certreq.csr), which you can submit to your CA of choice to receive an SSL certificate.

When you receive the certificate file from your CA, you will need to import the Chain Certificate from the CA first.

A download link for the Chain Certificate is usually available on your CA's website.

keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>

And finally import your own certificate.

keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>

Restart Tomcat and verify that the configuration works.

Problems

Make sure that all the paths are correct and that you are using the proper password for the keystore file.

Our default Tomcat installation package comes with the Java Secure Socket Extensions (JSSE) package. There should be no need to install it, but if you get an error similar to the one listed below, please contact our support and we'll install the missing libraries for you.

java.security.NoSuchAlgorithmException

Notes

Oxxus provides its customers with a wide variety of SSL certificates at the best prices. These include standard SSL certificates, extended and wildcard certificates by major SSL issuers. If you are interested in obtaining an SSL certificate, let us help you; we will also happily install the certificate on your VPS.

