The following instructions will guide you through the SSL Certificate installation process on Tomcat. If you have more than one server or device, you will need to install the certificate on each server or device you need to secure.
- Convert your certificate files
Convert your certificate files from .PEM (.cer or .crt) to PKCS#7 (.p7b) format. You can easily do this on your own system by running the OpenSSL command below.
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Save the certificate.p7b certificate file to the same directory as your keystore.
- Access your Directory
Go to the same Directory where you previously saved the keystore and Certificate Signing Request (CSR).
Note: You must install the certificate file on the same keystore and under the same "alias name" (e.g., "-alias server") that you used to generate your CSR. If not, you will encounter problems during installation and may have to start over.
- Run the Install command
To install the certificate file in your keystore, run the following command:
keytool -import -trustcacerts -alias server -file your_file_name.p7b -keystore your_domain_name.jks
Note: Replace "your_domain_name" with the primary domain you will be securing and "your_file_name" with the PKCS#7 file name that you recently converted and saved.
You should get a confirmation that the "Certificate reply was installed in keystore". If you are prompted to trust the certificate, type y or yes.
Your keystore file (your_domain_name.jks) is now ready to be used on your Tomcat Server. Now, you are ready to configure your server to use your certificate.
Before your Tomcat server can accept secure connections, you need to configure an SSL Connector.
- Open the server.xml file
Open the server.xml file from your server in a text editor such as Notepad.
Note: Typically, the server.xml file is in the conf folder in your Tomcat’s home directory.
- Locate your connector
Locate the connector that you intend to use the new keystore to secure.
Usually, a connector with port 443 or 8443 is used.
- Uncomment the connector
Uncomment the connector, if necessary, by removing the comment tags (<!-- and -->).
- Enter the keystore filename and password
Enter the correct keystore filename and password. See example below:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" keyAlias="server"
           keystoreFile="/home/user_name/your_domain_name.jks"
           keystorePass="your_keystore_password" />
Note: If you are using a version prior to Tomcat 7, please change the word "keystorePass" to "keypass".
- Save your changes
Save all your changes made to the server.xml file.
- Restart Tomcat
Restart the Tomcat service to complete the installation process.
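The steps above leave a few easy mistakes behind: the HTTPS connector is still inside a comment, the keystoreFile path does not exist on the server, the keyAlias does not match the alias used for the CSR, or the attribute is still spelled keypass. The following pre-flight check, an added example that is not part of the original guide, parses a server.xml and reports those problems before Tomcat is restarted. It assumes the attribute names shown in the guide's connector example; the sample server.xml embedded in it is constructed for the demonstration.

```python
"""Pre-flight check for the HTTPS <Connector> in a Tomcat server.xml.

Added example, not from the original guide. It assumes the attribute names
used in the guide (SSLEnabled, keystoreFile, keystorePass, keyAlias) and
flags the mistakes the guide warns about: a connector left commented out,
a keystore path that does not exist, a missing alias, and the pre-Tomcat-7
"keypass" attribute name.
"""
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml: one plain HTTP connector, one HTTPS
# connector still commented out, and one HTTPS connector set up as in
# the guide (paths and passwords are placeholders).
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <!--
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/home/user_name/your_domain_name.jks"
               keystorePass="changeit" />
    -->
    <Connector port="443" maxThreads="100" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
               keyAlias="server"
               keystoreFile="/home/user_name/your_domain_name.jks"
               keystorePass="your_keystore_password" />
  </Service>
</Server>
"""

REQUIRED_ATTRS = ("keystoreFile", "keystorePass", "keyAlias")


def find_ssl_connectors(xml_text):
    """Return (active, commented_out): live SSL connector elements and the
    text of any SSL connector that is still inside an XML comment."""
    # insert_comments=True keeps <!-- --> nodes in the tree, so a connector
    # that was never uncommented can be spotted (ElementTree normally drops
    # comments while parsing).
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(xml_text, parser=parser)
    active, commented_out = [], []
    for node in root.iter():
        if node.tag is ET.Comment:
            text = node.text or ""
            if "<Connector" in text and 'SSLEnabled="true"' in text:
                commented_out.append(text.strip())
        elif node.tag == "Connector" and node.get("SSLEnabled", "").lower() == "true":
            active.append(node)
    return active, commented_out


def check_connector(conn, keystore_exists=os.path.isfile):
    """Return a list of findings for one live SSL connector (empty = OK)."""
    attrs = conn.attrib
    findings = []
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            findings.append(f"missing {name}")
    if "keypass" in attrs:
        findings.append('"keypass" is the pre-Tomcat-7 name; use keystorePass')
    if attrs.get("scheme") != "https":
        findings.append('scheme should be "https"')
    if attrs.get("secure", "").lower() != "true":
        findings.append('secure should be "true"')
    path = attrs.get("keystoreFile")
    if path and not keystore_exists(path):
        findings.append(f"keystoreFile not found: {path}")
    return findings


def preflight(xml_text, keystore_exists=os.path.isfile):
    """Summarise the HTTPS connectors: findings per port, plus how many SSL
    connectors are still commented out."""
    active, commented_out = find_ssl_connectors(xml_text)
    return {
        "active": {c.get("port", "?"): check_connector(c, keystore_exists) for c in active},
        "commented_out": len(commented_out),
    }


if __name__ == "__main__":
    # On a real server, read conf/server.xml instead of the sample.
    result = preflight(SAMPLE_SERVER_XML)
    for port, findings in result["active"].items():
        print(f"port {port}: {'OK' if not findings else '; '.join(findings)}")
    if result["commented_out"]:
        print(f"{result['commented_out']} SSL connector(s) still commented out")
```

Run it against conf/server.xml before restarting Tomcat; an empty findings list for the HTTPS port and zero commented-out connectors means the connector matches what the guide describes. The keystore path check only confirms the file exists; whether the alias inside it matches keyAlias is still verified with keytool -list on the keystore.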
Your certificate is now installed. You can navigate to your site in a web browser and view the certificate/site information to verify that HTTPS/SSL is working properly. Remember, you may need to restart your server for changes to take effect.