Sometimes we may need to implement an SSL certificate in tomcat for Java projects. Implementing SSL in tomcat is somehow different from implementing in web servers like Nginx, Apache.
Tomcat uses a Java KeyStore (JKS) repository to hold all of the security certificates and their corresponding private keys. This requires the use of the keytool utility that comes with the Java Development Kit (JDK) or the Java Runtime Environment (JRE).
Here at LinuxAPT, as part of our Server Management Services, we regularly help our Customers to perform related SSL Certificate configuration queries on Linux systems.
In this context, we shall look into how to install the SSL certificate on tomcat.
1. Create a Keystore
Java provides JKS also know as Java KeyStore as a security certificates repository. Both JDK and JRE provide command-line utility tool keytool for creating and managing Keystore. Run the following command to create a KeyStore:
$ keytool -genkey -alias tomcat.linuxapt.com -keyalg RSA -keystore /etc/pki/keystore
2. Create CSR
If you are going to install a self-signed certificate, you can avoid this step. If you want to install purchased SSL certificates, then you need to create a CSR file with the below command:
$ keytool -certreq -keyalg RSA -alias tomcat.linuxapt.com -file tomcat.csr -keystore /etc/pki/keystore
You will get a prompt to supply a Keystore password. Once the password is submitted, a CSR file will be generated. Use this CSR file to purchase a CA-signed SSL certificate.
3. Get CA signed SSL certificate
Once the certificate is issued by CA, you will have the following files. A domain (tomcat.linuxapt.com) is taken for example:
i. Install the certificate
Import the CA-signed certificate using the following command:
$ keytool -import -alias tomcat.linuxapt.com -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/tomcat.linuxapt.com.crt
Where path-to-certificate is the certificate directory and tomcat.linuxapt.com.crt is the CA-signed SSL certificate.
ii. Install root certificate
Import root certificate using the following command:
$ keytool -import -alias root -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/root.crt
Where root.crt is the root certificate file.
iii. Install intermediate certificate
Run the following command to import intermediate certificate files:
$ keytool -import -alias intermediateca -keystore /etc/pki/keystore -trustcacerts -file path-to-certificate/intermediateca.crt
Where intermediateca.crt is the intermediate certificate file.
After importing all the required certificates, now it’s time to configure tomcat Keystore. Go to the tomcat installation folder and find the server.xml file. Update the configuration file with the following contents.
$ vi tomcat-installation-directory/config/server.xml
Example:
$ vi /opt/tomcat/config/server.xml
<Connector port="4443" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="4443"
SSLEnabled="true"
scheme="https"
secure="true"
sslProtocol="TLS"
keystoreFile="/etc/pki/keystore"
keystorePass="_password_" />
Here, port 4443 is being used. You can select any ports depending upon your environment.
Certificates installation has been completed. Restart the tomcat server to reflect the changes with the below commands:
$ path-to-tomcat/bin/shutdown.sh
$ path-to-tomcat/bin/startup.sh
Example,
$ /opt/tomcat/bin/shutdown.sh
$ /opt/tomcat/bin/startup.sh
Now access the tomcat server URL using any browser to verify the certificates:
https://tomcat-server:<Port>
Example,
https://tomcat.linuxapt.com:4443
This article covers how to generate CSR files and install CA signed SSL certificates in Tomcat for Java projects.
The need to create a self-signed certificate ?