How do I install an SSL Certificate into Tomcat?

Problem

How do I install an SSL Certificate into Tomcat?

Resolution

In order to complete this installation, you will need your SSL certificate together with the Root and Intermediate certificate files that issued it. You can use the KB article found at https://support.quovadisglobal.com/KB/a436/quovadis-ssl-general-intermediate-and-root-certificates.aspx to determine which Root and Intermediate you need.

Part I - Complete the Java KeyStore File

Once you have obtained all the files that you will need during this process, you are ready to install them into the Java KeyStore file that you created initially along with the CSR.

Important Note: Part I provides the commands needed to install the Intermediate, Root and SSL certificate into your Java KeyStore.  Particular parts of these commands (shown in bold in the original article) are placeholders: the keystore file name, the certificate file names and the alias.  You will need to change these to reflect your situation and your Java KeyStore file.
  1. Open a command line that has access to the Java Keytool and run the following command to install the Root Certificate into the Java KeyStore file:

     keytool -import -trustcacerts -alias root -file <root_certificate_file>.crt -keystore keystore.jks

    Note: Please remember to change "keystore.jks" to the name of the *.jks file that you created the private key in.

  2. When prompted for the keystore password, enter the password that was set when the KeyStore was created.

  3. Keytool will display the Root Certificate and ask whether you trust it.  Type y or yes when prompted.  If the Root is already present in the Java cacerts store, keytool says so and asks whether to add it to your own keystore anyway; answer yes.

  4. Next, import the Intermediate Certificate into the Java KeyStore file with the following command:

     keytool -import -trustcacerts -alias intermediate -file <intermediate_certificate_file>.crt -keystore keystore.jks

    Note: Please remember to change "keystore.jks" to the name of the *.jks file that you created the private key in.

  5. When prompted for the keystore password, enter the password that was set.

  6. Keytool will display the Intermediate Certificate and ask whether you trust it.  Type y or yes when prompted.

  7. Next, import your SSL Certificate into the Java KeyStore file with the following command:

     keytool -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore keystore.jks

    Note: Please remember to change the "tomcat" alias to the alias that you specified during the CSR generation.  If you used the QuoVadis Java Keytool Command Tool, this should be "server".  You must also change "keystore.jks" to the name of the *.jks file that you created the private key in, and "PrimaryCertFileName.crt" to the name of your SSL certificate file.

  8. When prompted for the keystore password, enter the password that was set.

  9. Because the alias matches the entry that holds your private key, keytool does not ask you to trust this certificate.  It validates your SSL Certificate against the Root and Intermediate imported in the previous steps and reports "Certificate reply was installed in keystore".  If keytool instead asks "Trust this certificate?", the alias does not match your private key entry: answer no, check which alias you used when generating the CSR, and run the command again with that alias.  Importing the SSL Certificate under the wrong alias creates a separate trusted-certificate entry that Tomcat will never use.
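The whole of Part I as a script, as an added example that is not part of this KB article: it checks that the alias really holds the private key before importing anything, answers the trust prompts for the two CA certificates with -noprompt, imports the SSL certificate under the key alias, and lists the resulting chain.  It assumes a JDK keytool on the PATH and takes the keystore password from the environment variable KEYSTORE_PASS (keytool's -storepass:env form keeps it out of the process list); the file names keystore.jks, root.crt, intermediate.crt and server.crt and the alias tomcat are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example, not from the QuoVadis KB: Part I without the interactive prompts.
# Assumes: JDK keytool on PATH; the keystore password in $KEYSTORE_PASS.
# Usage: KEYSTORE_PASS=secret sh install-chain.sh keystore.jks tomcat root.crt intermediate.crt server.crt
set -eu

# Classify a keytool entry from `keytool -list` output read on stdin.
# Prints "key" for the entry that holds your private key (the one the CSR
# came from), "trusted" for an imported CA certificate, "none" otherwise.
entry_type() {
    listing=$(cat)
    case "$listing" in
        *PrivateKeyEntry*)  echo key ;;
        *trustedCertEntry*) echo trusted ;;
        *)                  echo none ;;
    esac
}

# Run keytool -list for one alias; swallow the error keytool raises for a
# missing alias so the caller can classify the (empty) output as "none".
list_alias() {
    keytool -list -keystore "$1" -storepass:env KEYSTORE_PASS -alias "$2" 2>/dev/null || true
}

import_chain() {
    ks=$1 alias=$2 root=$3 inter=$4 leaf=$5

    # The server certificate must be imported under the alias of the private
    # key. Under any other alias keytool silently creates a trustedCertEntry
    # that Tomcat will never serve, so stop here if the alias is wrong.
    if [ "$(list_alias "$ks" "$alias" | entry_type)" != key ]; then
        echo "error: no private key entry under alias '$alias' in $ks" >&2
        return 1
    fi

    # CA certificates: -noprompt answers the "Trust this certificate?" question.
    keytool -importcert -noprompt -trustcacerts -alias root \
        -file "$root" -keystore "$ks" -storepass:env KEYSTORE_PASS
    keytool -importcert -noprompt -trustcacerts -alias intermediate \
        -file "$inter" -keystore "$ks" -storepass:env KEYSTORE_PASS

    # Certificate reply: keytool builds the chain leaf -> intermediate -> root
    # from the entries above and fails if it cannot; on success it prints
    # "Certificate reply was installed in keystore".
    keytool -importcert -trustcacerts -alias "$alias" \
        -file "$leaf" -keystore "$ks" -storepass:env KEYSTORE_PASS

    # Show the result: the key entry should now report "Certificate chain length: 3".
    keytool -list -v -keystore "$ks" -storepass:env KEYSTORE_PASS -alias "$alias" \
        | grep -E 'Entry type|Certificate chain length|Owner:|Issuer:'
}

if [ $# -eq 5 ]; then
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore password}"
    import_chain "$@"
fi
```

Running it a second time fails on the root alias with keytool's "alias already exists" error, which is the intended guard against importing the chain twice; delete the root and intermediate entries first if you need to redo the import.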

Part II - Assigning the new Java KeyStore File to Tomcat

Once you have completed your Java KeyStore file, you must assign it in the Tomcat settings so that Tomcat will use the new SSL certificate.  To change these settings, you will have to open and edit your server.xml file.

Note: Plan ahead for this step, as it requires a restart of Tomcat.
  1. Open the Tomcat server.xml file with a simple text editor (such as Notepad on Windows).

    Note: This can generally be found at Home_Directory/conf/server.xml, where Home_Directory is the directory Tomcat is installed in.

    You must configure the SSL Connector part of the server.xml file.  If this is your first time configuring Tomcat for SSL, follow Step 2 and Step 3.  Otherwise, you may skip to Step 4.

  2. If this is your first time configuring Tomcat, you will first need to uncomment the SSL Connector configuration.  You may uncomment a section by removing the <!-- and --> around it.  Also locate the port= part of the SSL Connector and change it to 443.

    Note: On Linux and Unix systems only a privileged process can bind to ports below 1024, so Tomcat must either run with that privilege, have port 443 forwarded to it, or keep the default port 8443.

  3. The first time you look at the server.xml file, you will notice that the keystoreFile="${user.home}/.keystore" keystorePass="changeit" attributes that you require are missing.  For a first-time installation of an SSL certificate into Tomcat you will have to enter them manually.  Below is an example of how it should look:

     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     keystoreFile="${user.home}/.keystore" keystorePass="changeit"
     clientAuth="false" sslProtocol="TLS" />

  4. Edit the keystoreFile= part to match the path and filename of the Java KeyStore file.  The ${user.home} part should be changed to represent the base directory of the Tomcat instance.  A relative path such as conf/your_keystore.jks is resolved against that base directory, so it works when the keystore is placed in Tomcat's conf directory; otherwise give the absolute path.

  5. Edit the keystorePass= part to match the password that was set for the Java KeyStore file.

    Note: The password is stored in clear text in server.xml, so make sure that server.xml and the keystore file are readable only by the account that runs Tomcat.

  6. When you have completed all of the steps, the SSL Connector part of your server.xml file should look similar to this:

     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     keystoreFile="conf/your_keystore.jks" keystorePass="your_password"
     clientAuth="false" sslProtocol="TLS" />

    Note: The port, keystoreFile and keystorePass values are what changes from a fresh installation.  If your keystore holds more than one private key entry, also add a keyAlias attribute naming the alias you used for the CSR; without it Tomcat uses the first key entry it finds.  This attribute form is the one used by Tomcat 6, 7 and 8.0; Tomcat 8.5 and later document nested SSLHostConfig and Certificate elements instead (with certificateKeystoreFile, certificateKeystorePassword and certificateKeyAlias attributes), so check the SSL/TLS how-to for your Tomcat version.

  7. Save the changes you have made to the server.xml file.

  8. To complete the process, you must restart Tomcat.  Depending on the Operating System that Tomcat is installed on, this may be a Windows Service to restart or a Tomcat shutdown and startup script to run.

  9. Verify in a browser (Firefox and Internet Explorer, for example) that the new certificate is shown without warnings and that the certificate path runs from the Root through the Intermediate to your SSL certificate.  Browsers can silently fill in a missing Intermediate from their own cache, so a test from a client that does not have it cached is the reliable check that Tomcat is sending the full chain.
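Step 9 done from the command line, as an added example that is not part of this KB article: it asks the server for its certificate chain with openssl s_client and counts how many certificates Tomcat actually sent.  Two or more (your SSL certificate plus the Intermediate) means the Intermediate was imported into the keystore that server.xml points to; one means it was not, and browsers without a cached copy of the Intermediate will show a warning.  It assumes the openssl command-line tool on the PATH; the host name www.example.com is a placeholder.

```shell
#!/bin/sh
# Added example, not from the QuoVadis KB: check that Tomcat sends the full
# chain after the restart. Assumes the openssl command-line tool on PATH.
# Usage: sh check-chain.sh www.example.com 443
set -eu

# Count certificates in `openssl s_client -showcerts` output read on stdin.
served_chain_length() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Extract the Subject of each certificate in the order the server sent them:
# the first must be your SSL certificate, the next the Intermediate.
# (s_client prints " 0 s:CN=..." and "   i:CN=..." for each certificate.)
served_subjects() {
    sed -n 's/^ *[0-9][0-9]* s:\(.*\)$/\1/p'
}

# Fetch the chain from a live server and fail if fewer than two came back.
check_served_chain() {
    host=$1 port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null)
    n=$(printf '%s\n' "$out" | served_chain_length)
    echo "$host:$port sent $n certificate(s):"
    printf '%s\n' "$out" | served_subjects | sed 's/^/  /'
    if [ "$n" -lt 2 ]; then
        echo "FAIL: the Intermediate is not being sent; re-check Part I and the keystoreFile in server.xml" >&2
        return 1
    fi
    echo "OK: server certificate and Intermediate are both sent"
}

if [ $# -ge 1 ]; then
    check_served_chain "$@"
fi
```

Some servers also send the Root as a third certificate; that is harmless, so the check only insists on at least two.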
