Articles in Root

Share Via Email

How do I install an SSL Certificate into Tomcat?

Problem

How do I install an SSL Certificate into Tomcat?

Solution

In order to complete this Installation, you will need to obtain the root and intermediate files. You can use the KB article found at https://support.quovadisglobal.com/KB/a436/quovadis-ssl-general-intermediate-and-root-certificates.aspx to determine what you need.

Part I - Complete the Java KeyStore File

Once you have obtained all the files that you will need during this process, you are ready to install them into the Java KeyStore file that you created initially along with the CSR.

Important Note: Part I will provide the commands needed to install the Intermediate, Root and SSL certificate into your Java KeyStore.  You may notice that particular sections of these commands are in bold.  These bold parts are relative and will need to be changed by you in order to reflect your situation and Java KeyStore file.

  1. Open up the command line that has access to the Java Keytool.  You must run the following command in order to install the Root Certificate into the Java KeyStore file:

    2. keytool -import -trustcacerts -alias root -file <root_certificate_file>.crt -keystore keystore.jks

    Note:

  2. When prompted for the keystore password, enter in the password that was set.

  3. The command will verify the Root Certificate and want you to accept its trust.  Type in y or yes when prompted.

  4. Next, you will need to import the Intermediate Certificate into the Java KeyStore file.  This can be done by entering in the following command:

    5. keytool -import -trustcacerts -alias intermediate -file <intermediate_certificate_file>.crt -keystore keystore.jks

    Note:

  5. When prompted for the keystore password, enter in the password that was set.

  6. The command will verify the Intermediate Certificate and want you to accept its trust.  Type in y or yes when prompted.

  7. Next, you will need to import your SSL Certificate into the Java KeyStore file.  This can be done by entering in the following command:

    8. keytool -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore keystore.jks

    Note:

  8. When prompted for the keystore password, enter in the password that was set.

  9. The command will verify your SSL Certificate and want you to accept its trust.  Type in y or yes when prompted.

Part II - Assigning the new Java KeyStore File to Tomcat

Once you have completely created your Java KeyStore file, you must now assign it to the Tomcat settings to that Tomcat will use the new SSL certificate.  In order to change these settings, you will have to open and edit your server.xml file.

Note: You will have to plan ahead of time for this step as it requires a restart of Tomcat.

  1. Open the Tomcat server.xml file with a simple text editor (such as notepad on Windows).

    Note: This can generally be found in the Home_Directory/conf/server.xml.

You must configure the SSL Connector part in the server.xml file.  If this is your first time configuring Tomcat, then please follow Step 2 and Step 3.  Otherwise, you may skip to Step 4.

If this is your first time configuring Tomcat, then you will first need to uncomment the SSL Connector Configuration.  You may uncomment a section by removing the <!-- and --> around the section that you want to uncomment.

  1. You must also locate the port= part in the SSL Connector part and change it to 443.

  2. The first time you look at the server.xml file, you will notice that you will be missing the keystoreFile="${user.home}/.keystore" keystorePass="changeit" lines that you require.  For the first time installation of an SSL certificate into Tomcat, you will have to manually enter this section in.  Below is an example of how it should look:

    3. <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="${user.home}/.keystore" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS" />

  3. Edit the keystoreFile= part to match the path and filename of the Java KeyStore file.  The ${user.home} part should be changed to represent the base directory for the Tomcat instance.

  4. Edit the keystorePass= part to match the password that was set for the Java KeyStore file.

    5. server.xml

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="conf/your_keystore.jks" keystorePass="your_password"
    clientAuth="false" sslProtocol="TLS" />

    Note:bold

  5. Save the changes you have made to the server.xml file.

  6. In order to complete the process, you must restart Tomcat.  Depending on which Operating System that Tomcat is installed on, this could be as Windows Service or an option that you must select to restart Tomcat.

  7. You should verify through Firefox and Internet Explorer that the new certificate is visible and has been installed correctly.

Legal


DigiCert is the world’s premier provider of high-assurance digital certificates—providing trusted SSL, private and managed PKI deployments, and device certificates for the emerging IoT market. Since our founding almost fifteen years ago, we’ve been driven by the idea of finding a better way. A better way to provide authentication on the internet. A better way to tailor solutions to our customer’s needs.

© 2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.