Thursday, May 29, 2008

Enabling https (SSL) in Tomcat

To enable SSL in Tomcat you need to buy a signed certificate (or certificates) from a Certificate Authority (some hosting companies also sell SSL certificates). The work doesn't end with that: after buying a certificate you have to create a certificate request, which your CA will sign and authorize.

Below are the steps I followed to enable SSL in Tomcat.

Note: Remember to replace the full path of each filename. Usually I create these files in a new subdirectory.

Creating Certificate Request

$ keytool -genkey -alias tomcat -keyalg RSA -keystore tomcat.key

The above command generates a keystore file (tomcat.key) using the RSA algorithm, with the key stored under the alias tomcat. A keystore is nothing but a file that holds your key together with the certificates the CA signs. The command prompts you for all of the following information, so please keep it handy:
Keystore password: <anything you want>
First & Last Name: <your name/any authorized person's name>
Organizational Unit: <Dept in your company>
Organization Name: <Your company name>
Your City:
State:
Country Code: <eg: US>

The following command actually creates the CSR (certificate signing request):
$ keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore tomcat.key

Depending on whom you bought the certificate from, you may have to paste the contents of certreq.csr into your CA's site, or your CA may accept it as an email attachment.

Keys from CA:

You will receive the issued certificate from the CA. You may also have to download two more certificates (root & intermediate) from your CA's website. Import the root certificate first, then the intermediate, followed by your site's certificate. Below are the steps:

First import the root cert.
$ keytool -import -alias root -keystore tomcat.key -trustcacerts -file <root.crt>

Then the intermediate cert
$ keytool -import -alias intermed -keystore tomcat.key -trustcacerts -file <intermediate.crt>

Finally your site's cert
$ keytool -import -alias tomcat -keystore tomcat.key -trustcacerts -file <yourdomain.com.crt>

yourdomain.com.crt is the certificate file issued by the CA for your domain.

How to list the imported Certificates?

$ keytool -list -keystore tomcat.key

The keystore file is now ready. Let us now configure Tomcat to use this keystore file.

If you have already installed Tomcat, edit the server.xml of the Tomcat instance for which you want to turn on https. Search for the lines below:

<Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

The above lines are commented out by default. Remove the comment markers <!-- before and --> after them.

Add the line below anywhere among the Connector's attributes:
keystoreFile="/path/to/keystore/tomcat.key" keystorePass="changeit"

keystorePass must be the keystore password you chose when running keytool -genkey above, otherwise Tomcat cannot open the keystore.

Restart the tomcat service. We are done.

Now you should be able to browse https://localhost:8443 from the machine where Tomcat is installed. You can view the certificate in the browser and cross-check it.
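As an added check (not part of the original post), the Python script below parses a server.xml and reports whether the 8443 Connector is actually active and carries the attributes the steps above add; the two server.xml fragments are constructed samples, one still commented out and one configured.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the post's file): the 8443 Connector is still inside
# the default <!-- --> comment, so no HTTPS listener is actually configured.
STILL_COMMENTED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!--
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
  </Service>
</Server>"""

# Constructed sample: the comment removed and the keystore attributes added.
CONFIGURED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/path/to/keystore/tomcat.key" keystorePass="changeit" />
  </Service>
</Server>"""

REQUIRED_ATTRS = ("keystoreFile", "keystorePass", "sslProtocol")


def check_https_connector(server_xml, port="8443"):
    """Return a list of problems found for the HTTPS Connector on `port`.
    ElementTree drops XML comments while parsing, so a Connector still wrapped
    in <!-- ... --> is not seen at all: the 'forgot to uncomment it' mistake."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no active Connector on port {port} (still commented out?)"]
    problems = []
    for conn in connectors:
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            problems.append('Connector must carry scheme="https" secure="true"')
        for attr in REQUIRED_ATTRS:
            if not conn.get(attr):
                problems.append(f"missing {attr} attribute")
    return problems


if __name__ == "__main__":
    for name, text in (("still commented", STILL_COMMENTED), ("configured", CONFIGURED)):
        print(name, "->", check_https_connector(text) or "OK")
```

To check a real installation, read the file with open(...).read() and pass the text in; the script does not verify that keystoreFile exists or that keystorePass opens it, which keytool -list does.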
