How to Implement SSL in Apache Tomcat?

A step-by-step guide to set up SSL/TLS certificate in Tomcat server.

One of the essential tasks for securing Tomcat is to configure SSL certificate, so web application is accessible over HTTPS.

There are many ways to achieve this.

You can terminate SSL at a load balancer
Implement SSL at CDN level
Use web servers like Apache, Nginx, etc. in front and implement SSL there

However, if you are not using any of the above or using this as a front-end or need to deploy SSL directly in Tomcat, then the following will help you.

In this article, we will do as below.

Generate CSR (Certificate signing request)
Import certificate in a keystore file
Enable SSL in Tomcat
Configure TLS protocol
Change Tomcat to listen on 443 port
Test Tomcat for SSL vulnerability

Let’s start…

Preparing for SSL/TLS Certificate

The first step would be to generate a CSR and get that signed by the certificate authority. We will use keytool utility to manage the certificates.

Login to the Tomcat server
Go to the tomcat installation path
Create a folder called ssl
Execute command to create a keystore

keytool -genkey -alias domainname -keyalg RSA -keysize 2048 -keystore filename.jks

There is two variable in above commands which you may want to change.

Alias – better to keep it meaningful so in future you can quickly recognize. I prefer to keep it as a domain name.
Filename – again, it’s good to keep the domain name.

Ex:

[root@geekflare ssl]# keytool -genkey -alias bloggerflare -keyalg RSA -keysize 2048 -keystore bloggerflare.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: bloggerflare.com
What is the name of your organizational unit?
[Unknown]: Blogging
What is the name of your organization?
[Unknown]: Geek Flare
What is the name of your City or Locality?
[Unknown]:
What is the name of your State or Province?
[Unknown]:
What is the two-letter country code for this unit?
[Unknown]:
Is CN=bloggerflare.com, OU=Blogging, O=Geek Flare, L=Unknown, ST=Unknown, C=Unknown correct?
[no]: yes

Enter key password for <bloggerflare>
(RETURN if same as keystore password):

[root@geekflare ssl]#

Pay attention to the first and last name question. This is a bit of misleading I think. It’s not your name but the domain name which you want to secure.

Once you provide all the information, it will create a keystore file on a present working directory.

Next would be to generate a new CSR with the newly created keystore with below command.

keytool -certreq -alias bloggerflare -keyalg RSA -file bloggerflare.csr -keystore bloggerflare.jks

This will create a CSR which you need to send to the certificate authority to get it signed. If you are playing around, then you may consider using a FREE certificate provider else go for a premium one.

I got the certificate signed and will proceed to import into keystore with below command.

Import root certificate is given by the provider

keytool -importcert -alias root -file root -keystore bloggerflare.jks

Import intermediate certificate

keytool -importcert -alias intermediate -file intermediate -keystore bloggerflare.jks

Note: without importing root & intermediate, you won’t be able to import domain certificate into keystore. If you have more than one intermediate, then you got to import them all.

Import domain certificate

keytool -importcert -file bloggerflare.cer -keystore bloggerflare.jks -alias bloggerflare

and, you will get a confirmation that it was installed.

Certificate reply was installed in keystore

Great, so certificate keystore is ready now. Let’s move to the next step.

If you are new to SSL and interested to know more then enroll in this online course – SSL/TLS Operations.

Enable SSL in Tomcat

Assuming you are still logged into Tomcat server, go to conf folder

Take a backup of the server.xml file
Go to <Connector port="8080" protocol="HTTP/1.1" section and add a line

SSLEnabled="true" scheme="https" keystoreFile="ssl/bloggerflare.jks" keystorePass="chandan" clientAuth="false" sslProtocol="TLS"

Don’t forget to change the keystore file name and password with yours
Restart tomcat and you should see Tomcat is accessible over HTTPS

Sweet!

Standard HTTPS Port

Why?

Well, if you look at above screenshot, I am accessing Tomcat over 8080 with https which is not standard and some more reasons.

You don’t want to ask users to use custom port
Browser will give warning as certificate is issued on domain name without the port

So idea is to make Tomcat listen on 443 port so it’s accessible just over https:// without the port number.

To do so, edit server.xml with your favorite editor

Go to <Connector port="8080"
Change port from 8080 to 443
It should look like this

<Connector port="443" protocol="HTTP/1.1"
connectionTimeout="20000"
SSLEnabled="true" scheme="https" keystoreFile="ssl/bloggerflare.jks" keystorePass="chandan" clientAuth="false" sslProtocol="TLS"
redirectPort="8443" />

Restart Tomcat and access your application with https without any port number

Impressive, it’s a success!

SSL/TLS Vulnerability Test

Finally, we will perform a test to ensure it’s not vulnerable to online threats.

There are many online tools which I discussed here, and here I will use SSL Labs.

Go to SSL Labs and enter the URL to begin the test

And it’s GREEN – A rating.

However, its always a good idea to scroll down the report and see if you find any vulnerability and fix it.

So that was all for today.

I hope this helps you to know the procedure of securing Tomcat with SSL/TLS certificate. If you are interested in learning more then I would highly recommend this course.

Chandan Kumar
Contributor
- LinkedIn
Chandan Kumar is a founder of Geekflare. He is a technology enthusiast and entrepreneur who is passionate about helping businesses and individuals around the world.