
Install SSL certificates in Tomcat servers

Last Updated: Mar 30, 2021

Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.

Overview

This topic describes how to install a downloaded certificate in Tomcat.

Detail 

You can download a certificate issued through SSL Certificates Service and install it on your Tomcat server. This topic describes how to install such an SSL certificate.

Notes:

  • Make sure that port 8443, the default port of the Tomcat HTTPS connector, is open on your Tomcat server (including any firewall or security group in front of it). If you change the connector to port 443, open that port instead.
  • If the domain name is served by multiple servers, install the certificate on each of them.

Download a certificate

  1. Log on to the SSL console and confirm that the status of your certificate is Issued.
  2. Download the certificate for the Tomcat server type. For more information, see download certificates.

Install the certificate on a Tomcat server

Before you install the certificate, you must obtain the certificate file and the password file. Follow the steps that match the CSR generation method you chose when you applied for the certificate:

  • If you let the system generate the CSR automatically, see CSR generated by system.
  • If you generated the CSR yourself, see Create your own CSR.

CSR generated by system

  1. Decompress the downloaded certificate package and confirm that it contains a Tomcat folder.
  2. From the Tomcat folder, obtain the PFX certificate file and the pfx-password.txt file that holds its password.
    Note: each download generates a new password, which is valid only for the certificate file in that download. If you download the certificate again, use the new password. If you did not choose automatic CSR generation when applying for the certificate, no PFX file is provided: download the certificate package for another server type to obtain the CRT/PEM file and generate the PFX certificate yourself with the openssl command. For more information, see Create your own CSR.

Create your own CSR

  1. Decompress the downloaded certificate package to obtain the server.pem file.
    Note: server.pem contains two -----BEGIN CERTIFICATE-----/-----END CERTIFICATE----- blocks: the server certificate followed by the intermediate CA certificate. Both must stay in the file so that Tomcat sends the full chain.
  2. Use the OpenSSL tool to convert the PEM certificate into a PFX (PKCS#12) file, server.pfx:
    1. Copy server.pem and the private key file (server.key) that you generated together with the CSR into the bin directory of the OpenSSL installation directory.
    2. In that bin directory, run the following command to convert the PEM certificate to a PFX certificate:
      openssl pkcs12 -export -out server.pfx -inkey server.key -in server.pem
    3. When you are prompted for the export password, enter a password of your choice and press Enter.
      Notes:
      • Keep the PFX password safe. The JKS password that you set later must be the same as the PFX password; otherwise Tomcat may fail to start.
      • To improve password strength, we recommend that you follow these complexity requirements:
        • The password is 8 to 32 characters in length.
        • The password contains at least three of the following character types: uppercase letters, lowercase letters, digits, spaces, and special characters.
    4. Enter the PFX password again when prompted and press Enter.
      Note: if no error message is displayed, server.pfx has been generated in the OpenSSL bin directory.
  3. Use keytool to convert the PFX file into a JKS keystore, server.jks:
    1. Copy the server.pfx file generated in step 2 of this section to the bin directory of your JDK (%JAVA_HOME%/bin on most installations).
    2. In that directory, run the following command and press Enter:
      keytool -importkeystore -srckeystore server.pfx -destkeystore server.jks -srcstoretype PKCS12 -deststoretype JKS
    3. Enter the password for the new JKS keystore when prompted and press Enter.
      Note: set the JKS password to the same value as the PFX password. Unless a separate key password is configured, Tomcat uses the keystore password to unlock the private key entry as well, so a mismatch causes Tomcat to fail to start.
    4. Enter the JKS password again when prompted and press Enter.
    5. Enter the PFX password that you set in step 2 of this section when prompted and press Enter. If keytool prints a message similar to the following, the conversion succeeded and server.jks has been generated in the JDK bin directory in which you ran the command:
      Entry for alias 1 successfully imported.
      Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
    6. In the same directory, create a keystorePass.txt file and save the JKS password in it. Restrict read access to this file to the account that runs Tomcat, because it holds the keystore password in plaintext.
  4. In the Tomcat installation directory, create a cert directory and copy server.jks and keystorePass.txt into it.
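The conversion above is interactive and asks for the same password three times. The following script is an added example, not part of the original article and not an Alibaba Cloud tool: it performs the PEM to PFX to JKS conversion with the non-interactive options of openssl and keytool, reads the password from a file instead of the command line (so it never appears in ps output or shell history), uses one password for both the PFX and the JKS so that Tomcat's keystorePass unlocks the key entry, and checks the password against the complexity guidance above. It assumes the article's file names (server.pem, server.key, keystorePass.txt) and that your JDK's keytool accepts the :file password modifier, which has been standard since JDK 6.

```shell
#!/bin/sh
# Added example; it is not part of the original article. It automates the
# PEM -> PFX -> JKS conversion from "Create your own CSR" with non-interactive
# openssl and keytool options, reads the password from a file so it never
# appears on a command line, and uses the same password for the PFX and the
# JKS so that Tomcat's keystorePass also unlocks the private key entry.
# Assumed inputs (the article's names): server.pem, server.key, keystorePass.txt.
set -eu

# True if the string contains at least one character from the tr(1) class in $2.
has_chars() {
    [ -n "$(printf '%s' "$1" | tr -cd "$2")" ]
}

# True if the string contains a character that is neither alphanumeric nor a space.
has_special() {
    [ -n "$(printf '%s' "$1" | tr -d '[:alnum:] ')" ]
}

# Check a candidate keystore password against the article's recommendation:
# 8 to 32 characters and at least three of: uppercase, lowercase, digits,
# spaces, special characters. Returns 0 if it complies, 1 otherwise.
check_password() {
    pw=$1
    [ "${#pw}" -ge 8 ] && [ "${#pw}" -le 32 ] || return 1
    n=0
    has_chars "$pw" '[:upper:]' && n=$((n + 1))
    has_chars "$pw" '[:lower:]' && n=$((n + 1))
    has_chars "$pw" '[:digit:]' && n=$((n + 1))
    has_chars "$pw" ' '         && n=$((n + 1))
    has_special "$pw"           && n=$((n + 1))
    [ "$n" -ge 3 ]
}

# Number of PEM certificate blocks in a file. server.pem from the console is
# expected to hold 2: the server certificate and the intermediate CA certificate.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Convert $1 (PEM chain) and $2 (private key) into server.pfx and server.jks in
# the current directory, taking the password from the first line of file $3.
# "-name tomcat" sets the entry alias, which keyAlias="tomcat" in server.xml can
# reference if the keystore ever holds more than one entry.
pem_to_jks() {
    pem=$1; key=$2; passfile=$3
    [ "$(count_pem_certs "$pem")" -ge 2 ] || {
        echo "warning: $pem holds fewer than 2 certificates; the intermediate CA may be missing" >&2
    }
    openssl pkcs12 -export -name tomcat -in "$pem" -inkey "$key" \
        -out server.pfx -passout "file:$passfile"
    keytool -importkeystore -noprompt \
        -srckeystore server.pfx -srcstoretype PKCS12 -srcstorepass:file "$passfile" \
        -destkeystore server.jks -deststoretype JKS -deststorepass:file "$passfile"
}

# Usage: sh convert.sh convert server.pem server.key keystorePass.txt
# Create keystorePass.txt first with restrictive permissions, for example:
#   (umask 077; printf '%s\n' 'Tomcat-2021 pass' > keystorePass.txt)
if [ "${1:-}" = "convert" ] && [ $# -eq 4 ]; then
    umask 077                      # server.pfx and server.jks are created mode 0600
    pw=$(head -n 1 "$4")
    check_password "$pw" || echo "warning: password does not meet the recommended complexity" >&2
    pem_to_jks "$2" "$3" "$4"
    echo "generated server.pfx and server.jks; copy them together with $4 into \$CATALINA_HOME/cert"
fi
```

After the script runs, the three files to copy into the cert directory are server.jks, keystorePass.txt and, if you plan to use the PKCS12 keystore directly on Tomcat 8.5/9, server.pfx. The umask keeps the key material readable only by the account that ran the script; change the owner to the Tomcat service account when you copy the files.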

Modify the configuration file

Modify the server.xml configuration file according to your Tomcat version. See Tomcat 7 or Tomcat 8.5/9 below:

Tomcat 7

  1. Locate the following contents in the server.xml file in the conf directory of the Tomcat installation directory.
    <!--
        <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
        -->
  2. Delete the <!-- and --> comment markers, add the keystoreFile and keystorePass attributes to the Connector element, and set their values as described in Parameter description 1 in the References section.
  3. Locate the following contents in the server.xml file of the Tomcat installation directory.
    <Host name="localhost"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
  4. Set the name attribute of the Host element to the domain name bound to the certificate. This example uses www.domain.com. The defaultHost attribute of the enclosing Engine element must refer to the name of a configured Host, so update it as well if it still refers to localhost.
    <Host name="www.domain.com"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
  5. Save the server.xml configuration file.
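The page shows the commented-out Tomcat 7 connector but not the finished result. The following completed connector is an added example, not text from the original article or from Alibaba Cloud. It assumes that server.jks and keystorePass.txt are in the cert directory under the Tomcat installation directory and uses the sample password Tomcat-2021 pass, which you replace with the value from your keystorePass.txt. The sslEnabledProtocols attribute goes beyond the page's steps: sslProtocol="TLS" on its own lets the JVM negotiate older TLS versions, and this restricts the connector to TLS 1.2.

```xml
<!-- Added example, not from the original article: a completed Tomcat 7 HTTPS
     connector. Assumes <Tomcat>/cert/server.jks protected by the sample
     password "Tomcat-2021 pass"; replace it with the value in keystorePass.txt. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2"
           keystoreFile="cert/server.jks"
           keystorePass="Tomcat-2021 pass" />
```

Because keystorePass is stored in plaintext, make server.xml readable only by the account that runs Tomcat (owner read/write, no group or world access); it then protects the keystore password no worse than keystorePass.txt does.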

Tomcat 8.5/9

  1. Locate the following contents in the server.xml file in the conf directory of the Tomcat installation directory.
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
    -->
  2. Delete the <!-- and --> comment markers, set the value of certificateKeystoreFile as described in Parameter description 2 in the References section, and add the certificateKeystorePassword attribute. The result looks like this:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="xxxx"
                         certificateKeystorePassword="xxxx"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
  3. Locate the following contents in the server.xml file of the Tomcat installation directory.
    <Host name="localhost"  appBase="webapps"
          unpackWARs="true" autoDeploy="true">
  4. Set the name attribute of the Host element to the domain name bound to the certificate. This example uses www.domain.com. The defaultHost attribute of the enclosing Engine element must refer to the name of a configured Host, so update it as well if it still refers to localhost.
    <Host name="www.domain.com"  appBase="webapps"
        unpackWARs="true" autoDeploy="true">
  5. Save the server.xml configuration file.
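As an added example that is not part of the original article, here is the Tomcat 8.5/9 connector with the placeholders filled in, followed by an alternative that loads server.pfx directly; use one of the two, not both. Assumptions: the cert directory under the Tomcat installation directory as above, and the sample password Tomcat-2021 pass in place of the value from keystorePass.txt. The protocols attribute is an addition beyond the page's steps (Tomcat's default also allows TLS 1.0 and 1.1), and TLSv1.3 needs a JVM that supports it, such as JDK 11 or JDK 8u261 and later. Tomcat 8.5 and later read PKCS12 keystores natively, so on these versions the keytool conversion to JKS is optional; recent JDKs also warn that JKS is a proprietary format and recommend PKCS12.

```xml
<!-- Added example, not from the original article: a completed Tomcat 8.5/9
     HTTPS connector using the JKS keystore from the article's steps. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <!-- Restrict to TLS 1.2 and 1.3; the default "all" also enables 1.0 and 1.1. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="cert/server.jks"
                     certificateKeystorePassword="Tomcat-2021 pass"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<!-- Alternative (use instead of the connector above, not in addition to it):
     load server.pfx directly and skip the keytool conversion. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
        <Certificate certificateKeystoreFile="cert/server.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="Tomcat-2021 pass"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

As with Tomcat 7, the keystore password now sits in server.xml in plaintext, so limit read access on that file to the Tomcat service account.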

Restart the Tomcat service

  1. Change to the bin directory of the Tomcat installation directory.
  2. Run the following command to stop the Tomcat service:
    ./shutdown.sh
  3. Wait about 10 seconds and run the following command to start the Tomcat service:
    ./startup.sh
    Note: if Tomcat runs as a service that is restarted automatically after shutdown, you do not need to start it manually.

Verify the result

In a browser, open your site over HTTPS, for example https://www.domain.com:8443/ (omit the port if you configured 443). Confirm that the lock icon is displayed in the address bar, as shown in the following figure; this indicates that the certificate is installed. Also open the certificate details in the browser and check that the subject matches your domain name and that the validity period is the one you expect.
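The lock icon only proves that the browser could build a trust chain, and browsers fetch or cache missing intermediate certificates, so it does not prove that Tomcat is sending the intermediate CA certificate from server.pem; other clients (mobile apps, curl, Java) fail against a server that sends only the leaf. The following script is an added example, not part of the original article, that checks the served chain directly with openssl s_client. It assumes the host www.domain.com on port 8443 and that the issuing CA is in the local trust store used by openssl.

```shell
#!/bin/sh
# Added example; it is not part of the original article. Checks the certificate
# chain Tomcat actually sends, which the browser lock icon does not prove.
# Assumed host and port: www.domain.com and 8443 (use 443 if you changed the port).
set -eu

# Reduce `openssl s_client` output on stdin to "<certificates sent> <verify code>".
summarise_s_client() {
    awk '
        /^Certificate chain/         { in_chain = 1; next }
        in_chain && /^ *[0-9]+ s:/   { sent++ }
        /^---$/                      { in_chain = 0 }
        /Verify return code:/        { code = $4 }
        END                          { printf "%d %s\n", sent, code }
    '
}

# Connect with SNI (-servername) so that a name-based virtual host presents the
# right certificate, then require a complete chain (server certificate plus the
# intermediate CA, as in server.pem) and a clean verification (return code 0).
check_tls_endpoint() {
    host=$1; port=${2:-8443}
    summary=$(openssl s_client -connect "$host:$port" -servername "$host" \
                  </dev/null 2>/dev/null | summarise_s_client)
    sent=${summary%% *}; code=${summary#* }
    [ "$sent" -ge 2 ] && [ "$code" = "0" ]
}

# Constructed s_client transcript (not captured from a real server) that shows
# the shape of the output the functions above parse.
sample_s_client_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.domain.com
   i:C = CN, O = Example CA, CN = Example Intermediate CA
 1 s:C = CN, O = Example CA, CN = Example Intermediate CA
   i:C = CN, O = Example CA, CN = Example Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIBconstructed
-----END CERTIFICATE-----
subject=CN = www.domain.com
---
SSL handshake has read 2345 bytes and written 456 bytes
Verify return code: 0 (ok)
---
EOF
}

# Usage: sh check_tls.sh www.domain.com 8443
if [ $# -ge 1 ]; then
    if check_tls_endpoint "$1" "${2:-8443}"; then
        echo "OK: $1 serves a complete chain that verifies"
    else
        echo "FAIL: incomplete chain or verification error for $1; inspect with:" >&2
        echo "  openssl s_client -connect $1:${2:-8443} -servername $1 </dev/null" >&2
        exit 1
    fi
fi
```

A result with only one certificate sent means the intermediate CA block was lost from server.pem before the PFX conversion; a non-zero verify code with two certificates usually means the issuing CA is not in the client's trust store or the certificate does not match the requested name. You can also confirm what is in the deployed keystore with keytool -list -v -keystore cert/server.jks before restarting Tomcat.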

References

Parameter description 1

Attributes of the Tomcat 7 Connector element:

port

The port that the HTTPS connector listens on. We recommend that you set the value to 443, the standard HTTPS port, so that clients do not need to specify a port. On Linux, binding to a port below 1024 requires privileges; grant them with a capability or place a reverse proxy in front of Tomcat rather than running Tomcat as root.

protocol

The HTTP protocol implementation. Keep the default value.

keystoreFile

The path of the server.jks file, either absolute or relative to the Tomcat installation directory ($CATALINA_BASE). Example: cert/server.jks

keystorePass

The password of server.jks, that is, the password saved in the keystorePass.txt file.

clientAuth

Specifies whether Tomcat requires every SSL client to present a client certificate. Keep the default value (false) unless you need mutual TLS authentication.

Parameter description 2

Attributes of the Tomcat 8.5/9 Connector and Certificate elements:

port

The port that the HTTPS connector listens on. We recommend that you set the value to 443, the standard HTTPS port. The same note about privileged ports on Linux applies.

protocol

The HTTP protocol implementation. Keep the default value.

certificateKeystoreFile

The path of the server.jks file, either absolute or relative to the Tomcat installation directory ($CATALINA_BASE). Example: cert/server.jks

certificateKeystorePassword

The password of server.jks, that is, the password saved in the keystorePass.txt file.

Application scope

  • SSL Certificates Service