Alibaba Cloud SSL Certificates Service allows you to download and install a certificate on a Tomcat server. Tomcat supports both .pfx and .jks certificates. You can install a .pfx or .jks certificate based on your Tomcat version. This topic describes how to install a .pfx certificate on your Tomcat server.

Prerequisites

  • Port 443, the default port for the HTTPS service, has been enabled on your Tomcat server.
  • The OpenSSL tool has been installed.
  • The certificate files required by the Tomcat server have been downloaded. For more information about how to download the certificate, see Download certificates.
    Note
    • If you do not select Automatic for CSR Generation when applying for the certificate, the downloaded certificate package will not include the .txt file. You must download the .crt certificate whose Server Type is Other, and then run the OpenSSL command to convert the certificate to .pfx format.
    • If you have other certificates, you can run the OpenSSL command to convert your certificate files to the corresponding format and install them on your Tomcat server.
  • You have logged on to your Tomcat server.
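As an added example, not part of the original page, the following shell script performs the OpenSSL conversion that the note above refers to: it builds a .pfx from a PEM certificate and its private key, stores the keystore password in a pfx-password.txt-style file, and names the key entry tomcat so the Tomcat 9 alias requirement from the Background information is met without a separate keytool step. The domain name, file names and the self-signed pair generated as input are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Alibaba Cloud page: convert a PEM certificate
# plus private key into the .pfx (PKCS#12) file Tomcat's PKCS12 keystore
# type expects. Requires the openssl CLI. Names below are placeholders.
set -eu

WORK=$(mktemp -d)
DOMAIN="example.com"                  # placeholder for "domain name"
CERT="$WORK/$DOMAIN.pem"              # stands in for the downloaded .crt/.pem
KEY="$WORK/$DOMAIN.key"               # stands in for the downloaded .key
PFX="$WORK/$DOMAIN.pfx"               # result referenced by keystoreFile
PASSFILE="$WORK/pfx-password.txt"     # same role as the package's .txt file

# Constructed input: a throwaway self-signed pair so the script runs offline.
# In real use these are the files from the "Other" server-type download.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$DOMAIN" \
  -keyout "$KEY" -out "$CERT" 2>/dev/null

# A fresh random keystore password, stored like pfx-password.txt. The same
# value later goes into keystorePass, so keep the file readable by root only.
openssl rand -hex 16 > "$PASSFILE"
chmod 600 "$PASSFILE"

# crt_to_pfx CERT KEY PFX PASSFILE: export PKCS#12 with the key entry named
# "tomcat", the alias Tomcat 9 requires. Add -certfile chain.pem if the CA
# delivered an intermediate chain as a separate file.
crt_to_pfx() {
  openssl pkcs12 -export -name tomcat \
    -in "$1" -inkey "$2" -out "$3" -passout "file:$4"
}

# pfx_alias PFX PASSFILE: print the alias (friendlyName) of the certificate
# entry, so the Tomcat 9 alias requirement can be checked before deployment.
pfx_alias() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
    | sed -n 's/^[[:space:]]*friendlyName: //p' | head -n 1
}

# pfx_ok PFX PASSFILE: succeed only if the .pfx opens with the stored
# password, which is the check Tomcat effectively performs at startup.
pfx_ok() {
  openssl pkcs12 -in "$1" -passin "file:$2" -noout 2>/dev/null
}

crt_to_pfx "$CERT" "$KEY" "$PFX" "$PASSFILE"
echo "wrote $PFX (alias: $(pfx_alias "$PFX" "$PASSFILE"))"
```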

Background information

  • This topic uses Tomcat 7 as an example.
  • Tomcat 9 requires that the certificate alias be set to tomcat. Run the following keytool command to change the alias of the key entry in the .pfx file to tomcat (replace alias with the current alias, which keytool -list -keystore domain name.pfx shows):
    keytool -changealias -keystore domain name.pfx -alias alias -destalias tomcat
    Tomcat 9 also requires that protocol="HTTP/1.1" in the <Connector> tag of server.xml be changed to protocol="org.apache.coyote.http11.Http11NioProtocol".
  • In this example, the certificate name is domain name, the certificate file name is domain name.pfx, and the certificate password file is pfx-password.txt.

Procedure

  1. Decompress the downloaded certificate package.
    The following two files are extracted, which you can rename:
    • Certificate file (domain name.pfx): suffixed with .pfx or of .pfx file format.
    • Password file (pfx-password.txt): suffixed with .txt or of .txt file format.
    Note A new password is generated each time you download the certificate. The password is valid only for the downloaded certificate. If you want to update the certificate, you must also update the password.
  2. Create the cert directory in the Tomcat installation directory, and copy the decompressed certificate and password files to the cert directory.
  3. Modify the server.xml configuration file and save it.
    The file path is Tomcat installation directory/conf/server.xml.
    1. Remove the following <Connector port="8443"> content (it is commented out in the default server.xml):
      <!--
        <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="false" sslProtocol="TLS" />
      -->
    2. Modify the <Connector port="443"> tag as follows:
      <Connector port="443"
          protocol="HTTP/1.1"
          SSLEnabled="true"
          scheme="https"
          secure="true"
          keystoreFile="Tomcat installation directory/cert/domain name.pfx"
          keystoreType="PKCS12"
          keystorePass="certificate password"
          clientAuth="false"
          SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
          ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
      Note
      • Modify port as needed. Port 443 is the default port for HTTPS. If you use a different port number, you need to access your website by using https://yourdomain:port.
      • keystoreFile indicates the path of the certificate file. Use the absolute path of the cert directory and replace domain name with the name of your certificate file. XML attributes cannot carry inline comments, so do not add a # comment to this line in server.xml.
      • keystorePass indicates the certificate password. Replace it with the content in the pfx-password.txt file.
      • TLSv1 and TLSv1.1 are deprecated (RFC 8996). If all of your clients support TLSv1.2, set SSLProtocol="TLSv1.2".
  4. Optional: Configure the web.xml file to force redirection from HTTP to HTTPS.
    Add the following content after the closing </welcome-file-list> tag in web.xml:
    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    Note The redirect is triggered by the CONFIDENTIAL transport guarantee: a request that arrives over HTTP is redirected to the port given by the redirectPort attribute of the HTTP <Connector> in server.xml, so that attribute must match the HTTPS port configured in step 3.
  5. Restart Tomcat.
    1. In the Tomcat installation directory/bin directory, run the following command to stop Tomcat:
      ./shutdown.sh
    2. Run the following command to start Tomcat:
      ./startup.sh

What to do next

After you complete the preceding operations, you can verify that the certificate is installed by accessing the domain name that is bound to the certificate.
https://domain name.com   # Replace domain name with the domain name that is bound to your certificate.

If the green lock icon appears in the address bar, the certificate is installed.

If your website cannot be accessed over HTTPS when you perform the preceding verification, check whether port 443 on the server where you installed the certificate is enabled or blocked by other tools.
