Certificate Management Service:Install JKS certificates

Last Updated:Mar 08, 2024

This topic describes how to install a JKS certificate on a Tomcat server, including downloading and uploading a certificate file, configuring related parameters on the Tomcat server, and verifying the installation result. The parameters are related to the certificate file and password file. After the certificate is installed, you can access the Tomcat server over HTTPS, which ensures the security of data transmission.

Important

This topic provides an example on how to install a JKS certificate on a Tomcat 9.0 server that runs a Linux operating system. The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.

Prerequisites

Step 1: Download the certificate

  1. Log on to the Certificate Management Service console.
  2. In the left-side navigation pane, click SSL Certificates.
  3. On the SSL Certificates page, find the certificate that you want to manage and click Download in the Actions column.
  4. Find JKS in the Server Type column and click Download in the Actions column.

  5. Decompress the downloaded certificate package.

    The following table describes the files that you can extract from the package. The files vary based on the CSR generation method that you use when you submit the certificate application.

    Value of the CSR Generation parameter

    File extracted from the certificate package

    Automatic

    The following files can be extracted:

    • Certificate file in the JKS format: By default, the certificate file is named in the format Certificate ID_Domain name bound to the certificate.

    • Password file in the TXT format: By default, the password file is named in the format Certificate format-password (for a JKS certificate, jks-password.txt).

      Important

      A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.

    Manual

    • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set CSR Generation to Automatic.

    • If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Install the certificate on the Tomcat server

  1. Upload the extracted certificate file and password file to the conf directory of the Tomcat server.

    Note

    The installation directory of Tomcat varies based on the environment of your server. You can run the sudo find / -name tomcat command to query the installation directory.

    You can upload the files by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service instance, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.

  2. Run the following command in the root installation directory of Tomcat to open the server.xml file:

    vim ./conf/server.xml
  3. Configure the server.xml file based on the following configuration example:

    Important

    To prevent errors when you start Tomcat, remove the comments when you copy the code.

    • Configuration items: the original page shows a table of the configuration items here; the ones you must change are explained in the comments of the configuration example below.

    • Configuration example

      <!-- Change the port based on your business requirements. Port 443 is the default port for HTTPS services. If you use a different port, you must access your website by using https://domain_name:port.
      Set keystoreFile to the path to your certificate. A relative path is resolved against the Tomcat root directory (CATALINA_BASE), so conf/domain_name.jks matches the upload location in Step 2.
      Set keystorePass to the password that is contained in the jks-password.txt file.
      Attribute names are case-sensitive. Tomcat ignores a misspelt name (for example, redirectport instead of redirectPort) and only logs a warning at startup.
      TLSv1.1 is deprecated (RFC 8996) and the TLS_RSA_* cipher suites provide no forward secrecy; keep them only if legacy clients require them.
      For more information about other configuration items, visit the Tomcat official website.
      -->
      <Connector port="443"
          protocol="HTTP/1.1"
          connectionTimeout="20000"
          redirectPort="8443"
          maxParameterCount="1000"

          SSLEnabled="true"
          scheme="https"
          secure="true"
          keystoreFile="conf/domain_name.jks"
          keystoreType="JKS"
          keystorePass="Certificate password"
          clientAuth="false"

          SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
          ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
  4. Run the following commands in the bin directory of the Tomcat server to restart the Tomcat service:

    • Stop command

      ./shutdown.sh
    • Start command

      ./startup.sh
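Before you restart Tomcat, a preflight check of server.xml catches the mistakes that most often make a freshly installed certificate fail to take effect: a case-sensitive attribute typo that Tomcat silently ignores, a keystorePass left as the placeholder text, a keystoreFile path that does not resolve, or a deprecated protocol left enabled. The following Python script is an added example, not part of this topic or of Tomcat itself; the sample server.xml and the file names in it are constructed, and it assumes a single-instance layout in which a relative keystoreFile resolves against the Tomcat root directory (CATALINA_BASE).

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample mirroring the configuration example above, defects included.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000"
      redirectport="8443" SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="conf/example.com.jks" keystoreType="JKS"
      keystorePass="Certificate password" clientAuth="false"
      SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"/>
</Service></Server>"""

# Attribute names from the page's example. Tomcat matches them case-sensitively and
# ignores an unknown name with only a startup warning, so a typo silently drops a setting.
KNOWN_ATTRS = {"port", "protocol", "connectionTimeout", "redirectPort", "maxParameterCount",
               "SSLEnabled", "scheme", "secure", "keystoreFile", "keystoreType",
               "keystorePass", "clientAuth", "SSLProtocol", "ciphers"}
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # retired by RFC 6176 / 7568 / 8996

def check_connector(xml_text, tomcat_base=None):
    """Return the problems found in every SSLEnabled Connector of a server.xml document."""
    findings = []
    by_lower = {name.lower(): name for name in KNOWN_ATTRS}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        a = conn.attrib
        for name in a:
            if name not in KNOWN_ATTRS and name.lower() in by_lower:
                findings.append(f"'{name}' will be ignored; spell it '{by_lower[name.lower()]}'")
        if a.get("scheme") != "https" or a.get("secure") != "true":
            findings.append("scheme must be 'https' and secure must be 'true'")
        if a.get("keystorePass", "") in ("", "Certificate password"):
            findings.append("keystorePass is empty or still the placeholder text")
        ks = a.get("keystoreFile")
        if not ks:
            findings.append("keystoreFile is missing")
        elif tomcat_base is not None and not (Path(tomcat_base) / ks).is_file():
            findings.append(f"keystoreFile not found under CATALINA_BASE: {ks}")
        # Protocol tokens are separated by '+' or ','; a leading '-' removes one, and the
        # default alias "all" enables TLSv1 through TLSv1.3, including the retired versions.
        tokens = [t for t in re.split(r"[+,]", a.get("SSLProtocol", "all")) if t]
        enabled = {t for t in tokens if not t.startswith("-")}
        if "all" in enabled:
            enabled |= {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
        removed = {t[1:] for t in tokens if t.startswith("-")}
        for p in sorted(enabled & (DEPRECATED - removed)):
            findings.append(f"protocol {p} is deprecated; remove it from SSLProtocol")
    return findings
```

Run it against the live file with check_connector(Path("/path/to/tomcat/conf/server.xml").read_text(), "/path/to/tomcat") and resolve every finding before ./startup.sh.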

Step 3: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.

References

After I deploy a certificate to a website, the certificate does not take effect or the website is reported as insecure when I access the website. What do I do?