Alibaba Cloud Certificate Management Service allows you to download and install a certificate on a Tomcat server. Tomcat servers support two types of certificates: PFX certificates and JKS certificates. You can download a PFX certificate or a JKS certificate based on the version of your Tomcat server. This topic describes how to download and install a JKS certificate on a Tomcat server.

Background information

If you have certificates that are not in the JKS format, you can use the OpenSSL tool to convert your certificates to the JKS format. For more information about how to convert formats of certificates, see How do I convert the format of a certificate?

Prerequisites

  • You are logged on to your Tomcat server. Your Tomcat server meets the following requirements:
    • Port 443 is enabled. Port 443 is the default port for HTTPS services.
    • The OpenSSL tool is installed. If the OpenSSL tool is not installed, you can visit the OpenSSL official website to download and install the OpenSSL tool.
  • A JKS certificate is downloaded from the Certificate Management Service console. For more information, see Download a certificate to your computer.

Procedure

This topic provides an example on how to install a JKS certificate on a Tomcat 7 server that runs a Linux operating system.

  1. Decompress the downloaded certificate package.
    The following files are obtained:
    • Certificate file: domain_name.jks.
      Note In this example, the certificate name is domain_name.
    • Password file: jks-password.txt.
    Note
    • If you do not set CSR Generation to Automatic when you apply for a certificate, the certificate package that you download does not include the TXT password file. In this case, you must download a CRT certificate for servers of the Other type and then use the OpenSSL tool to convert the certificate files to the JKS format.
    • A new password file is generated each time you download a certificate. The password file is valid only for the downloaded certificate. If you want to update a certificate, you must also update the password.
  2. Create the cert directory in the installation directory of Tomcat and copy the JKS certificate file and password file to the cert directory.
  3. Perform the following steps to modify the configuration file server.xml.
    1. Access Tomcat installation directory/conf/server.xml and open the server.xml file.
    2. Uncomment the following Connector element in the server.xml file. It is commented out by default.
      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
          maxThreads="150" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS" />
    3. Modify the server.xml file based on the following descriptions. XML does not allow comments inside a start tag, so the explanations are listed after the element:
      <Connector port="443"
          protocol="HTTP/1.1"
          SSLEnabled="true"
          scheme="https"
          secure="true"
          keystoreFile="Tomcat installation directory/cert/domain_name.jks"
          keystorePass="Certificate password"
          clientAuth="false"
          SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
          ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
      • port: Change the port based on your business requirements. Port 443 is the default port for HTTPS services. If you use a different port, you must access your website by using https://yourdomain:port.
      • keystoreFile: Add the absolute path of the certificate before the certificate name. Replace domain_name with the name of your certificate file.
      • keystorePass: Enter the content of the jks-password.txt file.
    4. Save the server.xml file.
  4. Optional: Configure the web.xml file to redirect HTTP requests to HTTPS requests.
    Append the following content after the </welcome-file-list> element in the web.xml file:
    <login-config>
        <!-- Authorization setting for SSL -->
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Client Cert Users-only Area</realm-name>
    </login-config>
    <security-constraint>
        <!-- Authorization setting for SSL -->
        <web-resource-collection>
            <!-- Replace Project name with the name of your project. -->
            <web-resource-name>Project name</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
  5. Restart your Tomcat server.
    1. Run the following command to stop your Tomcat server:
      ./shutdown.sh
    2. Run the following command to start your Tomcat server:
      ./startup.sh
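An added sanity check (not part of this topic or of Alibaba Cloud's tooling) that parses server.xml before the restart in step 5 and reports the mistakes this procedure invites: a keystorePass that does not match jks-password.txt, a keystoreFile that is not an absolute path to an existing file, a port other than 443, and TLS_RSA_* cipher suites, which lack forward secrecy. The sample server.xml, directory layout, file names and password are constructed; the keystore file is a stand-in, not a real JKS keystore.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the topic's edited Connector, minus the inline '#' comments.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="{cert_dir}/domain_name.jks" keystorePass="{password}"
             clientAuth="false" SSLProtocol="TLSv1.2+TLSv1.3"
             ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
</Service></Server>
"""

def write_sample(tmp_dir=None, password="constructed-pass"):
    """Write a constructed cert dir, keystore stand-in, jks-password.txt and server.xml."""
    tmp_dir = tmp_dir or tempfile.mkdtemp()
    cert_dir = os.path.join(tmp_dir, "cert")
    os.makedirs(cert_dir, exist_ok=True)
    with open(os.path.join(cert_dir, "domain_name.jks"), "wb") as f:
        f.write(b"\xfe\xed\xfe\xed")  # JKS magic bytes only; a stand-in, not a usable keystore
    pw_path = os.path.join(cert_dir, "jks-password.txt")
    with open(pw_path, "w", encoding="utf-8") as f:
        f.write(password + "\n")
    xml_path = os.path.join(tmp_dir, "server.xml")
    with open(xml_path, "w", encoding="utf-8") as f:
        f.write(SAMPLE_SERVER_XML.format(cert_dir=cert_dir, password=password))
    return xml_path, pw_path

def check_https_connector(server_xml_path, password_file):
    """Return findings for the SSLEnabled Connector; an empty list means all checks passed."""
    findings = []
    conn = next((c for c in ET.parse(server_xml_path).getroot().iter("Connector")
                 if c.get("SSLEnabled", "false").lower() == "true"), None)
    if conn is None:
        return ['no Connector with SSLEnabled="true" found']
    if conn.get("port") != "443":
        findings.append(f"HTTPS Connector listens on port {conn.get('port')}, not 443")
    keystore = conn.get("keystoreFile", "")
    if not (os.path.isabs(keystore) and os.path.isfile(keystore)):
        findings.append(f"keystoreFile {keystore!r} is not an absolute path to an existing file")
    with open(password_file, encoding="utf-8") as f:  # jks-password.txt from the package
        expected = f.read().strip()
    if conn.get("keystorePass") != expected:
        findings.append("keystorePass does not match the content of jks-password.txt")
    # TLS_RSA_* suites use static RSA key exchange and provide no forward secrecy.
    weak = [c for c in conn.get("ciphers", "").split(",") if c.startswith("TLS_RSA_")]
    if weak:
        findings.append("cipher suites without forward secrecy: " + ",".join(weak))
    return findings
```

Run check_https_connector against the real Tomcat installation directory/conf/server.xml and cert/jks-password.txt; an empty result means the Connector is consistent with the downloaded package.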

What to do next

After you complete the preceding operations, you can access the domain name that is bound to the certificate to check whether the certificate is installed.
https://domain name   (Replace domain name with the domain name that is bound to the certificate.)
  • If a lock icon appears in the address bar, the certificate is installed.
  • If your website cannot be accessed over HTTPS, check whether port 443 is enabled for the server on which the certificate is installed.