You can download and install an issued certificate on a Tomcat server. Tomcat servers support two types of certificates: PFX certificates and JKS certificates. You can download a PFX certificate or a JKS certificate based on your Tomcat version. This topic describes how to download and install a PFX certificate on a Tomcat server.

Prerequisites

  • You are logged on to your Tomcat server.
  • Port 443 is enabled for your Tomcat server. Port 443 is the default port for HTTPS services.
  • The OpenSSL tool is installed. You can visit the OpenSSL official website to download and install the OpenSSL tool.
  • The certificate that you want to install on your Tomcat server is downloaded to your computer. For more information about how to download a certificate, see Download a certificate to your computer.
    Notice
    • If you do not set CSR Generation to Automatic when you apply for a certificate, the certificate package that you download does not include the TXT password file. In this case, you must download a CRT certificate for servers of the Other type and then use the OpenSSL tool to convert the certificate to the PFX format.
    • If you have certificates that are not in the PFX format, you can use the OpenSSL tool to convert your certificates to the PFX format.

Background information

This topic provides an example on how to install a PFX certificate on a Tomcat 7 server that runs a Linux operating system.

Procedure

  1. Decompress the downloaded certificate package.
    The following files are obtained:
    • Certificate file: domain name.pfx.
      Note In this example, the certificate name is domain name.
    • Password file: pfx-password.txt.
    Certificate file
    Note A new password is generated each time you download a certificate. The password is valid only for the downloaded certificate. If you want to update a certificate, you must also update the password.
  2. Create the cert directory in the installation directory of Tomcat and copy the certificate file and password file that you obtained to the cert directory.
    Note The installation directory varies based on the environment of your server. You can run the sudo find / -name *tomcat* command to query the installation directory.
  3. Modify and save the configuration file server.xml. The configuration file is stored in Tomcat installation directory/conf/server.xml.
    You can use one of the following methods to specify SSL implementation:
    Notice If you use Method 1 and modify the configuration of an SSL connector, the Tomcat server automatically selects SSL implementation. If you use Method 1 but cannot complete the subsequent configuration, the environment of your server may not support automatic selection of SSL implementation. In this case, you can use Method 2 to manually specify SSL implementation based on your environment.
    • Method 1: The Tomcat server automatically selects SSL implementation.

      Modify the attributes of an SSL connector based on the following code:

      <Connector port="443"   # Change the port based on your business requirements. Port 443 is the default port for HTTPS services. If you use a different port, you must access your website by using https://domain name:port. 
          protocol="HTTP/1.1"
          SSLEnabled="true"
          scheme="https"
          secure="true"
          keystoreFile="Tomcat installation directory/cert/domain name.pfx" # Add the absolute path of the certificate before the certificate name. Replace domain name with the name of your certificate file. 
          keystoreType="PKCS12"
          keystorePass="Certificate password"  # Enter the content in the pfx-password.txt file. 
          clientAuth="false"
          SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
          ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
    • Method 2: Manually specify SSL implementation.
      Remove the comments of the following code in the server.xml file and specify JSSE-based SSL implementation:
      <Connector
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 port="443" maxThreads="200"
                 scheme="https" secure="true" SSLEnabled="true"
                 keystoreFile="Tomcat installation directory/cert/domain name.pfx" keystorePass="Certificate password"
                 clientAuth="false" sslProtocol="TLS"/>
  4. Optional:Configure the web.xml file to redirect HTTP requests to HTTPS requests.
    Append the following content to the </welcome-file-list> file:
    <login-config>  
        <!-- Authorization setting for SSL -->  
        <auth-method>CLIENT-CERT</auth-method>  
        <realm-name>Client Cert Users-only Area</realm-name>  
    </login-config>  
    <security-constraint>  
        <!-- Authorization setting for SSL -->  
        <web-resource-collection >  
            <web-resource-name>Project name</web-resource-name> # Replace Project name with the name of your project. 
            <url-pattern>/*</url-pattern>  
        </web-resource-collection>  
        <user-data-constraint>  
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>  
        </user-data-constraint>  
    </security-constraint>
  5. Restart your Tomcat server.
    1. Run the following command to stop your Tomcat server:
      ./shutdown.sh
    2. Run the following command to start your Tomcat server:
      ./startup.sh

What to do next

After you complete the preceding operations, you can access the domain name that is bound to the certificate to check whether the certificate is installed.
https://domain name   # Replace domain name with the domain name that is bound to the certificate. 
  • If a lock icon appears in the address bar, the certificate is installed.
  • If your website cannot be accessed over HTTPS, check whether port 443 is enabled for the server on which the certificate is installed.