This topic describes how to install an SSL certificate on a Tomcat 8.5 or Tomcat 9.0 server that runs CentOS.

Prerequisites

  • A Tomcat server certificate is downloaded from the SSL Certificates Service console. The certificate package includes a certificate file in the PFX format and a password file in the TXT format. For more information about how to download a certificate, see Download a certificate to your computer.
  • A DNS record is added for the domain name that is bound to your SSL certificate when you apply for this certificate. The domain name is resolved to the IP address of your Tomcat server.

    After the DNS record is added, you can run the ping <yourdomainName> command to check whether the DNS resolution is successful. If the IP address of your Tomcat server is returned, the resolution is successful. Ping is used here only to see which address the name resolves to: if the server drops ICMP echo requests, the replies time out, but the resolved address is still printed in the first line of the output.


Environment preparation

  • Operating system: 64-bit CentOS 7.6
  • Web server: Tomcat 8.5 or Tomcat 9.0
Note Make sure that the Java Development Kit (JDK) is installed and environment variables are configured on the Tomcat server. You can view the recommended JDK-compatible configurations on the Tomcat official website.

Procedure

  1. Decompress the certificate package that you download.
    Note A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate. You must update the password when you update the certificate file.
  2. Copy the extracted certificate and password files to the conf directory of your Tomcat server, or to another directory that only the user running Tomcat can read. The path you choose is referenced in the next step.
    Note Tomcat 8.5 and 9.0 read the PFX (PKCS12) file directly, so no conversion is required. If you want to use a JKS keystore instead, run the following command to convert the certificate from PFX to JKS, replacing <domain name> with the file name of your certificate. keytool prompts for a password for the new JKS file and then for the PFX password from the password file:
    keytool -importkeystore -srckeystore <domain name>.pfx -destkeystore <domain name>.jks -srcstoretype PKCS12 -deststoretype JKS
  3. Open the Tomcat/conf/server.xml file, and find and modify the following parameters:
    <Connector port="8080" protocol="HTTP/1.1"
                   connectionTimeout="20000"
                   redirectPort="8443" />
    
     # Find the preceding connector (it is not commented out in the stock server.xml) and change its ports as follows:
     <Connector port="80" protocol="HTTP/1.1"
                    connectionTimeout="20000"
                    redirectPort="443" />
     Set port to 80, the default HTTP port, so that the site answers at http://<YourDomainName> without a port number. Set redirectPort to 443, the default HTTPS port: a request that arrives on this connector for a resource that requires TLS (see the web.xml security constraint in step 5) is redirected to that port. On its own, redirectPort does not redirect plain HTTP traffic; it only names the port used for such redirects.
    
    
        <Connector port="8443"
              protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150"
              SSLEnabled="true">
            <SSLHostConfig>
                <Certificate certificateKeystoreFile="cert/keystore.pfx"
                             certificateKeystorePassword="XXXXXXX"
                             certificateKeystoreType="PKCS12" />
            </SSLHostConfig>
        </Connector>
    
        # Find the preceding parameters, remove the <!-- and --> comment symbols that surround them, and then modify the parameters as follows:
        <Connector port="443"
              protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150"
              SSLEnabled="true">
            <SSLHostConfig>
                <Certificate certificateKeystoreFile="/usr/local/tomcat/cert/Certificate domain name.pfx"
                             certificateKeystorePassword="Certificate password"
                             certificateKeystoreType="PKCS12" />
            </SSLHostConfig>
        </Connector>
        • port: change 8443 to 443, the default HTTPS port. A browser that is given only a domain name connects to port 443; with 8443 you would have to type https://<YourDomainName>:8443.
        • protocol: selects the connector implementation. Tomcat 8.5 and 9.0 ship NIO, NIO2 and APR/native connectors. This example uses the NIO connector, org.apache.coyote.http11.Http11NioProtocol, which works with the JDK alone and needs no native library.
        • certificateKeystoreFile: the path of the certificate file. Replace Certificate domain name.pfx with the path and name of the file that you copied in step 2; a relative path is resolved against the Tomcat base directory. Example: certificateKeystoreFile="/usr/local/tomcat/cert/abc.com.pfx".
        • certificateKeystorePassword: the password from the pfx-password.txt file. Example: certificateKeystorePassword="bMNML1Df". Because the password is stored in clear text, restrict server.xml and the PFX file to the user that runs Tomcat (for example, mode 600).
        • certificateKeystoreType: set to PKCS12 for a PFX file. If you converted the file to JKS in step 2, set it to JKS and point certificateKeystoreFile at the .jks file instead.
                        
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    
    # This connector is only needed when a front-end web server (for example, Apache httpd with mod_jk or mod_proxy_ajp) forwards requests to Tomcat over AJP. If you do not use one, leave it commented out; since Tomcat 8.5.51 and 9.0.31 it is commented out by default, binds to the loopback address and requires a shared secret. If you do use it, remove the <!-- and --> comment symbols and change redirectPort in the same way:
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
  4. Save the server.xml file.
  5. Optional: To redirect all HTTP requests to HTTPS, add the following <security-constraint> element inside the <web-app> element of the web.xml file, before the closing </web-app> tag. Tomcat/conf/web.xml applies to every web application on the server; an application's WEB-INF/web.xml applies to that application only. Tomcat sends the redirect to the redirectPort of the connector that received the request, which is why step 3 sets it to 443:
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
  6. Run the ./shutdown.sh and ./startup.sh scripts in the Tomcat/bin directory to restart your Tomcat service. Two things can still keep the new ports from coming up: on Linux only root may bind ports below 1024, so a Tomcat that runs as an unprivileged user (recommended) needs the CAP_NET_BIND_SERVICE capability on the java binary or a firewall rule that forwards ports 80 and 443 to higher ports; and the firewalld configuration on CentOS 7 must allow the http and https services. If Tomcat starts but HTTPS does not answer, check Tomcat/logs/catalina.out for a keystore or password error reported by the connector.
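Before restarting, the edited files can be checked offline. The following script is an added example and is not part of the original page or of Tomcat: it parses server.xml and web.xml with the Python standard library and flags the mistakes that most often leave Tomcat serving HTTP only after these steps (HTTPS connector still inside the comment, redirectPort pointing at a port no SSL connector uses, a .pfx declared with the wrong keystore type, a placeholder password, a missing or world-readable keystore file). The embedded server.xml and web.xml snippets are constructed samples that mirror the stock layout and the layout the steps above produce; the path and password in them are the page's own example values.

```python
"""Offline check of the Tomcat TLS edits from this page (added example, not
part of the original page or of Tomcat). Parses server.xml / web.xml with the
standard library and reports what most often leaves Tomcat serving HTTP only."""
import os
import stat
import xml.etree.ElementTree as ET
from typing import List, Optional, Set

HTTPS_PORT = "443"
PLACEHOLDER_PASSWORDS = {"", "XXXXXXX", "Certificate password"}


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}name -> name); web.xml is namespaced."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(server_xml: str, catalina_base: Optional[str] = None) -> List[str]:
    """Return the problems found in server.xml; an empty list means clean.

    The parser drops XML comments, so a connector still wrapped in <!-- -->
    never shows up, which is exactly the mistake. Tomcat resolves a relative
    certificateKeystoreFile against $CATALINA_BASE; pass catalina_base to also
    check that the file exists and is private to the Tomcat user.
    """
    findings: List[str] = []
    ssl_ports: Set[str] = set()
    plain_connectors = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            plain_connectors.append(conn)
            continue
        ssl_ports.add(port)
        if port != HTTPS_PORT:
            findings.append(f"SSL connector on port {port}: https://<domain> without a port only reaches {HTTPS_PORT}")
        certs = conn.findall("./SSLHostConfig/Certificate")
        if not certs:
            findings.append(f"SSL connector on port {port} has no <Certificate> under <SSLHostConfig>")
        for cert in certs:
            ks = cert.get("certificateKeystoreFile", "")
            ks_type = cert.get("certificateKeystoreType", "JKS")  # Tomcat's default when omitted
            if ks.lower().endswith(".pfx") and ks_type.upper() != "PKCS12":
                findings.append(f'{ks}: a .pfx keystore needs certificateKeystoreType="PKCS12", got {ks_type}')
            if cert.get("certificateKeystorePassword", "") in PLACEHOLDER_PASSWORDS:
                findings.append(f"{ks}: certificateKeystorePassword is missing or still a placeholder")
            if catalina_base is not None:
                path = ks if os.path.isabs(ks) else os.path.join(catalina_base, ks)
                if not os.path.isfile(path):
                    findings.append(f"{path}: keystore file not found")
                elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                    findings.append(f"{path}: keystore readable by group/others, chmod 600 it")
    if not ssl_ports:
        findings.append('no Connector has SSLEnabled="true" (is the HTTPS connector still inside <!-- -->?)')
    for conn in plain_connectors:  # HTTP and AJP connectors must redirect to a real SSL port
        target = conn.get("redirectPort")
        if target not in ssl_ports:
            findings.append(f"{conn.get('protocol', 'HTTP/1.1')} connector on port {conn.get('port')}: "
                            f"redirectPort={target} is not a port an SSL connector listens on")
    return findings


def web_xml_forces_https(web_xml: str) -> bool:
    """True if web.xml holds a security-constraint covering /* with CONFIDENTIAL."""
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"}
        guarantees = {(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee"}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


# Constructed samples, not real files: the stock layout (HTTPS connector still
# commented out) and the layout this page produces.
STOCK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
  <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
       maxThreads="150" SSLEnabled="true"><SSLHostConfig><Certificate
       certificateKeystoreFile="cert/keystore.pfx" certificateKeystorePassword="XXXXXXX"
       certificateKeystoreType="PKCS12" /></SSLHostConfig></Connector> -->
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
</Service></Server>"""
FIXED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
       maxThreads="150" SSLEnabled="true"><SSLHostConfig><Certificate
       certificateKeystoreFile="/usr/local/tomcat/cert/abc.com.pfx"
       certificateKeystorePassword="bMNML1Df" certificateKeystoreType="PKCS12" /></SSLHostConfig></Connector>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
</Service></Server>"""
FIXED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1"><security-constraint>
  <web-resource-collection><web-resource-name>SSL</web-resource-name><url-pattern>/*</url-pattern>
  </web-resource-collection><user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint></security-constraint></web-app>"""

if __name__ == "__main__":
    for problem in audit_server_xml(STOCK_SERVER_XML):
        print("stock server.xml:", problem)
    print("fixed server.xml:", audit_server_xml(FIXED_SERVER_XML) or "clean")
    print("web.xml forces HTTPS:", web_xml_forces_https(FIXED_WEB_XML))
```

To run it against a real installation, read Tomcat/conf/server.xml into audit_server_xml and pass the Tomcat base directory as catalina_base so that the keystore path and its file mode are checked too; pass Tomcat/conf/web.xml (or the application's WEB-INF/web.xml) to web_xml_forces_https. The stock sample reports three problems, all caused by the HTTPS connector still being inside the comment; the fixed sample reports none.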

What to do next

After your Tomcat service is restarted, enter the domain name that is bound to the certificate in the https://<YourDomainName> format in your browser to check whether the certificate is installed. If a lock icon appears in the address bar of your browser, the certificate is installed. Also confirm that http://<YourDomainName> is redirected to HTTPS if you added the security constraint in step 5, and check the certificate from the command line with openssl s_client, passing -servername <YourDomainName> and -connect <YourDomainName>:443, so that you see the full chain the server sends and any verification error; a browser that has already cached the intermediate certificate can show a lock even when the server does not send the complete chain.