Certificate Management Service:Install an SSL certificate on a Tomcat server (Linux)

Last Updated: Mar 31, 2026

Install a Java KeyStore (JKS) or PFX/PKCS#12 format SSL certificate on a Tomcat server running Linux to enable HTTPS. This guide covers downloading the certificate, configuring Tomcat's server.xml, opening port 443, and verifying the deployment.


Quick start

The installation process has four steps:

  1. Download the certificate package from the Certificate Management Service console and upload the files to your server.

  2. Open port 443 in your security group and firewall.

  3. Edit server.xml to add the SSL connector, then restart Tomcat.

  4. Visit https://yourdomain in a browser and confirm the lock icon appears.

Prerequisites

Before you begin, make sure that you have:

  • An SSL certificate issued by a trusted certificate authority (CA). If the certificate is about to expire or has already expired, renew it first.

  • A certificate that matches all domain names you want to secure. To add or modify domain names, purchase a commercial certificate or append and replace domain names.

    • Exact-match domain name: Applies only to the specified domain. For example, example.com protects only example.com, and www.example.com protects only www.example.com.

    • Wildcard domain name: Applies to first-level subdomains only. For example, *.example.com covers www.example.com and a.example.com, but does not cover the root domain example.com or multi-level subdomains such as a.b.example.com.

    To secure a multi-level subdomain, the Bound Domains field must contain either the exact subdomain (for example, a.b.example.com) or a matching wildcard domain (for example, *.b.example.com).

  • A root account or an account with sudo privileges on the server.

  • A DNS record for the domain that resolves to the server's public IP address.

Step 1: Prepare the certificate files

  1. Go to the SSL Certificates page. In the Actions column of the target certificate, click Download Certificate. On the Download tab, select Tomcat as the Server Type and download the package.

  2. Extract the downloaded package. It contains a certificate file (.pfx or .jks) and a password file (.txt).

    Choose the certificate format that fits your environment:

    • JKS (Java KeyStore): A Java-specific keystore format. Choose JKS if your tools and scripts already support it.

    • PFX/PKCS#12: A universal format supported by Java and other platforms. Choose PFX to integrate across different technology stacks or with non-Java systems.

  3. Upload the certificate file (.pfx or .jks) and the password file (.txt) to the server. Store them in a secure directory, such as /etc/ssl/cert/. Use the file upload feature of a remote login tool such as PuTTY, Xshell, or WinSCP to transfer the files. If you are using an Alibaba Cloud Elastic Compute Service (ECS) instance, see Upload or download files for instructions.

    Important

    After uploading, restrict access to the certificate files. Allow only the Tomcat user to read them:

    sudo chown tomcat:tomcat /etc/ssl/cert/domain_name.*
    sudo chmod 400 /etc/ssl/cert/domain_name.*
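Before editing server.xml, it is worth confirming that the keystore actually opens with the password from the .txt file and that its Subject Alternative Names cover the domain under the matching rules from the Prerequisites. The script below is an added example, not part of the original page; it assumes a JDK is installed (for keytool) and takes the keystore file, its password file and the domain to check as arguments.

```shell
#!/bin/sh
# Pre-flight check of the downloaded certificate package before it goes
# into server.xml. Added example, not part of the original page.
# Assumes a JDK (for keytool) and the files extracted in Step 1.
# Usage: sh precheck.sh /etc/ssl/cert/domain_name.pfx pfx-password.txt www.example.com

# Read the password file, dropping CR/LF and trailing blanks: a copied newline
# is the usual cause of the "Keystore was tampered with, or password was incorrect" error.
read_keystore_password() {
    tr -d '\r\n' < "$1" | sed 's/[[:space:]]*$//'
}

# Map the file extension to the keystoreType / certificateKeystoreType value.
keystore_type_for() {
    case "$1" in
        *.pfx|*.p12) echo PKCS12 ;;
        *.jks)       echo JKS ;;
        *)           return 1 ;;
    esac
}

# The matching rules from the Prerequisites: an exact name covers only
# itself; *.example.com covers one label below example.com, but neither
# the root example.com nor a.b.example.com.
cert_covers_domain() {
    pattern=$1; host=$2
    case "$pattern" in
        \*.*) first=${host%%.*}; rest=${host#*.}
              [ -n "$first" ] && [ "$rest" != "$host" ] && [ "$rest" = "${pattern#\*.}" ] ;;
        *)    [ "$pattern" = "$host" ] ;;
    esac
}

# Open the keystore with keytool and check that one of its SAN DNS entries
# covers $host. Returns 0 on success and prints the matching name.
verify_keystore() {
    file=$1; passfile=$2; host=$3
    type=$(keystore_type_for "$file") || { echo "unknown keystore type: $file" >&2; return 1; }
    pass=$(read_keystore_password "$passfile")
    names=$(keytool -list -v -keystore "$file" -storetype "$type" -storepass "$pass" 2>/dev/null \
            | sed -n 's/^[[:space:]]*DNSName: *//p')
    [ -n "$names" ] || { echo "cannot open $file or it has no DNS SAN (check the password)" >&2; return 1; }
    for name in $names; do
        if cert_covers_domain "$name" "$host"; then echo "$file covers $host via $name"; return 0; fi
    done
    echo "$file does not cover $host; SAN names: $(printf '%s ' $names)" >&2
    return 1
}
if [ $# -eq 3 ]; then verify_keystore "$1" "$2" "$3"; fi
```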

Step 2: Open port 443

Tomcat needs port 443 open at two levels: the cloud security group and the OS firewall.

Open port 443 in the security group

If your server runs on Alibaba Cloud ECS, add an inbound rule to allow TCP port 443:

  1. Go to Elastic Compute Service (ECS) instances and click the target instance name.

  2. In the Security Group Details section, add a security group rule with the following settings and save:

     Field                           Value
     Action                          Allow
     Protocol                        Custom TCP
     Destination (Current Instance)  HTTPS (443)
     Source                          0.0.0.0/0 (anywhere)

    For other cloud platforms, refer to their documentation.

Open port 443 in the OS firewall

First, check whether port 443 is already reachable. Run the following command for your Linux distribution:

RHEL/CentOS

command -v nc > /dev/null 2>&1 || sudo yum install -y nc
# Replace <your_server_public_ip> with your server's public IP address.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

If the output contains Ncat: Connected to <your_server_public_ip>:443, port 443 is open and no further action is needed.

Debian/Ubuntu

command -v nc > /dev/null 2>&1 || sudo apt-get install -y netcat
# Replace <your_server_public_ip> with your server's public IP address.
sudo ss -tlnp | grep -q ':443 ' || sudo nc -l -p 443 & sleep 1; nc -w 3 -vz <your_server_public_ip> 443

If the output contains Connection to <your_server_public_ip> port [tcp/https] succeeded! or [<your_server_public_ip>] 443 (https) open, port 443 is open and no further action is needed.

If port 443 is not open, identify the active firewall and open the port:

if command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet firewalld; then
    echo "firewalld"
elif command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -qw active; then
    echo "ufw"
elif command -v nft >/dev/null 2>&1 && sudo nft list ruleset 2>/dev/null | grep -q 'table'; then
    echo "nftables"
elif command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet iptables; then
    echo "iptables"
elif command -v iptables >/dev/null 2>&1 && sudo iptables -L 2>/dev/null | grep -qE 'REJECT|DROP|ACCEPT'; then
    echo "iptables"
else
    echo "none"
fi

If the output is none, no firewall is active. Otherwise, run the command for your firewall:

firewalld

sudo firewall-cmd --permanent --add-port=443/tcp && sudo firewall-cmd --reload

ufw

sudo ufw allow 443/tcp

nftables

sudo nft add table inet filter 2>/dev/null
sudo nft add chain inet filter input '{ type filter hook input priority 0; }' 2>/dev/null
sudo nft add rule inet filter input tcp dport 443 counter accept 2>/dev/null

iptables

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

To persist iptables rules across reboots:

  • RHEL/CentOS:

    sudo yum install -y iptables-services
    sudo service iptables save

  • Debian/Ubuntu:

    sudo apt-get install -y iptables-persistent
    sudo iptables-save | sudo tee /etc/iptables/rules.v4 >/dev/null

Step 3: Configure Tomcat

The configuration syntax differs slightly between Tomcat versions. Follow the section that matches your version.

Tomcat 9

  1. From the Tomcat root directory, open server.xml:

    sudo vim ./conf/server.xml
  2. Configure the HTTP redirect connector. Update the existing HTTP connector to redirect traffic to port 443:

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443"
               maxParameterCount="1000"
               />
  3. Add the SSL connector. Choose the block that matches your certificate format:

    PFX format

    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true"
               maxParameterCount="1000"
               >
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/etc/ssl/cert/domain_name.pfx"
                         certificateKeystorePassword="<password-from-pfx-password.txt>"
                         certificateKeystoreType="PKCS12"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

    JKS format

    <Connector port="443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150"
               SSLEnabled="true"
               maxParameterCount="1000"
               >
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/etc/ssl/cert/domain_name.jks"
                         certificateKeystorePassword="<password-from-jks-password.txt>"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

    Replace the certificateKeystoreFile path with the actual path to your certificate file, and replace the certificateKeystorePassword value with the content of the corresponding password file.

  4. Update the AJP connector's redirectPort to 443:

    <Connector protocol="AJP/1.3"
               address="::1"
               port="8009"
               redirectPort="443"
               maxParameterCount="1000"
               />

Tomcat 8.5

Tomcat 8.5 requires you to manually specify the JSSE implementation. The connector syntax is the same as Tomcat 9 above. Add the SSL connector using either the PFX or JKS block from the Tomcat 9 section.

Tomcat 7

Tomcat 7 uses inline SSL attributes on the Connector element rather than nested SSLHostConfig.

PFX format

<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/etc/ssl/cert/domain_name.pfx"
           keystoreType="PKCS12"
           keystorePass="<password-from-pfx-password.txt>"
           clientAuth="false"
           SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

JKS format

<Connector port="443"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxParameterCount="1000"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/etc/ssl/cert/domain_name.jks"
           keystoreType="JKS"
           keystorePass="<password-from-jks-password.txt>"
           clientAuth="false"
           SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>

(Optional) Force HTTP to HTTPS redirection

To redirect all HTTP requests to HTTPS automatically, add the following block at the bottom of conf/web.xml, just before the closing </web-app> tag:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Validate and restart Tomcat

  1. Validate the configuration. From the Tomcat bin directory, run:

    ./configtest.sh

    If the output is Configuration file test successful, the configuration is valid. If errors appear, correct the configuration based on the error messages and re-run the validation.

  2. Restart Tomcat to apply the changes:

    sudo ./shutdown.sh
    sudo ./startup.sh

Step 4: Verify the deployment

Open a browser and navigate to https://yourdomain (replace yourdomain with your actual domain).

A lock icon in the address bar confirms that the certificate is installed correctly.

Starting from Chrome 117, the lock icon is replaced by a new icon. Click this icon to view the certificate details.

If the lock icon does not appear or you see access errors, clear the browser cache or try again in incognito mode. See the FAQ section if the issue persists.

Going live

When deploying to production, apply the following practices:

  • Run Tomcat as a non-root user. Create a dedicated low-privilege system account for Tomcat and never run it as root. On Linux, only root or a process holding the CAP_NET_BIND_SERVICE capability can bind ports below 1024, so a non-root Tomcat that listens on port 443 directly needs that capability or a port forward.

  • Consider terminating SSL at the gateway layer instead: deploy the certificate on a Server Load Balancer (SLB) or a reverse proxy such as Nginx. The gateway handles HTTPS termination and forwards plain HTTP to the backend, which simplifies certificate management across multiple servers.

  • Keep credentials out of configuration files. Use environment variables, a secrets manager, or a cloud key management service to inject the keystore password at runtime rather than hardcoding it in server.xml.

  • Enforce HTTP to HTTPS redirection. Redirect all HTTP traffic to HTTPS to prevent man-in-the-middle attacks (see the optional step in Step 3).

  • Disable legacy TLS protocols. Disable SSLv3, TLS 1.0, and TLS 1.1 in your Tomcat configuration. Enable only TLS 1.2 and TLS 1.3.

  • Monitor certificate expiration. After deployment, enable domain monitoring in Certificate Management Service. Alibaba Cloud checks certificate validity and sends renewal reminders before expiration. For instructions, see Purchase and enable public domain name monitoring.
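A post-deployment check that covers both the browser verification in Step 4 and the legacy-TLS and expiry items in the list above, written here as an added example (not part of the original page). It assumes the openssl command-line tool on the machine running the check and the domain you configured in server.xml.

```shell
#!/bin/sh
# Post-deployment check of the live HTTPS endpoint: each TLS version is tried
# once and compared with the "Going live" rule (TLS 1.0/1.1 refused,
# TLS 1.2/1.3 accepted); then the served certificate is checked for expiry
# within 30 days. Added example, not from the original page; assumes openssl.
# Usage: sh check_tls.sh www.example.com [443]

# One handshake attempt restricted to a single protocol version; prints
# "accepted" or "refused". SECLEVEL=0 lets an OpenSSL 3 client offer TLS 1.0/1.1
# at all; without it those rows would read "refused" whatever the server does.
probe_protocol() {
    if openssl s_client -connect "$1:$2" -servername "$1" "$3" \
           -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
        echo accepted
    else
        echo refused
    fi
}

# Compare an observed (protocol, result) pair with the policy.
# Returns 0 when the server behaves as the hardening step requires.
policy_ok() {
    case "$1:$2" in
        tls1:refused|tls1_1:refused|tls1_2:accepted|tls1_3:accepted) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 if the served leaf certificate expires within $3 days, or if no
# certificate could be read at all; `openssl x509 -checkend` does the date math.
expires_within_days() {
    if openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
         | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null 2>&1; then
        return 1   # still valid beyond the window
    fi
    return 0       # expiring soon, or no certificate could be read
}

check_host() {
    host=$1; port=${2:-443}; rc=0
    for proto in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(probe_protocol "$host" "$port" "-$proto")
        if policy_ok "$proto" "$result"; then status=ok; else status=FAIL; rc=1; fi
        printf '%-7s %-9s %s\n' "$proto" "$result" "$status"
    done
    if expires_within_days "$host" "$port" 30; then
        echo "certificate expires within 30 days (or could not be read): renew or fix"; rc=1
    fi
    return $rc
}
if [ $# -ge 1 ]; then check_host "$@"; fi
```

A non-zero exit status means at least one row failed the policy or the certificate is close to expiry, which makes the script usable from a cron job as a simple expiry monitor.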

FAQ

HTTPS is inaccessible after installation or certificate update

Check the following in order:

  1. Port 443 blocked. Verify that both the security group and the OS firewall allow inbound TCP traffic on port 443. See Step 2.

  2. Domain mismatch. Confirm the domain you are accessing is listed in the certificate's Bound Domains field. See the Prerequisites section for domain-matching rules.

  3. Tomcat not restarted. The new configuration takes effect only after Tomcat restarts. See the validate and restart steps in Step 3.

  4. Incorrect certificate path or file. Check that certificateKeystoreFile (or keystoreFile) in server.xml points to the correct, up-to-date certificate file.

  5. Certificate missing on upstream services. If your domain passes through a Content Delivery Network (CDN), Server Load Balancer (SLB), or Web Application Firewall (WAF), the certificate must be installed on those services as well. See Certificate deployment locations when traffic passes through multiple Alibaba Cloud services.

  6. Incomplete multi-server deployment. If the domain's DNS resolves to multiple servers, install the certificate on all of them.

For deeper troubleshooting, see Resolve certificate deployment issues based on browser error messages and the SSL certificate deployment troubleshooting guide.

Tomcat fails to start, and the log shows the "Keystore was tampered with, or password was incorrect" error

This almost always means the password in server.xml doesn't match the keystore file. To fix it:

  1. Open the password file (.txt) from the certificate package and copy its contents exactly, with no trailing spaces or newlines.

  2. Update the certificateKeystorePassword (or keystorePass) attribute in server.xml with that value.

  3. Confirm that certificateKeystoreFile (or keystoreFile) points to the correct file path.

  4. Confirm that the Tomcat user has read permission on the certificate file.

Connection was reset / Connection refused when accessing the server

This is a network connectivity issue, not a certificate problem. Check the following:

  1. Confirm that both the security group and the OS firewall allow inbound traffic on port 443 (or whichever port is configured in server.xml). See Step 2.

  2. Verify that Tomcat is running: ps -ef | grep tomcat

  3. Confirm that the port attribute in the server.xml SSL connector matches the port you are accessing.

How to update or replace an SSL certificate in Tomcat

  1. Back up the existing files. Save copies of the current certificate file (.pfx or .jks) and the password file (.txt) from the server.

  2. Download the new certificate. Get the new certificate package from the Certificate Management Service console.

  3. Replace the files. Upload the new certificate and password files to the same path on the server, overwriting the old ones. The file path and name must match exactly what is configured in server.xml.

  4. Restart Tomcat. Run sudo ./shutdown.sh and sudo ./startup.sh from the Tomcat bin directory to apply the new certificate.