This topic describes how to install a JKS or PFX certificate on a Tomcat server, including downloading and uploading a certificate file, configuring related parameters on the Tomcat server, and verifying the installation result. The parameters are related to the certificate file and password file. PFX is also known as PKCS#12. After the certificate is installed, you can access the Tomcat server over HTTPS, which ensures the security of data transmission.
This topic provides examples on how to install a PFX certificate on a Tomcat 7 server and a Tomcat 8.5 server that run a Linux operating system. The installation process may vary based on the version of the operating system or web server. If you have questions, contact your account manager.
Select a certificate format
You can select a certificate format based on your business requirements, existing resources, and compatibility with systems.
JKS is the standard keystore type for Java and is widely used in Java-based applications and services. If your business runs in a Java environment and the tools and scripts that you use are compatible with JKS, you can use a JKS certificate, which is more convenient.
PFX is a cross-platform universal standard that is supported by Java and other environments, such as Windows systems, IIS servers, and SSL libraries for various programming languages. If you want to share certificates across multiple technology stacks or your business is tightly integrated with non-Java systems, you can use a PFX certificate, which is more interoperable.
Prerequisites
A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.
Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is correctly resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. To use the tool, log on to the Certificate Management Service console, and choose Common Certificate Tools > Verify DNS Settings in the left-side navigation pane. For more information, see Verify the DNS record of your domain name.
Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.
If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.
If you use a third-party cloud server or an on-premises server, make sure that port 443 is enabled for a firewall or security group to allow TCP access.
If you want to deploy the website on which your certificate is installed to a server located in the Chinese mainland, you must complete an Internet Content Provider (ICP) filing for the domain name bound to the certificate as required by the Ministry of Industry and Information Technology (MIIT). Otherwise, the website cannot be accessed as expected. For more information, see What is an ICP filing?
Step 1: Download a certificate
Log on to the Certificate Management Service console.
In the left-side navigation pane, choose .
On the SSL Certificate Management page, find the certificate that you want to manage and click More in the Actions column. On the page that appears, click the Download tab.
Download a certificate.
Download a PFX certificate
Find Tomcat in the Server Type column and click Download in the Actions column.
Download a JKS certificate
Find JKS in the Server Type column and click Download in the Actions column.
Decompress the downloaded certificate package.
The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.
Value of the CSR Generation parameter: Automatic
File extracted from the certificate package: The following files can be extracted:
- Certificate file in the PFX or JKS format: By default, the certificate file is named in the format Certificate ID_Domain name bound to the certificate.
- Password file in the TXT format: By default, the password file is named in the format Certificate format-password.
Important: A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.
Value of the CSR Generation parameter: Manual
File extracted from the certificate package:
- If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained when you set the CSR Generation parameter to Automatic.
- If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.
Step 2: Install the certificate on the Tomcat server
Upload the extracted certificate file and password file to the conf directory of the Tomcat server.
Note: The installation directory of Tomcat varies based on the environment of your server. You can run the following command to query the installation directory:
sudo find / -iname "*tomcat*"
You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use Remote Desktop Connection or Windows App to transfer files to a Windows instance or Upload a file to a Linux instance.
Run the following command in the root installation directory of Tomcat to open the server.xml file:
sudo vim ./conf/server.xml
Configure the server.xml file based on the following configuration example:
Important: To prevent errors when you start Tomcat, remove the comments when you copy the code.
The procedure for installing a certificate on Tomcat 7 is similar to that on Tomcat 8.5 and later. However, the supported Java versions and configuration file formats vary, and the specific configurations are slightly different. The following section describes how to install a certificate on Tomcat 7 and Tomcat 8.5 and later. You can select a configuration method based on your Tomcat version.
Tomcat 7: The Tomcat server automatically selects the SSL implementation. If you use this method but cannot complete the subsequent configuration, your server environment may not support automatic selection of the SSL implementation.
Configuration example for a PFX certificate:
<!-- Change the port based on your business requirements. Port 443 is the default port for HTTPS services. If you use a different port, you must access your website by using https://domain_name:port. Set keystoreFile to the path to your certificate. Set keystorePass to the password that is contained in the pfx-password.txt file. For more information about other configuration items, visit the Tomcat official website. -->
<Connector port="443" protocol="HTTP/1.1"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="conf/domain_name.pfx" keystoreType="PKCS12" keystorePass="Certificate password"
    clientAuth="false" SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
Configuration example for a JKS certificate:
<!-- Change the port based on your business requirements. Port 443 is the default port for HTTPS services. If you use a different port, you must access your website by using https://domain_name:port. Set keystoreFile to the path to your certificate. Set keystorePass to the password that is contained in the jks-password.txt file. For more information about other configuration items, visit the Tomcat official website. -->
<Connector port="443" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" maxParameterCount="1000"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="conf/domain_name.jks" keystoreType="JKS" keystorePass="Certificate password"
    clientAuth="false" SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
Tomcat 8.5 and later: Manually specify the SSL implementation (JSSE-based SSL implementation).
Configuration example (remove the <!-- ... --> comment before you use the configuration):
PFX certificate:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
    <SSLHostConfig>
        <!-- Replace conf/domain_name.pfx with the path to your certificate, and replace Certificate password with the password that is contained in the pfx-password.txt file. -->
        <Certificate certificateKeystoreFile="conf/domain_name.pfx" certificateKeystorePassword="Certificate password" type="RSA"/>
    </SSLHostConfig>
</Connector>
JKS certificate:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
    <SSLHostConfig>
        <!-- Replace conf/domain_name.jks with the path to your certificate, and replace Certificate password with the password that is contained in the jks-password.txt file. -->
        <Certificate certificateKeystoreFile="conf/domain_name.jks" certificateKeystorePassword="Certificate password" type="RSA"/>
    </SSLHostConfig>
</Connector>
Optional: Configure the /conf/web.xml file to automatically redirect HTTP requests to HTTPS.
Run the following command in the root installation directory of Tomcat to open the web.xml file:
sudo vim ./conf/web.xml
Append the following configuration items to the web.xml file:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
Run the following commands in the bin directory of the Tomcat server to restart the Tomcat service:
Stop command
sudo ./shutdown.sh
Start command
sudo ./startup.sh
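Before you restart Tomcat, the server.xml connector can be checked offline for the mistakes that Tomcat does not reject at startup: a mis-cased attribute name (Tomcat only logs a warning and ignores it), a keystorePass placeholder that was never replaced with the value from the password file, a PFX file declared with the JKS keystore type, and legacy protocol versions or cipher suites without forward secrecy. The following script is an added example for this topic, not code from the documentation or from Tomcat; it assumes cipher suites are written in the TLS_* naming form used in the examples above, and the sample documents in its test are constructed.

```python
import xml.etree.ElementTree as ET

# Tomcat attribute names are case-sensitive; a mis-cased one (e.g. redirectport) is ignored
# with only a startup warning, so the intended setting never takes effect.
CANONICAL = {a.lower(): a for a in (
    "port", "protocol", "connectionTimeout", "redirectPort", "maxParameterCount", "maxThreads",
    "SSLEnabled", "scheme", "secure", "keystoreFile", "keystoreType", "keystorePass", "clientAuth", "ciphers")}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}
PLACEHOLDER_PASSWORDS = {"Certificate password", "changeit"}  # copied from an example, never replaced
def _tokens(value):
    # Tomcat accepts '+' or ',' as separators in protocol and cipher lists.
    return [t.strip() for t in value.replace("+", ",").split(",") if t.strip()]
def lint_server_xml(xml_text):
    """Return a list of findings for every SSLEnabled Connector in a server.xml document."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, nothing to check
        tag = f"Connector port={conn.get('port')}"
        for name in conn.attrib:
            canon = CANONICAL.get(name.lower())
            if canon and canon != name:
                findings.append(f"{tag}: attribute '{name}' is ignored by Tomcat; use '{canon}'")
        if conn.get("keystoreFile"):  # Tomcat 7 style: keystore attributes on the Connector
            keystores = [(conn.get("keystoreFile"), conn.get("keystoreType", "JKS"), conn.get("keystorePass"))]
        else:  # Tomcat 8.5+ style: <SSLHostConfig><Certificate .../>
            keystores = [(c.get("certificateKeystoreFile"), c.get("certificateKeystoreType", "JKS"),
                          c.get("certificateKeystorePassword")) for c in conn.iter("Certificate")]
        for path, kstype, password in keystores:
            if path and path.lower().endswith((".pfx", ".p12")) and kstype.upper() != "PKCS12":
                findings.append(f"{tag}: {path} is PKCS#12 but keystore type is {kstype}")
            if not password or password in PLACEHOLDER_PASSWORDS:
                findings.append(f"{tag}: keystore password for {path} is missing or a placeholder")
        protocols = conn.get("SSLProtocol") or conn.get("sslEnabledProtocols") or ""
        ciphers = conn.get("ciphers", "")
        for host in conn.iter("SSLHostConfig"):
            protocols += "," + host.get("protocols", "")
            ciphers += "," + host.get("ciphers", "")
        legacy = sorted(set(_tokens(protocols)) & LEGACY_PROTOCOLS)
        if legacy:
            findings.append(f"{tag}: legacy protocol versions enabled: {', '.join(legacy)}")
        weak = [c for c in _tokens(ciphers) if c.startswith("TLS_RSA_")]
        if weak:
            findings.append(f"{tag}: {len(weak)} cipher suite(s) without forward secrecy (TLS_RSA_*)")
    return findings

if __name__ == "__main__":  # usage: python lint_server_xml.py /path/to/tomcat/conf/server.xml
    import sys
    for line in lint_server_xml(open(sys.argv[1], encoding="utf-8").read()) or ["no findings"]:
        print(line)
```

Run it against the edited conf/server.xml and fix every finding before executing startup.sh; an empty result means the connector is at least syntactically coherent, not that the keystore password is correct.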
Step 3: Check whether the certificate is installed
After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.
https://yourdomain # Replace yourdomain with the domain name that is bound to your certificate.
If the secure connection (lock) icon appears in the address bar of your browser, the certificate is installed.
Starting in Google Chrome 117, the lock icon in the address bar is replaced by the site settings (tune) icon. If the lock icon appears in the site information panel after you click the site settings icon, the certificate is installed.