
Certificate Management Service:Install SSL certificates on Tomcat 8.5 or 9.0 servers that run CentOS

Last Updated:Oct 18, 2023

You can install SSL certificates on Tomcat servers that run CentOS to enable HTTPS-based access to web services that are deployed on the servers. This topic describes how to install an SSL certificate on a Tomcat 8.5 or 9.0 server that runs CentOS.

Preparations

  • Operating system: 64-bit CentOS 7.6

  • Web server: Tomcat 8.5 or Tomcat 9.0

Note

Make sure that the Java Development Kit (JDK) is installed and environment variables are configured on the Tomcat server. You can view the recommended JDK-compatible configurations on the Tomcat official website.

Prerequisites

Step 1: Download the certificate

  1. Log on to the Certificate Management Service console.

  2. In the left-side navigation pane, click SSL Certificates.
  3. On the SSL Certificates page, find the certificate that you want to manage and click Download in the Actions column.
  4. Find Tomcat in the Server Type column and click Download in the Actions column.

  5. Decompress the downloaded certificate package.

    The following describes the files that you can extract from the package. The files vary based on the CSR generation method that you used when you submitted the certificate application.

    CSR Generation set to Automatic

    • Certificate file in the PFX format: By default, the certificate file is named in the format <Certificate ID>_<Domain name bound to the certificate>.

    • Password file in the TXT format: By default, the password file is named in the format <Certificate format>-password.

      Important

      A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.

    CSR Generation set to Manual

    • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that you obtain when CSR Generation is set to Automatic.

    • If the specified CSR is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package; no password file or private key file is included. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

Step 2: Install the certificate on the Tomcat server

  1. Upload the extracted certificate file and password file to the conf directory of the Tomcat server.

    Note

    You can upload the files by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, or WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use mstsc.exe to upload a file to a Windows instance or Upload a file to a Linux instance.

  2. Run the following command in the root installation directory of Tomcat to open the server.xml file:

    vim ./conf/server.xml 
  3. Find the following configuration items in the server.xml file and configure the settings based on the following configuration examples:

    • Configuration Item 1

      Configuration example (the explanatory notes are written as XML comments because XML does not allow comments inside a tag):

      <!-- HTTP connector. Change the Connector port to 80 and change redirectPort to the
           default SSL port 443, so that HTTPS requests are forwarded to port 443. -->
      <Connector port="80" protocol="HTTP/1.1"
                 connectionTimeout="20000"
                 redirectPort="443"
                 maxParameterCount="1000" />
    • Configuration Item 2

      Configuration example (the <!-- and --> delimiters that comment out this Connector in the default server.xml must be removed):

      <!-- HTTPS connector. Change the default HTTPS port of the Tomcat server to port 443.
           You cannot access port 8443 by using only a domain name; to access port 8443, you
           must append the port number to your domain name. Port 443 is the default HTTPS port
           and can be accessed by using only a domain name.
           protocol specifies the NIO running mode for the connector; the APR running mode is
           also supported.
           certificateKeystoreFile is the path of the certificate file (the PFX file uploaded
           to the conf directory); certificateKeystorePassword is the password from the
           downloaded password file. -->
      <Connector port="443"
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 maxThreads="150" SSLEnabled="true"
                 maxParameterCount="1000">
          <SSLHostConfig>
              <Certificate certificateKeystoreFile="conf/xxx.pfx"
                           certificateKeystorePassword="xxxxxx"
                           type="RSA" />
          </SSLHostConfig>
      </Connector>
    • Configuration Item 3

      Configuration example (the <!-- and --> delimiters that comment out this Connector in the default server.xml must be removed):

      <!-- AJP connector. Change redirectPort to 443 so that HTTPS requests are forwarded
           to port 443. -->
      <Connector protocol="AJP/1.3"
                 address="::1"
                 port="8009"
                 redirectPort="443"
                 maxParameterCount="1000" />
  4. Optional. Configure settings in the conf/web.xml file to automatically redirect HTTP requests to HTTPS.

    1. Run the following command in the root installation directory of Tomcat to open the web.xml file:

      vim ./conf/web.xml 
    2. Append the following configuration item to the web.xml file:

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>SSL</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
  5. Run the following commands in the bin directory of the Tomcat server to restart the Tomcat service:

    ./shutdown.sh # Stop the Tomcat service.
    ./startup.sh # Start the Tomcat service.
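    Before restarting, it is worth checking that the edited server.xml really matches Configuration Items 1 to 3. The following pre-flight check is an added example, not code from the original page or from Tomcat; it uses only the Python standard library, and the server.xml strings it inspects are constructed samples (one edited as in Step 2, one unedited, and one in which an explanatory note was left inside a tag).

```python
import xml.etree.ElementTree as ET


def check_server_xml(xml_text):
    """Return a list of findings; an empty list means the Connectors match Configuration
    Items 1 to 3. A real XML parser is used, so a '#' note left inside a tag is reported."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML: {exc}"]
    findings, https_seen = [], False
    for conn in root.iter("Connector"):
        port, proto = conn.get("port"), conn.get("protocol", "HTTP/1.1")
        if conn.get("SSLEnabled", "false").lower() == "true":
            https_seen = True
            if port != "443":
                findings.append(f"HTTPS connector listens on {port}, expected 443")
            certs = list(conn.iter("Certificate"))
            if not certs:
                findings.append("HTTPS connector has no <Certificate> element")
            for cert in certs:
                if not cert.get("certificateKeystoreFile", "").lower().endswith(".pfx"):
                    findings.append("certificateKeystoreFile does not name the PFX file")
                if not cert.get("certificateKeystorePassword"):
                    findings.append("certificateKeystorePassword is missing")
        elif conn.get("redirectPort") != "443":  # plain HTTP or AJP connector
            findings.append(f"{proto} connector on port {port} has redirectPort="
                            f"{conn.get('redirectPort')}, expected 443")
    if not https_seen:
        findings.append('no Connector with SSLEnabled="true" (still commented out?)')
    return findings


# Constructed sample: the three Connectors exactly as Step 2 configures them.
GOOD_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443"/>
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true">
    <SSLHostConfig><Certificate certificateKeystoreFile="conf/xxx.pfx" certificateKeystorePassword="xxxxxx" type="RSA"/></SSLHostConfig>
  </Connector>
  <Connector protocol="AJP/1.3" address="::1" port="8009" redirectPort="443"/>
</Service></Server>"""

# Constructed sample: an unedited server.xml, HTTPS Connector still commented out.
STOCK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <!-- <Connector port="8443" SSLEnabled="true" maxThreads="150"/> -->
</Service></Server>"""

# Constructed sample: an explanatory note pasted inside the tag itself.
NOTE_INSIDE_TAG_XML = '<Server><Connector port="80" # Change Connector port to 80. /></Server>'
```

    Run check_server_xml(open("conf/server.xml").read()) from the Tomcat root directory; the HTTPS connector is accepted only once its port is 443 and it carries a Certificate element with a PFX path and a password.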

Step 3: Check whether the certificate is installed

After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed.

https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

If a lock icon appears in the address bar, the certificate is installed.
