SSL - HTTPS On Tomcat
There are two ways to end up with a keystore Tomcat can use. With a JKS keystore you create the
keystore and key pair yourself with keytool, generate a CSR from it, and import the certificate the
CA returns (.crt/.p7b/.pem) together with the CA's chain into that same keystore. If you are instead
given a PKCS12 bundle (.pfx/.p12) that already contains the private key and the full certificate
chain, you only need that file and its password: no .jks file has to be created and no
.pem/.crt/.p7b files have to be imported.
In order to obtain a Certificate from the Certificate Authority of your choice you have to create a
so-called Certificate Signing Request (CSR). The CA uses that CSR to issue a Certificate that binds
your server's public key to your domain name, which is what lets browsers treat the site as
trusted. To create a CSR follow these steps:
Note: keytool's prompt "What is your first and last name?" fills the certificate's Common Name
(CN). Enter the domain of your website (i.e. www.myside.org) there, not a person's name, or the
certificate will not match the site. Browsers today also require the domain in a Subject
Alternative Name extension, so add it as well (keytool's -ext san=dns:... option) when you create
the key pair and the CSR.
Example :
Now you have a file called erp_metro.csr that you can submit to the Certificate Authority (look
at the documentation of the Certificate Authority website on how to do this). In return you get a
Certificate.
Now that you have your Certificate you can import it into your local keystore. First you have to
import the CA's chain, that is its Root Certificate and any Intermediate Certificate, each under its
own alias. Only after that do you import your own Certificate, under the alias of the key pair.
Download the Chain Certificate from the Certificate Authority you obtained the Certificate
from.
Each Certificate Authority tends to differ slightly from the others. They may require slightly
different information and/or provide the certificate and associated certificate chain in different
formats. Additionally, the rules that the Certificate Authorities use for issuing certificates
change over time. As a result you may find that the commands given above may need to be
modified.
Example
delete alias
** When importing the server certificate, use exactly the alias you used when creating the key
pair (the keyAlias in server.xml). Importing it under a new alias creates a separate
trusted-certificate entry with no private key behind it, and Tomcat will not be able to serve it.
The root and intermediate certificates must go under their own, different aliases.
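The procedure described above as one runnable script, added here as an example and not code from the original page. A locally generated CA stands in for the commercial Certificate Authority so that the script runs offline; with a real CA you send erp_metro.csr off and, in step 4, import the chain file(s) and the server certificate it returns instead of root.pem and erp_metro.crt. The work directory, the password changeit, the PKCS12 store type, the demo-ca alias and the host www.myside.org are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: create key pair -> create CSR ->
# import CA chain -> import signed certificate, then verify the result.
# Assumptions: temp work dir, password "changeit", PKCS12 store, a demo CA
# (alias demo-ca) that stands in for the real Certificate Authority.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STORETYPE="PKCS12"               # modern JDKs default to PKCS12; JKS is legacy
KEYSTORE="$WORK/erp.p12"         # what keystoreFile in server.xml points at
STOREPASS="changeit"             # must equal keystorePass in server.xml
ALIAS="server"                   # must equal keyAlias in server.xml
HOST="www.myside.org"            # the site name; goes into CN and SAN
CA_KEYSTORE="$WORK/demo-ca.p12"  # stand-in for the real CA (assumption)
CSR="$WORK/erp_metro.csr"

# 1. Create the keystore and the server key pair. keytool's "first and last
#    name" is the CN, so the domain goes there; browsers additionally require
#    the domain in a SubjectAlternativeName, hence the -ext.
create_keypair() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$HOST, OU=IT, O=Example Ltd, L=City, ST=State, C=US" \
        -ext "san=dns:$HOST"
}

# 2. Create the CSR that is sent to the Certificate Authority.
create_csr() {
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" -file "$CSR" -ext "san=dns:$HOST"
}

# 3. (Stand-in for the CA) create a root CA and sign the CSR with it.
#    A real CA hands back the equivalents of root.pem and erp_metro.crt.
sign_with_demo_ca() {
    keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -validity 3650 \
        -keystore "$CA_KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=Demo Root CA, O=Example Ltd, C=US" -ext "bc:c=ca:true"
    keytool -exportcert -alias demo-ca -keystore "$CA_KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" -rfc -file "$WORK/root.pem"
    keytool -gencert -alias demo-ca -keystore "$CA_KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" -infile "$CSR" -outfile "$WORK/erp_metro.crt" -rfc \
        -validity 365 -ext "san=dns:$HOST" \
        -ext "ku:c=digitalSignature,keyEncipherment" -ext "eku=serverAuth"
}

# 4. Import the chain first, under its own alias, then the server certificate
#    under the SAME alias as the key pair so keytool attaches it to the private
#    key (a different alias would only create a trusted-certificate entry).
import_chain_and_cert() {
    keytool -importcert -noprompt -alias root -file "$WORK/root.pem" \
        -keystore "$KEYSTORE" -storetype "$STORETYPE" -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias "$ALIAS" -file "$WORK/erp_metro.crt" \
        -keystore "$KEYSTORE" -storetype "$STORETYPE" -storepass "$STOREPASS"
}

# Checks: the entry must be a PrivateKeyEntry (not trustedCertEntry) and the
# chain attached to it must hold the leaf and the root.
entry_type() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" | sed -n 's/^Entry type: //p'
}
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" | sed -n 's/^Certificate chain length: //p'
}

run_all() {
    rm -f "$KEYSTORE" "$CA_KEYSTORE"
    create_keypair
    create_csr
    sign_with_demo_ca
    import_chain_and_cert
}

if command -v keytool >/dev/null 2>&1; then
    run_all
    echo "keystore: $KEYSTORE  entry: $(entry_type)  chain length: $(chain_length)"
else
    echo "keytool not found; install a JDK to run this example" >&2
fi
```

The matching server.xml attributes are keystoreFile pointing at erp.p12, keystoreType="PKCS12", keyAlias="server" and keystorePass equal to STOREPASS. If you must keep a legacy .jks file, set STORETYPE to JKS and name the file accordingly; everything else stays the same.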
Configure Tomcat
Configure server.xml file:
Now open server.xml (C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf on a default
Windows install) and add ONE of the following two Connector elements, replacing any existing
connector on port 8443. They are alternatives, not a pair: the first uses the .jks keystore built
with keytool, the second a ready-made .pfx (PKCS12) bundle, and both bind port 8443, so if both
are present the second will fail to bind. keystoreFile, keystorePass and (for JKS) keyAlias must
match the file, password and alias used with keytool.
<!-- Option 1: JKS keystore created and populated with keytool (keystoreType defaults to JKS) -->
<Connector SSLEnabled="true"
           acceptCount="100"
           clientAuth="false"
           disableUploadTimeout="true"
           enableLookups="false"
           maxThreads="150"
           port="8443"
           keyAlias="server"
           keystoreFile="E:\ssltest\erp.jks"
           keystorePass="B@ndsadead"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           scheme="https"
           secure="true"
           sslProtocol="TLS" />

<!-- Option 2: PKCS12 (.pfx) bundle; keystoreType must be set because JKS is the default -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443"
           maxThreads="200"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           keystoreFile="E:\ssl-2022-23\SSL23.pfx"
           keystorePass="dad121"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS" />
Configure web.xml file:
Add the following security constraint to the application's WEB-INF/web.xml (or to conf/web.xml
to apply it to every web application). A transport-guarantee of CONFIDENTIAL makes Tomcat redirect
any plain HTTP request for a matching URL to HTTPS. The redirect goes to the port named in the
redirectPort attribute of the HTTP connector that received the request; the stock server.xml sets
redirectPort="8443" on the port 8080 connector, so keep that attribute, because its default is 443.
<security-constraint>
    <web-resource-collection>
        <web-resource-name>webapps</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
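Once the connector and the constraint are deployed, these are the checks to run against the server, added here as an example and not part of the original page. It needs curl and openssl (1.1.1 or newer for the -ext option); the host name, the ports and the CA bundle path are assumptions to replace with your own.

```shell
#!/bin/sh
# Added example, not from the original page: verify the HTTP->HTTPS redirect
# produced by the CONFIDENTIAL constraint and inspect what the HTTPS connector
# actually presents. Assumptions: host www.myside.org, HTTP on 8080, HTTPS on
# 8443, optional CA bundle as third/fourth argument; curl and openssl installed.
set -eu

# Is an HTTP response a redirect to the HTTPS connector? Tomcat sends a client
# that hits the plain HTTP connector to the port in that connector's
# redirectPort; the attribute's default is 443, so a redirect to https://host/
# instead of https://host:8443/ means redirectPort was not set.
is_https_redirect() {
    status="$1"; location="$2"; host="$3"; https_port="$4"
    case "$status" in 301|302|303|307|308) ;; *) return 1 ;; esac
    case "$location" in
        "https://$host:$https_port/"*) return 0 ;;
        "https://$host/"*) [ "$https_port" = 443 ] ;;
        *) return 1 ;;
    esac
}

# Fetch only the headers of the HTTP connector's root URL and feed them to the
# check above (exit status 0 means the redirect is correct).
check_redirect() {
    host="$1"; http_port="${2:-8080}"; https_port="${3:-8443}"
    headers="$(curl -s -o /dev/null -D - "http://$host:$http_port/" | tr -d '\r')"
    status="$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9]*\).*/\1/p')"
    location="$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: //p' | head -n 1)"
    is_https_redirect "$status" "$location" "$host" "$https_port"
}

# Handshake the way a browser would (SNI set to the host) and print what the
# server presents: negotiated protocol, chain verification result, and the leaf
# certificate's subject, issuer, validity and SAN (which must list the host).
check_tls() {
    host="$1"; https_port="${2:-8443}"; cafile="${3:-}"
    if [ -n "$cafile" ]; then
        out="$(openssl s_client -connect "$host:$https_port" -servername "$host" \
               -CAfile "$cafile" </dev/null 2>/dev/null)"
    else
        out="$(openssl s_client -connect "$host:$https_port" -servername "$host" \
               </dev/null 2>/dev/null)"
    fi
    printf '%s\n' "$out" | grep -E '^[[:space:]]*(Protocol|Verify return code)'
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

# Usage: sh check_tomcat_tls.sh www.myside.org [http_port] [https_port] [ca.pem]
if [ "$#" -ge 1 ]; then
    if check_redirect "$1" "${2:-8080}" "${3:-8443}"; then
        echo "redirect to HTTPS: OK"
    else
        echo "redirect to HTTPS: WRONG (check transport-guarantee and redirectPort)"
    fi
    check_tls "$1" "${3:-8443}" "${4:-}"
fi
```

A "Verify return code: 0 (ok)" line together with the host in the SAN output is what a browser needs; a non-zero verify code usually means the intermediate certificate was not imported into the keystore, so Tomcat sends only the leaf.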
Reference:
https://tomcat.apache.org/tomcat-9.0-doc/index.html
https://www.digicert.com/easy-csr/keytool.htm
https://www.digicert.com/kb/csr-ssl-installation/tomcat-keytool.htm
https://www.ssls.com/knowledgebase/how-to-install-an-ssl-certificate-on-a-tomcat-server/
https://www.youtube.com/watch?v=RaEG_DOpNPc
https://www.youtube.com/watch?v=MFYgCHC8t0o
https://www.youtube.com/watch?v=d-f-2pMOgOA
https://www.youtube.com/watch?v=OOFMpUZjito
https://www.youtube.com/watch?v=vYhY11p47rI