How to install an SSL certificate on a Tomcat server

    Posted in SSL Certificates on Jul 25, 2019

    Once the certificate is issued, the next step is to install it on a Tomcat server.

    There are different ways of importing the files into the keystore, depending on the format in which the certificate was delivered:
    - PKCS#7 (.p7b)
    - PEM (.crt)
    - PKCS#12 (.pfx)

    1) PKCS#7 (.p7b)

    If the certificate you received is in PKCS#7 format (the certificate file has a .p7b or .cer extension), it already includes the necessary intermediate and root certificates, so a single import is enough.

    To import it into the keystore:

    [image: Tomcat_Instal_1_SSLs.jpg]

    Check the details of the certificate that was imported into the keystore as follows:

    [image: img2.jpg]

    2) PEM (.crt)

    If you received the certificate in PEM format (files with the .crt extension), you need to import the root certificate, the intermediate certificates and the certificate issued for your domain name into the keystore separately, starting with the root certificate and ending with the certificate for your domain name, as shown below:

    [image: img3.jpg]

    After the successful import, edit the Tomcat configuration file. As a rule, it is called server.xml and can usually be found in the Home_Directory/conf folder.

    By default, the HTTPS Connector should look something like this (note that every attribute value, including protocol="HTTP/1.1", must be enclosed in quotes, otherwise Tomcat will refuse to parse server.xml):

    <Connector port="443" protocol="HTTP/1.1"
               SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="/your_path/yourkeystore.jks"
               keystorePass="password_for_your_key_store" />

    You need to modify the keystoreFile directive with the path to the location of your keystore file, and keystorePass with the password of the keystore. If this is the first time you are configuring an SSL certificate on Tomcat, you will first need to uncomment the SSL Connector configuration by removing the <!-- and --> around the section you want to uncomment.

    Also, the keystoreFile and keystorePass lines may be missing entirely; in that case you need to add these directives manually.

    If your keystore contains more than one private key alias, you need to add the keyAlias directive referencing the alias you want Tomcat to use, for example keyAlias="tomcat".

    Save the changes and restart the Tomcat service.
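Before restarting Tomcat it is worth checking the Connector for the mistakes the steps above can produce (a Connector still wrapped in a comment, a missing keystoreFile or keystorePass, a wrong keystore path, a missing keyAlias when the keystore holds several keys). The script below is an added example, not code from the original article; it checks the per-Connector attributes used above and additionally the keystoreType attribute, which Tomcat needs set to "PKCS12" when the keystore is a .pfx/.p12 file rather than a JKS file. The key_aliases input is an assumption: it is the list of alias names you would read off keytool -list.

```python
"""Audit the HTTPS Connector in a Tomcat server.xml before restarting Tomcat.
Added example, not from the original article."""
import os
import xml.etree.ElementTree as ET


def audit_connector(server_xml_text, path_exists=os.path.exists, key_aliases=None):
    """Return a list of findings for the SSL-enabled Connector(s); [] means nothing to fix.

    key_aliases (assumed input): alias names of the key entries in the keystore,
    as shown by keytool -list. When given, keyAlias is checked against it."""
    try:
        root = ET.fromstring(server_xml_text)
    except ET.ParseError as e:
        # e.g. a missing closing quote after protocol="HTTP/1.1 stops Tomcat from starting
        return [f"server.xml is not well-formed XML: {e}"]

    # ElementTree drops XML comments, so a Connector still wrapped in <!-- -->
    # simply does not show up here, which is exactly the "forgot to uncomment" case.
    ssl = [c for c in root.iter("Connector")
           if c.get("SSLEnabled", "").lower() == "true"]
    if not ssl:
        return ['no Connector with SSLEnabled="true" found (still commented out?)']

    findings = []
    for c in ssl:
        where = f"Connector port={c.get('port', '?')}"
        ks = c.get("keystoreFile")
        if not ks:
            findings.append(f"{where}: keystoreFile is missing")
        elif not path_exists(ks):
            findings.append(f"{where}: keystoreFile {ks} does not exist")
        if not c.get("keystorePass"):
            findings.append(f"{where}: keystorePass is missing")
        # A .pfx/.p12 keystore must be declared as PKCS12 explicitly.
        if ks and ks.lower().endswith((".pfx", ".p12")) \
                and c.get("keystoreType", "").upper() != "PKCS12":
            findings.append(f'{where}: {ks} looks like PKCS#12 but keystoreType="PKCS12" is not set')
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f'{where}: expected scheme="https" secure="true"')
        alias = c.get("keyAlias")
        if key_aliases is not None:
            if len(key_aliases) > 1 and not alias:
                findings.append(f"{where}: keystore has several key aliases {key_aliases} "
                                "but keyAlias is not set")
            elif alias and alias not in key_aliases:
                findings.append(f"{where}: keyAlias={alias} not found in keystore {key_aliases}")
    return findings


def audit_file(path, key_aliases=None):
    """Audit a server.xml on disk, e.g. audit_file('/opt/tomcat/conf/server.xml')."""
    with open(path, encoding="utf-8") as f:
        return audit_connector(f.read(), key_aliases=key_aliases)


# Constructed samples (not a real configuration) used by demo().
SAMPLE_OK = """<Server><Service name="Catalina">
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystoreFile="/your_path/yourkeystore.jks"
             keystorePass="password_for_your_key_store" />
</Service></Server>"""
SAMPLE_BROKEN = SAMPLE_OK.replace('protocol="HTTP/1.1"', 'protocol="HTTP/1.1')  # lost quote
SAMPLE_COMMENTED = SAMPLE_OK.replace("<Connector", "<!-- <Connector").replace("/>", "/> -->")
SAMPLE_PFX = SAMPLE_OK.replace("yourkeystore.jks", "yourkeystore.pfx")
SAMPLE_NOPASS = SAMPLE_OK.replace(' keystorePass="password_for_your_key_store"', "")


def demo():
    """Run the audit over the constructed samples, pretending the keystore files exist."""
    exists = lambda p: True
    return {
        "ok": audit_connector(SAMPLE_OK, exists),
        "broken": audit_connector(SAMPLE_BROKEN, exists),
        "commented": audit_connector(SAMPLE_COMMENTED, exists),
        "pfx": audit_connector(SAMPLE_PFX, exists),
        "nopass": audit_connector(SAMPLE_NOPASS, exists),
        "alias": audit_connector(SAMPLE_OK, exists, key_aliases=["tomcat", "old-key"]),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Since keystorePass sits in server.xml in clear text, the same review should confirm that the file is readable only by the account Tomcat runs under.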

    3) PKCS#12 (.pfx)

    If you have the private key and certificate in PEM format, you can create a certificate in PKCS#12 format using this tool (PEM to PKCS#12).

    Alternatively, use the following command:

    openssl pkcs12 -export -out your_pfx_certificate.pfx \
        -inkey your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt
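The keytool commands for all three delivery formats described in sections 1 to 3 (one import for a .p7b, a root-intermediates-domain sequence for PEM files, and a keystore merge for a .pfx), as an added example that is not code from the original article. It assumes keytool is on PATH, that the keystore already holds the private key under the alias used when the CSR was generated (KEY_ALIAS, assumed to be "tomcat"), and that the PEM CA files are passed in the article's order, root first. The ca1, ca2, ... alias names and the file names in demo() are constructed.

```python
"""Build (and optionally run) the keytool commands that load an issued certificate
into the Tomcat keystore. Added example, not code from the original article."""
import re
import subprocess
import tempfile
from pathlib import Path

KEY_ALIAS = "tomcat"  # assumed alias of the existing private-key entry in the keystore
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return every certificate block found in a PEM file, in file order."""
    return PEM_BLOCK.findall(text)


def pkcs7_commands(p7b, keystore, key_alias=KEY_ALIAS):
    # The .p7b carries the whole chain, so one import is enough. It must go in under
    # the private key's alias, otherwise keytool stores it as a separate trusted cert.
    return [["keytool", "-importcert", "-trustcacerts", "-alias", key_alias,
             "-file", str(p7b), "-keystore", str(keystore)]]


def pem_chain_commands(ca_files, domain_cert, keystore, workdir, key_alias=KEY_ALIAS):
    """ca_files: CA certificates in import order (root first). A file holding several
    certificates (a CA-bundle) is split so each import carries exactly one cert;
    every CA certificate gets its own alias ca1, ca2, ... The domain certificate is
    imported last, under the private key's alias, so keytool can build the chain."""
    cmds, n = [], 0
    for f in ca_files:
        for block in split_pem_bundle(Path(f).read_text()):
            n += 1
            one = Path(workdir) / f"ca{n}.crt"
            one.write_text(block + "\n")
            cmds.append(["keytool", "-importcert", "-trustcacerts", "-alias", f"ca{n}",
                         "-file", str(one), "-keystore", str(keystore)])
    if len(split_pem_bundle(Path(domain_cert).read_text())) != 1:
        raise ValueError("domain certificate file must hold exactly one certificate")
    cmds.append(["keytool", "-importcert", "-trustcacerts", "-alias", key_alias,
                 "-file", str(domain_cert), "-keystore", str(keystore)])
    return cmds


def pkcs12_commands(pfx, keystore):
    # A .pfx already bundles key and chain; merge it into the JKS keystore
    # (or point Tomcat at the .pfx directly with keystoreType="PKCS12").
    return [["keytool", "-importkeystore", "-srckeystore", str(pfx), "-srcstoretype", "PKCS12",
             "-destkeystore", str(keystore), "-deststoretype", "JKS"]]


def verify_command(keystore):
    """List the entries so the chain under the key alias can be checked after import."""
    return ["keytool", "-list", "-v", "-keystore", str(keystore)]


def run(cmds, dry_run=True):
    # Passwords are deliberately not passed with -storepass/-keypass: keytool prompts
    # for them, which keeps them out of shell history and process listings.
    for c in cmds:
        print(" ".join(c))
        if not dry_run:
            subprocess.run(c, check=True)


def demo():
    """Write constructed sample inputs to a temp dir and return the command lists
    for all three formats; nothing is executed."""
    fake = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
    d = Path(tempfile.mkdtemp())
    (d / "CA-bundle.crt").write_text(fake * 2)  # root + intermediate in one bundle
    (d / "domain.crt").write_text(fake)
    ks = d / "yourkeystore.jks"
    return {
        "p7b": pkcs7_commands(d / "domain.p7b", ks),
        "pem": pem_chain_commands([d / "CA-bundle.crt"], d / "domain.crt", ks, d),
        "pfx": pkcs12_commands(d / "domain.pfx", ks),
        "verify": verify_command(ks),
    }


if __name__ == "__main__":
    plan = demo()
    for fmt in ("p7b", "pem", "pfx"):
        print(f"# {fmt}")
        run(plan[fmt])          # dry run: prints the commands only
    run([plan["verify"]])
```

With dry_run=False keytool asks for the keystore password and, for each CA certificate, whether to trust it; once the domain certificate is in, the verify listing should show the key alias with a chain length greater than one.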