How to add ssl certificate for a domain in Tomcat 8 server

tom cat ssl certificate

The following procedure will help you to add an ssl certificate in your tomcat 8 server.

Let us assume /opt/tomcat will be the tomcat installation folder and we are going to install it for a doamin fun.com

Step 1 : Generate a Certificate Signing Request (CSR) for your domain fun.com

# mkdir /opt/tomcat/ssl
# cd /opt/tomcat/ssl
# keytool -genkey -alias fun.com -keyalg RSA -keysize 2048 -keystore fun_com.jks -dname "CN=fun.com,OU=Technical, O=Fun Technologies Limited, L=Talvia, ST=kbgrp, C=IN" && keytool -certreq -alias fun.com -file fun_com.csr -keystore fun_com.jks

Step 2 . Use the CSR file fun_com.csf for purchasing a real ssl certificate , let us say I bought it from comodo. Now we need to add all th CA root and other trust certificate to the above keystore file fun_com.jks as follows,

#keytool -import -trustcacerts -alias ExternalCARoot -file AddTrustExternalCARoot.crt -keystore /opt/tomcat/ssl/fun_com.jks

#keytool -import -trustcacerts -alias ComodoAddTru -file COMODORSAAddTrustCA.crt -keystore /opt/tomcat/ssl/fun_com.jks

Step 3 : Add the certificate file too to the keystore

# keytool -import -trustcacerts -alias fun -file fun_com.crt -keystore /opt/tomcat/ssl/fun_com.jks

Step 4 : Now check the keystore and you can see all certificate and chain crts are added to the keystore

#keytool -list -keystore /opt/tomcat/ssl/fun_com.jks

Now open the server.xml ( in /opt/tomcat/conf/server.xml ) file and enable the following sections

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/opt/tomcat/ssl/fun_com.jks" keystoreType="JKS" keystorePass="changeit"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

Now restart the tomcat server

/etc/init.d/tomcat restart

You may now verify your ssl by calling your domain name over https from your browser.