Tomcat SSL Installation Instructions

Installing the Certificates to the Keystore

  1. Download your certificate files from your certificate authority and save them to the same directory as the keystore that you created during the CSR creation process. The certificate will only work with the same keystore that you initially created the CSR with. The certificates must be installed to your keystore in the correct order.
  2. Install the Root Certificate file: Every time you install a certificate to the keystore you must enter the keystore password that you chose when you generated it. Enter the following command to install the Root certificate file:

    keytool -import -trustcacerts -alias root -file RootCertFileName.crt -keystore keystore.key

  3. If you receive a message that says "Certificate already exists in system-wide CA keystore under alias <...> Do you still want to add it to your own keystore? [no]:", select Yes. If successful, you will see "Certificate was added to keystore".

  4. Install the Intermediate Certificate file: If your certificate authority provided an intermediate certificate file, you will need to install it here by typing the following command:

    keytool -import -trustcacerts -alias intermediate -file IntermediateCertFileName.crt -keystore keystore.key

    If successful, you will see "Certificate was added to keystore".

  5. Install the Primary Certificate file: Type the following command to install the Primary certificate file (for your domain name):

    keytool -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore keystore.key

    If successful, you will see "Certificate reply was installed in keystore". You now have all the certificates installed to the keystore file. You just need to configure your server to use the keystore file.

Configuring your SSL Connector

    Tomcat requires an SSL Connector to be configured before it can accept secure connections.

    By default Tomcat looks for your Keystore with the file name .keystore in the home directory with the default password "changeit". The home directory is generally /home/user_name/ on Unix and Linux systems, and C:\Documents and Settings\user_name\ on Microsoft Windows systems. You will be able to change the password and file location.

    1. Copy your keystore file (your_domain.key) to the home directory.
    2. Open the file ${CATALINA_HOME}/conf/server.xml in a text editor.
    3. Uncomment the SSL Connector Configuration.
    4. Make sure that the Connector Port is 443.
    5. Make sure the keystorePass matches the password for the keystore and the keystoreFile contains the path and filename of the keystore.
    When you are done your connector should look something like this:

     <Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/working/mykeystore" keystorePass="password"/>
    6. Save the changes to server.xml
    7. Restart Tomcat

Useful Tomcat SSL Links

Tomcat SSL Installation Instructions Comments