Tomcat SSL certificate installation
From Oxxus Wiki
An important thing to note is that configuring Tomcat to use secure sockets is usually only necessary when running it as a stand-alone web server.
When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, that server negotiates all SSL-related functionality and passes requests destined for the Tomcat container on only after decrypting them.
Likewise, Tomcat returns cleartext responses, which the primary web server encrypts before returning them to the user's browser.
In this environment, Tomcat knows that communications between the primary web server and the client take place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.
SSL with Apache as frontend
For installation of an SSL certificate on the Apache web server, please refer to the Apache SSL installation documentation page.
SSL with Tomcat keystore
Creating a self-signed certificate
The following steps are needed in order to create a self-signed certificate.
To start, create a keystore file: execute the command below and enter the desired password along with the information required for the certificate.
keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/my/keystore
Then uncomment and adjust the "SSL HTTP/1.1 Connector" line in the server.xml file as needed. Ensure that the password matches the one you set for your keystore and that the keystore path is correct.
Now you can restart Tomcat to verify that the configuration worked.
Installing SSL certificate from CA
To obtain a certificate from a CA, a certificate request file (CSR) needs to be created. Before proceeding further, all of the steps above need to be completed first.
To create the request, use the following command:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore <your_keystore_filename>
Now you have your certificate request (certreq.csr), which you can submit to your CA of choice to receive an SSL certificate.
When you receive the certificate file from your CA, you first need to import the CA's chain certificate.
A download link for the chain certificate is usually available on your CA's website.
keytool -import -alias root -keystore <your_keystore_filename> -trustcacerts -file <filename_of_the_chain_certificate>
Finally, import your own certificate.
keytool -import -alias tomcat -keystore <your_keystore_filename> -trustcacerts -file <your_certificate_filename>
Restart Tomcat and verify that the configuration works.
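The two procedures above (self-signed keystore, then CSR and CA import) and the path/password checks from the "Problems" section, written out as an added shell example; this is not code from the Oxxus wiki or from the Tomcat project. It assumes the keystore aliases "tomcat" and "root" used on this page, a keystore path and password passed in as arguments, and an example hostname "tomcat.example.test" (all constructed). The keytool prompts the page describes are replaced by the non-interactive -dname, -storepass and -keypass options, and a Subject Alternative Name is added because current browsers match the hostname against the SAN rather than the CN.

```bash
#!/bin/sh
# Added example, not from the wiki page. Assumes: aliases "tomcat"/"root"
# (as on the page), keystore path and password given as arguments, and the
# constructed example host "tomcat.example.test".

# Self-signed step: create the keystore with Tomcat's private key and a
# self-signed certificate. -ext SAN is required for modern browsers, which
# ignore the CN when checking the hostname.
create_keystore() {
    keystore="$1" storepass="$2" host="$3"
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -keystore "$keystore" -storepass "$storepass" -keypass "$storepass" \
        -dname "CN=$host, O=Example, C=US" \
        -ext "SAN=DNS:$host"
}

# CA step 1: certificate signing request to submit to the CA.
create_csr() {
    keystore="$1" storepass="$2" out="$3"
    keytool -certreq -keyalg RSA -alias tomcat -file "$out" \
        -keystore "$keystore" -storepass "$storepass"
}

# CA step 2: import the chain certificate first (alias root), then the issued
# certificate under the same alias as the private key (tomcat), in that order.
import_ca_certs() {
    keystore="$1" storepass="$2" chain="$3" cert="$4"
    keytool -import -noprompt -alias root -trustcacerts -file "$chain" \
        -keystore "$keystore" -storepass "$storepass"
    keytool -import -alias tomcat -trustcacerts -file "$cert" \
        -keystore "$keystore" -storepass "$storepass"
}

# The "SSL HTTP/1.1 Connector" element to uncomment and adjust in server.xml.
# keystoreFile and keystorePass must match the keystore created above.
render_connector() {
    keystore="$1" storepass="$2" port="${3:-8443}"
    cat <<EOF
<Connector port="$port" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="$keystore" keystorePass="$storepass" />
EOF
}

# Preflight check for the "Problems" section: the keystore path must exist,
# the password must open it, and a "tomcat" entry must be present.
# Returns a distinct nonzero code for each failing condition.
check_keystore() {
    keystore="$1" storepass="$2"
    if [ ! -f "$keystore" ]; then
        echo "keystore not found: $keystore" >&2
        return 1
    fi
    if ! keytool -list -keystore "$keystore" -storepass "$storepass" >/dev/null 2>&1; then
        echo "cannot open $keystore: wrong password or not a keystore" >&2
        return 2
    fi
    if ! keytool -list -keystore "$keystore" -storepass "$storepass" -alias tomcat >/dev/null 2>&1; then
        echo "no entry with alias 'tomcat' in $keystore" >&2
        return 3
    fi
    return 0
}
```

Typical use is to source the file, run create_keystore "$CATALINA_HOME/conf/keystore" "$PASS" tomcat.example.test, paste the output of render_connector into server.xml, and run check_keystore with the same path and password before restarting Tomcat; for a CA-issued certificate, create_csr and import_ca_certs follow in between. Keeping the keystore password in server.xml means the file must be readable only by the Tomcat user.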
Problems
Make sure that all the paths are correct and that you are using the proper password for the keystore file.
Our default Tomcat installation package comes with the Java Secure Socket Extension (JSSE) package. There should be no need to install it, but if you get an error similar to the one listed below, please contact our support and we will install the missing libraries for you.
java.security.NoSuchAlgorithmException
Notes
Oxxus provides its customers with a wide variety of SSL certificates at the best prices. These include standard SSL certificates as well as extended and wildcard certificates from major SSL issuers. If you are interested in obtaining an SSL certificate, let us help you; we will also happily install the certificate on your VPS.