Configuring SSL for Tomcat

This guide provides step-by-step instructions for configuring SSL/TLS in Tomcat using a Java keystore in PKCS12 format, which holds the server's private key together with its CA-signed certificate chain.

Prerequisites

  • Ensure keytool is available in your system’s PATH.

    • If not, use the fully qualified path, e.g., C:\Program Files\Zulu\zulu-17\bin\keytool.exe.

Step 1: Create a Keystore

Run the following command to create a PKCS12 keystore containing a new 2048-bit RSA key pair. Use the same <alias> and the same SAN values in every later step. Note that a password given as -storepass <password> ends up in your shell history; keytool also accepts -storepass:env <variable> and -storepass:file <file> if that is a concern.

keytool -genkeypair -alias <alias> -keyalg RSA -keysize 2048 -ext san="dns:<fqdn>,dns:<servername>,ip:<ip address>" -storetype PKCS12 -keystore <keystore-name>.p12 -validity 3650 -storepass <password>

You will be prompted to enter the following details:

  • First and last name: enter the server's fully qualified domain name here, since this value becomes the certificate's Common Name (CN)

  • Organizational unit

  • Organization

  • City or Locality

  • State or Province

  • Two-letter country code

Fill these out according to your organization's conventions. The CN and the SAN entries must be the names clients will actually use to reach the server; modern clients validate the SAN, so the FQDN must appear there.

Step 2: Generate a Certificate Signing Request (CSR)

Run the following to generate the CSR. The request is signed with the key created in Step 1, so no key algorithm is given here; repeat the SAN extension so that the request carries it, because the CA sees only the CSR, not your keystore:

keytool -certreq -alias <alias> -ext san="dns:<fqdn>,dns:<servername>,ip:<ip address>" -file <csr-name>.csr -keystore <keystore-name>.p12 -storetype PKCS12 -storepass <password>

Submit the generated .csr file to your certificate authority for signing.

Step 3: Import the Certificate Chain

When you receive the signed certificate (in one of several possible formats), follow the appropriate steps below.

The signed server certificate must be imported under the same <alias> as the private key created in Step 1. keytool then treats it as a certificate reply and attaches it, together with the chain, to that key. Imported under any other alias it is stored as a separate trusted certificate and the key entry keeps its original self-signed certificate.

Before importing, back up the keystore in case it becomes corrupted during this process.

If You Receive a .p7b or .pem File Containing the Full Certificate Chain

Import the file in a single step under the key's alias; keytool reads the whole PKCS#7 or PEM bundle, so the chain certificates do not have to be imported individually. A .pfx or .p12 file is itself a PKCS12 keystore containing a private key, not a certificate reply, and cannot be imported with this command.

keytool -import -trustcacerts -alias <alias> -file "<certificate>.<filetype>" -keystore "<keystore-name>.p12" -storepass <password>

If You Receive the Chain as .cer Files

A .cer file normally holds a single certificate. If the CA sends the root, intermediate and server certificates separately (or as one file you must split into its individual certificates first), import them in order, root first, so that keytool can build the chain when the server certificate is imported.

  1. Import the root certificate:

    • keytool -import -trustcacerts -alias root -file "<root-certificate>.cer" -keystore "<keystore-name>.p12" -storepass <password>

  2. Import the intermediate certificate:

    • keytool -import -trustcacerts -alias intermediate -file "<intermediate-certificate>.cer" -keystore "<keystore-name>.p12" -storepass <password>

  3. Import the server certificate:

    • keytool -import -trustcacerts -alias <alias> -file "<server-certificate>.cer" -keystore "<keystore-name>.p12" -storepass <password>
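The three steps above as one runnable rehearsal, added here and not part of the original guide: a throwaway CA built with keytool -gencert plays the role of the certificate authority, and the hostname, aliases, distinguished names and password are assumed demo values. It ends with the check a practitioner should run after any import: keytool -list -v must report Entry type: PrivateKeyEntry and a certificate chain length equal to the number of certificates in the chain (here 2, server plus root); otherwise the reply was not attached to the private key.

```shell
#!/usr/bin/env bash
# Added example (not part of the original guide): rehearses the full
# keystore -> CSR -> chain import flow offline. A throwaway CA built with
# keytool -gencert stands in for the real certificate authority. All names,
# the hostname and the password below are assumptions for the demo.
set -euo pipefail
export LC_ALL=C                  # keep keytool's output in English for the checks below

KT="${KEYTOOL:-keytool}"         # set KEYTOOL=/full/path/to/keytool if it is not on PATH
WORK="$(mktemp -d)"
STOREPASS="demo-only-password"   # demo value; prefer -storepass:env or -storepass:file in practice
FQDN="tomcat.example.test"       # assumed hostname
ALIAS="tomcat"
SAN="san=dns:$FQDN,ip:127.0.0.1"
SERVER_KS="$WORK/tomcat.p12"
CA_KS="$WORK/demo-ca.p12"

run_demo() {
  # Step 1: server key pair. The CN is the FQDN and matches the SAN.
  "$KT" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=$FQDN, OU=Web, O=Example Corp, L=Springfield, ST=IL, C=US" \
    -ext "$SAN" -storetype PKCS12 -keystore "$SERVER_KS" \
    -validity 3650 -storepass "$STOREPASS"

  # Step 2: CSR for that key (no -keyalg: the algorithm is fixed by the key pair).
  "$KT" -certreq -alias "$ALIAS" -ext "$SAN" -file "$WORK/tomcat.csr" \
    -keystore "$SERVER_KS" -storetype PKCS12 -storepass "$STOREPASS"

  # Stand-in CA: a self-signed root that signs the CSR. A real CA does this part.
  "$KT" -genkeypair -alias demo-root -keyalg RSA -keysize 2048 \
    -dname "CN=Demo Root CA, O=Example Corp, C=US" \
    -ext bc:c -ext ku:c=keyCertSign,cRLSign \
    -storetype PKCS12 -keystore "$CA_KS" -validity 3650 -storepass "$STOREPASS"
  "$KT" -exportcert -rfc -alias demo-root -keystore "$CA_KS" \
    -storepass "$STOREPASS" -file "$WORK/root.pem"
  "$KT" -gencert -alias demo-root -keystore "$CA_KS" -storepass "$STOREPASS" \
    -infile "$WORK/tomcat.csr" -outfile "$WORK/tomcat.pem" -rfc -validity 825 \
    -ext "$SAN" -ext ku:c=digitalSignature,keyEncipherment -ext eku=serverAuth

  # Step 3: back up, import the root as a trusted certificate, then import the
  # reply under the key's alias so keytool attaches it to the private key.
  cp "$SERVER_KS" "$SERVER_KS.bak"
  "$KT" -importcert -noprompt -trustcacerts -alias root -file "$WORK/root.pem" \
    -keystore "$SERVER_KS" -storepass "$STOREPASS"
  "$KT" -importcert -trustcacerts -alias "$ALIAS" -file "$WORK/tomcat.pem" \
    -keystore "$SERVER_KS" -storepass "$STOREPASS"
}

# Post-import checks: the key entry must still be a PrivateKeyEntry and must now
# carry the whole chain (server certificate + root = 2).
chain_length() {
  "$KT" -list -v -alias "$ALIAS" -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    | sed -n 's/^Certificate chain length: //p'
}
entry_type() {
  "$KT" -list -v -alias "$ALIAS" -keystore "$SERVER_KS" -storepass "$STOREPASS" \
    | sed -n 's/^Entry type: //p'
}

if command -v "$KT" >/dev/null 2>&1; then
  run_demo
  echo "chain length: $(chain_length), entry type: $(entry_type)"
else
  echo "keytool not found; set KEYTOOL=/full/path/to/keytool and rerun" >&2
fi
```

Run it with bash, setting KEYTOOL to the full path (for example the Zulu path from the prerequisites) when keytool is not on PATH. If keytool answers "Failed to establish chain from reply" when the server certificate is imported, the intermediate or root was not yet present in the keystore or in cacerts: restore the backup and import the CA certificates first.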