Configuring SSL for Tomcat
This guide provides step-by-step instructions for configuring SSL in Tomcat using a Java keystore.
Prerequisites
- Ensure keytool is available in your system’s PATH.
- If not, use the fully qualified path, e.g., C:\Program Files\Zulu\zulu-17\bin\keytool.exe.
Step 1: Create a Keystore
Run the following command to create a Java keystore:
keytool -genkeypair -alias <alias> -keyalg RSA -keysize 2048 -ext san="dns:<fqdn>,dns:<servername>,ip:<ip address>" -storetype PKCS12 -keystore <keystore-name>.p12 -validity 3650 -storepass <password>
You will be prompted to enter the following details:
- First and last name (keytool stores this as the certificate's Common Name, so use the server's FQDN here)
- Organizational unit
- Organization
- City or Locality
- State or Province
- Two-letter country code
Fill these out according to your company’s recommendation.
Step 2: Generate a Certificate Signing Request (CSR)
Run the following to generate the CSR:
keytool -certreq -alias <alias> -ext san="dns:<fqdn>,dns:<servername>,ip:<ip address>" -keyalg RSA -file <csr-name>.csr -keystore <keystore-name>.p12 -storetype PKCS12 -storepass <password>
Submit the generated .csr file to your certificate authority for signing.
Step 3: Import the Certificate Chain
When you receive the signed certificate (in one of several possible formats), follow the appropriate steps below.
Note: the alias you reference when importing the certificate chain must match the alias used when the key pair was created in Step 1; otherwise the signed certificate is not associated with the private key.
Note: before importing, back up the keystore in case it becomes corrupted during this process.
If You Receive a .p7b, .pfx, or .pem File Containing the Full Certificate Chain
Import the file in one step; this avoids importing each certificate in the chain individually.
keytool -import -trustcacerts -alias <alias> -file "<certificate>.<filetype>" -keystore "<keystore-name>.p12" -storepass <password>
If You Receive a .cer File Containing the Full Certificate Chain
You may need to split the chain into its individual certificates and import them in order: the root certificate first, then the intermediate certificate, then the server .cer file.
- Import the root certificate:
  keytool -import -trustcacerts -alias root -file "<root-certificate>.cer" -keystore "<keystore-name>.p12" -storepass <password>
- Import the intermediate certificate:
  keytool -import -trustcacerts -alias intermediate -file "<intermediate-certificate>.cer" -keystore "<keystore-name>.p12" -storepass <password>
- Import the server certificate:
  keytool -import -trustcacerts -alias <alias> -file "<server-certificate>.cer" -keystore "<keystore-name>.p12" -storepass <password>
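Steps 1 to 3 above, scripted as an added example (not the guide's own commands): it assumes the placeholder variables KEYTOOL, KEYSTORE, ALIAS and STOREPASS, enforces the alias-match and backup notes from Step 3, and uses keytool's -storepass:env form so the password is read from the environment rather than appearing on the command line.

```shell
#!/usr/bin/env bash
# Added example, not from the guide: the three keytool steps as shell functions,
# plus the guide's two pre-import safeguards (alias must exist; back up first).
set -eu
KEYTOOL="${KEYTOOL:-keytool}"             # or the fully qualified path, as in the guide
KEYSTORE="${KEYSTORE:-tomcat.p12}"        # placeholder keystore name
ALIAS="${ALIAS:-tomcat}"                  # placeholder key pair alias
export STOREPASS="${STOREPASS:-changeit}" # keytool reads it via -storepass:env, not argv

# Build the SAN extension argument from the FQDN, short server name and IP.
san_ext() { printf 'san=dns:%s,dns:%s,ip:%s' "$1" "$2" "$3"; }
# Copy the keystore aside (timestamped) and print the backup path.
backup_keystore() {
  bak="$1.$(date +%Y%m%d%H%M%S).bak"
  cp -p "$1" "$bak" && printf '%s\n' "$bak"
}

# Step 1: generate the key pair (with a self-signed placeholder certificate).
create_keystore() {  # args: fqdn servername ip
  "$KEYTOOL" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -ext "$(san_ext "$1" "$2" "$3")" -storetype PKCS12 -keystore "$KEYSTORE" \
    -validity 3650 -storepass:env STOREPASS
}

# Step 2: generate the CSR carrying the same SAN list.
create_csr() {       # args: fqdn servername ip csr-file
  "$KEYTOOL" -certreq -alias "$ALIAS" -ext "$(san_ext "$1" "$2" "$3")" \
    -file "$4" -keystore "$KEYSTORE" -storetype PKCS12 -storepass:env STOREPASS
}

# True when the alias already exists in the keystore.
alias_exists() {
  "$KEYTOOL" -list -alias "$1" -keystore "$KEYSTORE" -storetype PKCS12 \
    -storepass:env STOREPASS >/dev/null 2>&1
}

# Step 3a: import a root or intermediate certificate under its own alias.
import_trusted() {   # args: alias cert-file
  backup_keystore "$KEYSTORE" >/dev/null
  "$KEYTOOL" -import -trustcacerts -alias "$1" -file "$2" \
    -keystore "$KEYSTORE" -storetype PKCS12 -storepass:env STOREPASS
}

# Step 3b: import the signed server certificate (or full-chain file) against the
# key pair's alias; refuses if that alias is missing, since keytool would then
# only add a trusted-certificate entry that is not tied to the private key.
import_reply() {     # args: cert-file
  alias_exists "$ALIAS" || { echo "alias '$ALIAS' not found in $KEYSTORE" >&2; return 1; }
  import_trusted "$ALIAS" "$1"
}
```

Typical use: create_keystore, create_csr, then (for the .cer case) import_trusted root and intermediate followed by import_reply for the server certificate, or import_reply alone for a single full-chain file.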