Configure SSL/HTTPS with CA / ROOT certificate on Apache Tomcat

Configuring Tomcat to use SSL connections can be a bit tricky the first time around, but if you follow this step by step guide, you should it up and running in no time.

Purpose of SSL certificate

An SSL certificate serves two essential purposes: distributing the public key and verifying the identity of the server so users know they aren't sending their information to the wrong server. It can only properly verify the identity of the server when it is signed by a trusted third party.

Certificate Authorities like Verisign.com, Trustcenter.de, Thawte.com etc. exist to verify to clients that your server is who your certificate says it is. If you run an eCommerce site, you would definitely want your server to be registered with a Certificate Authority so that clients know they can trust that your server to be the server they think it is.

What is a certificate authority (CA)?

A Certificate Authority is a trusted third party whose role is to validate information about a web server, including the server’s domain name, its public key, and optionally the name of the company that runs it. Once this and other information is validated, the CA creates a TLS or SSL certificate with the information and digitally signs it using the CA’s private key. The public keys of many CAs (known as “root certificates”) are embedded in user agent software like browsers, enabling the browser to trust any TLS or SSL certificate that cryptographically chains up to one of those trusted roots.

After web server certificates are issued, CAs provide up-to-date status of those certificates so that if one needs to be revoked for whatever reason, browsers can be alerted to the change. Certificate status information is provided either via Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP).

CAs are an integral part of the trust model used by browsers and web servers, performing validation of web server details on behalf of end users. This model has permitted secure, authenticated Internet communication between billions of users and millions of web sites.

Setting up SSL for Tomcat can be pided into two main tasks: creating a functional keystore, and configuring the Tomcat connectors and applications. Let's tackle them one at a time.

STEP 1 : Create Keystore

Open command prompt and go to %JAVA_HOME%\bin. Use keytool to create JKS (Java KeyStore) format keystore and a self-signed certificate.

When you type the command, it will ask you some questions. First, it will ask you to create a password (My password is “changeit“) and then some information like given below :

C:\>JAVA_HOME\bin\keytool -genkey -alias TutorialsDesk -keyalg RSA -keystore d:/mykeystore/TutorialsDesk.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Prakash Hari Sharma
What is the name of your organizational unit?
  [Unknown]:  RnD
What is the name of your organization?
  [Unknown]:  TutorialsDesk.com
What is the name of your City or Locality?
  [Unknown]:  Noida
What is the name of your State or Province?
  [Unknown]:  UP
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Prakash Hari Sharma, OU=RnD, O=TutorialsDesk.com, L=Noida, ST=UP, C=IN cor
rect?
  [no]:  yes

Enter key password for <tutorialsdesk>
        (RETURN if same as keystore password):

C:\>

It will create a TutorialsDesk.keystore file on your d:/mykeystore directory.

Follow below command to check generated keystore:

C:\>JAVA_HOME\bin\keytool -list -keystore d:/mykeystore/TutorialsDesk.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tutorialsdesk, Sep 25, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 49:CA:5D:61:14:40:14:2A:5C:54:25:56:40:C2:35:D7

C:\>

STEP 2 : Creating the Certificate Signing Request (CSR)

Now that you've created your keystore, it's time to create a file called the Certificate Signing Request, or CSR, which will be used by the Certificate Authority of your choice to generate the Certificate SSL will present to other parties during the handshake.

You can use the keytool to create this file, as well. To do so, enter the following at the command line:

C:\>JAVA_HOME\bin\keytool -certreq -alias test1 -keyalg RSA -keystore d:/mykeystore/TutorialsDesk.keystore -file d:/mykeystore/TutorialsDesk.csr

keytool will create a file called TutorialsDesk.csr, which you can submit to the CA you've chosen via the process they provide on their website. Using this file, they will generate a custom certificate for your server, which you can download according to the instructions they provide on their website.

STEP 3 : Installing Certificates to keystore

SSL verifies the authenticity of a site's certificate by using something called a "chain of trust," which basically means that during the handshake, SSL initiates an additional handshake with the Certificate Authority specified in your site's certificate, to verify that you haven't simply made up your own CA.

In order to "anchor" your certificate's chain of trust, you have to download an additional certificate, called a "Root Certificate," from your CA, and then import both this certificate and your site's new certificate into your keystore. Your CA should provide information about obtaining a Root Certificate on their website.

Once you've downloaded both your own Certificate and the Root certificate provided by your CA, import them into your keystore with the following commands

import the Root Certificate

C:\>JAVA_HOME\bin\keytool -import -alias root -keystore d:/mykeystore/TutorialsDesk.keystore -trustcacerts -file d:/mykeystore/ROOT.cer

import your new Certificate

C:\>JAVA_HOME\bin\keytool -import -alias test -keystore d:/mykeystore/TutorialsDesk.keystore -file d:/mykeystore/client.cer

STEP 4 : Configuring Tomcat for using the keystore file

Open your Tomcat installation directory and open the conf folder. Inside this folder, you will find the server.xml file.

Search for "Define a SSL HTTP/1.1 Connector on port 8443". Connector configuration will be commented there. Uncomment it.

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
-->


Uncomment it and modify it to look like the following:

<Connector
           protocol="HTTP/1.1"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/TutorialsDesk.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Note we have added the keystoreFile, keystorePass and changed the protocol declarations.

STEP 5 : Check SSL / HTTPS setup

Start tomcat service and try to access https://localhost:8443. You will see Tomcat’s local home page.
Note : if you try to access the default 8080 port it will be working too: http://localhost:8080

STEP 6 : Configuring your app to work with SSL

To force your web application to work with SSL, you simply need to add the following code to your web.xml file (before web-app tag ends):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>mysecuredapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The url pattern is set to /* so any page/resource from your application is secure (it can be only accessed with https). The transport-guarantee tag is set to CONFIDENTIAL to make sure your app will work on SSL.

If you want to turn off the SSL, you don’t need to delete the code above from web.xml, simply change CONFIDENTIAL to NONE.


Hope we are able to explain you Configure SSL/HTTPS with CA / ROOT certificate on Apache Tomcat , if you have any questions or suggestions please write to us using contact us form.(Second Menu from top left).

Please share us on social media if you like the tutorial.
Configure SSL/HTTPS with CA / ROOT certificate on Apache Tomcat