Configure SSL/HTTPS with self signed certificate on Apache Tomcat

Configuring Tomcat to use SSL connections can be a bit tricky the first time around, but if you follow this step by step guide you should have it up and running in no time.

Purpose of SSL certificate

An SSL certificate serves two essential purposes: it carries the server's public key, and it lets clients verify the identity of the server, so users know they are not sending their information to the wrong server. It can only establish that identity when it is signed by a certificate authority the client already trusts.

Certificate Authorities like Verisign.com, Trustcenter.de, Thawte.com etc. exist to vouch to clients that your server is who its certificate says it is. If you run an eCommerce site, you definitely want a certificate issued by a Certificate Authority, so that clients can trust that your server is the server they think it is.

A certificate from a trusted third party can be expensive. What should you do if you only want to make sure that communication between a client browser and your Tomcat server is encrypted? A quick solution is to create a 'self-signed' certificate. If you do this, clients cannot verify that you are who you say you are, but the communication between a client and your server will be encrypted.

Self signed certificate

A self-signed certificate is a certificate signed with its own private key rather than by a trusted authority.

Limitations of self signed certificate

Since any attacker can create a self-signed certificate and mount a man-in-the-middle attack, a user who accepts one cannot know whether their encrypted information is going to your server or to the attacker. Because of this, you will almost never want to use a self-signed certificate on a public Java server that anonymous visitors connect to.

A self-signed certificate is acceptable in scenarios such as:

  • An intranet: when clients reach the server only over a local network you control, you can install the self-signed certificate in every client's trust store, so the browser can still verify the server. Note that being on a LAN by itself does not rule out a man-in-the-middle; distributing the certificate to the clients is what does.
  • A Java development server: there is no need to pay for a trusted certificate while you are only developing or testing an application.
  • Personal sites with few visitors: a small personal site that carries non-critical information gives an attacker little incentive to tamper with the connection, though every visitor will still see a browser warning.

Configure Self signed certificate in Tomcat

To configure a self-signed certificate in Apache Tomcat, follow the steps below.

STEP 1 : Create Keystore and Self-signed Certificate

Open a command prompt and go to %JAVA_HOME%\bin. Use keytool to create a keystore in JKS (Java KeyStore) format containing a self-signed certificate.

When you run the command it asks a series of questions. First it asks you to set a keystore password (the example uses "changeit", which is also the Java default, so choose something else for anything beyond a development box), then for the details shown below. Two things to watch: the answer to "What is your first and last name?" becomes the certificate's CN, and for a server certificate that should be the hostname clients will type (for example localhost), otherwise browsers report a hostname mismatch even after you trust the certificate (newer browsers match against a Subject Alternative Name instead, which you can add with -ext SAN=dns:localhost). Also, keytool defaults to a validity of 90 days; add -validity 365 (or longer) if the certificate must outlive that.

C:\>%JAVA_HOME%\bin\keytool -genkey -alias TutorialsDesk -keyalg RSA -keystore d:/mykeystore/TutorialsDesk.keystore
Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  Prakash Hari Sharma
What is the name of your organizational unit?
  [Unknown]:  RnD
What is the name of your organization?
  [Unknown]:  TutorialsDesk.com
What is the name of your City or Locality?
  [Unknown]:  Noida
What is the name of your State or Province?
  [Unknown]:  UP
What is the two-letter country code for this unit?
  [Unknown]:  IN
Is CN=Prakash Hari Sharma, OU=RnD, O=TutorialsDesk.com, L=Noida, ST=UP, C=IN correct?
  [no]:  yes

Enter key password for <tutorialsdesk>
        (RETURN if same as keystore password):

C:\>

It will create a TutorialsDesk.keystore file on your d:/mykeystore directory.

Run the following command to inspect the generated keystore:

C:\>%JAVA_HOME%\bin\keytool -list -keystore d:/mykeystore/TutorialsDesk.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tutorialsdesk, Sep 25, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5): 49:CA:5D:61:14:40:14:2A:5C:54:25:56:40:C2:35:D7

C:\>

STEP 2 : Configuring Tomcat for using the keystore file

Open your Tomcat installation directory and open the conf folder. Inside this folder, you will find the server.xml file.

Search for Connector port="8443". In a stock server.xml this connector is commented out:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />
-->


Uncomment it and modify it to look like the following (keystoreFile must point at the keystore created in Step 1, so use the path you chose there):

<Connector
           protocol="HTTP/1.1"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="d:/mykeystore/TutorialsDesk.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Note that we have added the keystoreFile and keystorePass attributes and raised maxThreads; the protocol stays HTTP/1.1. The keystore password sits in server.xml in clear text, so restrict read access to that file to the account Tomcat runs as.

STEP 3 : Check SSL / HTTPS setup

Start the Tomcat service and open https://localhost:8443. The browser will warn that the certificate is not trusted (it is self-signed); accept the warning and you will see Tomcat's default home page.
Note: the default HTTP port still works as well: http://localhost:8080. Nothing forces HTTPS yet; Step 4 does that.

STEP 4 : Configuring your app to work with SSL

To force your web application to use SSL, add the following to your web.xml inside the <web-app> element (before its closing tag):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>mysecuredapp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

The url-pattern /* makes every page and resource of the application secure (it can only be accessed over HTTPS). The transport-guarantee CONFIDENTIAL tells the container to require an encrypted connection: Tomcat answers a plain HTTP request with a redirect to the port named in the HTTP connector's redirectPort attribute (8443 in the default server.xml), so if you run the HTTPS connector on a different port, update redirectPort on the 8080 connector to match.

If you want to turn SSL off again, you do not need to delete the block above from web.xml; simply change CONFIDENTIAL to NONE.
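As an added check for Steps 2 and 4 (example code written for this page, not part of the original guide or of Tomcat itself), the script below parses a server.xml and a web.xml with the Python standard library and reports the gaps a reviewer looks for after this configuration: no SSLEnabled connector, the default keystore password, TLS versions left to the JVM default, a redirectPort that does not point at the HTTPS connector, and a security-constraint that no longer requires CONFIDENTIAL transport. The XML fragments are constructed samples modelled on the guide's Step 2 and Step 4 settings; the password and the sslEnabledProtocols value in the hardened variant are assumptions, not values from the page.

```python
"""Added example: audit the Tomcat settings from Steps 2 and 4 for common gaps."""
from __future__ import annotations

import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASSWORD = "changeit"  # Java's well-known default, also used in this guide


def _local(tag: str) -> str:
    """Strip an XML namespace ({uri}tag -> tag); web.xml elements are normally namespaced."""
    return tag.rsplit("}", 1)[-1]


def audit_server_xml(server_xml: str) -> list[str]:
    """Inspect every Connector in a server.xml; returns a list of findings (empty = OK)."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter() if _local(c.tag) == "Connector"]
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    plain = [c for c in connectors if c not in https]
    if not https:
        return ['no Connector has SSLEnabled="true": HTTPS is not configured']
    findings = []
    for c in https:
        port = c.get("port", "?")
        if c.get("scheme") != "https" or c.get("secure", "").lower() != "true":
            findings.append(f'connector {port}: set scheme="https" secure="true" so request.isSecure() is true')
        if not c.get("keystoreFile"):
            findings.append(f"connector {port}: keystoreFile not set")
        # Tomcat falls back to "changeit" when keystorePass is absent, so treat absent and default alike
        if c.get("keystorePass", DEFAULT_KEYSTORE_PASSWORD) == DEFAULT_KEYSTORE_PASSWORD:
            findings.append(f"connector {port}: keystore uses the default password '{DEFAULT_KEYSTORE_PASSWORD}'")
        if not c.get("sslEnabledProtocols"):
            findings.append(f"connector {port}: sslEnabledProtocols not set; enabled TLS versions are left to the JVM default")
    https_ports = {c.get("port") for c in https}
    for c in plain:
        # a CONFIDENTIAL constraint redirects plain requests to redirectPort, so it must be an HTTPS connector
        if c.get("redirectPort") not in https_ports:
            findings.append(f"connector {c.get('port')}: redirectPort={c.get('redirectPort')!r} is not an HTTPS connector; CONFIDENTIAL redirects will fail")
    return findings


def audit_web_xml(web_xml: str) -> list[str]:
    """Check that a security-constraint forces CONFIDENTIAL transport for the whole application."""
    root = ET.fromstring(web_xml)
    findings = []
    confidential_patterns: set[str] = set()
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee" and e.text}
        if "CONFIDENTIAL" in guarantees:
            confidential_patterns |= patterns
        else:
            findings.append(f"constraint for {sorted(patterns)} does not require HTTPS (transport-guarantee: {sorted(guarantees) or 'absent'})")
    if "/*" not in confidential_patterns:
        findings.append("no CONFIDENTIAL constraint covers /*: some resources are still reachable over plain HTTP")
    return findings


# Constructed sample: the connectors as Step 2 of this guide leaves them (plus the stock 8080 connector).
GUIDE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector protocol="HTTP/1.1" port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="d:/mykeystore/TutorialsDesk.keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

# Constructed sample: same connectors with an assumed non-default password and TLS versions pinned.
HARDENED_SERVER_XML = GUIDE_SERVER_XML.replace('keystorePass="changeit"', 'keystorePass="kYs-Qz7-assumed"').replace(
    'sslProtocol="TLS"', 'sslProtocol="TLS" sslEnabledProtocols="TLSv1.2"')

# Constructed sample: HTTPS moved to 8444 while the HTTP connector still redirects to 8443.
MISMATCH_SERVER_XML = HARDENED_SERVER_XML.replace('port="8443"', 'port="8444"')

# Constructed sample: the security-constraint from Step 4 inside a namespaced web.xml.
GUIDE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>mysecuredapp</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: SSL "turned off" the way the guide describes, by changing CONFIDENTIAL to NONE.
RELAXED_WEB_XML = GUIDE_WEB_XML.replace("CONFIDENTIAL", "NONE")


if __name__ == "__main__":
    for name, audit, doc in [("guide server.xml", audit_server_xml, GUIDE_SERVER_XML),
                             ("hardened server.xml", audit_server_xml, HARDENED_SERVER_XML),
                             ("mismatched redirectPort", audit_server_xml, MISMATCH_SERVER_XML),
                             ("guide web.xml", audit_web_xml, GUIDE_WEB_XML),
                             ("relaxed web.xml", audit_web_xml, RELAXED_WEB_XML)]:
        print(f"{name}: {audit(doc) or 'OK'}")
```

Run it against your own files by reading them into the two audit functions; the guide's own Step 2 connector produces two findings (default keystore password, protocol versions not pinned), which is exactly the gap between "works on a dev box" and "safe to leave running".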

NOTE: For a production application, obtain a certificate from a certificate authority (such as GeoTrust, Verisign or Thawte) and import it into the local keystore.
A later post will explain how to import a third-party certificate into the local keystore.

That covers configuring SSL/HTTPS with a self-signed certificate on Apache Tomcat; if you have questions or suggestions, please write to us through the contact form.
