Tomcat supports SSL certificates in both PFX (PKCS#12) and JKS keystore formats. Choose whichever format suits your Tomcat version. This article walks through the installation steps for each of the two formats.
Download Your SSL Certificate
Method 1: Download your certificate from your NicSRS account. The .zip archive contains the certificate in several formats; pick the JKS or PFX file directly and use it when editing the Tomcat configuration file.
Method 2: Download the ZIP file containing your certificate from the administrative email. In this case you must combine the certificates into a single file and convert that file to the format your Tomcat server needs.
Combine the files manually in a text editor by copying and pasting the certificates into one file. The order of the certificates in that file matters:
- Your primary certificate for your domain name
- Intermediate certificates
Then use the Convert Your SSL tool to produce the format you need (JKS or PFX).
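The following Python script is an added example for this article (it is not the NicSRS Convert Your SSL tool and not code from the page). It assembles the combined PEM file in exactly the order stated above, domain certificate first and intermediates after, and refuses the common mistakes: a primary file that holds more than one certificate, an intermediate file with no certificate, or a certificate that appears twice. The certificate contents are constructed placeholders, and the openssl and keytool commands in the docstring are the standard equivalents of the conversion step.

```python
"""Assemble the combined PEM bundle in the order the article requires:
domain certificate first, then the intermediates.

Added example for this article, not the NicSRS tool. Standard library only.
Once the bundle exists, the usual conversions are:
  openssl pkcs12 -export -in bundle.pem -inkey your_domain.key -out your_domain.pfx
  keytool -importkeystore -srckeystore your_domain.pfx -srcstoretype PKCS12 \
          -destkeystore your_domain.jks -deststoretype JKS
"""
import re
from typing import List

# One PEM certificate block, armour included (the base64 body is not decoded here).
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*.+?\s*-----END CERTIFICATE-----", re.DOTALL
)

# Constructed placeholder certificates: the base64 is dummy text, not real DER.
PRIMARY_PEM = "-----BEGIN CERTIFICATE-----\nUFJJTUFSWQ==\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = (
    "Bag Attributes: text outside the armour is ignored\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFMQ==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFMg==\n-----END CERTIFICATE-----\n"
)


def pem_blocks(text: str) -> List[str]:
    """Return every certificate block in `text`, with Windows line endings normalised."""
    return [b.replace("\r\n", "\n") for b in PEM_BLOCK.findall(text)]


def build_bundle(primary_pem: str, intermediate_pems: List[str]) -> str:
    """Concatenate the domain certificate and then each intermediate, in order.

    Raises ValueError if the primary file does not hold exactly one certificate,
    if an intermediate file holds none, or if a certificate is repeated (for
    example a CA bundle that already contains the domain certificate).
    """
    primary = pem_blocks(primary_pem)
    if len(primary) != 1:
        raise ValueError(f"primary file must hold exactly one certificate, found {len(primary)}")
    ordered = [primary[0]]
    for pem in intermediate_pems:
        blocks = pem_blocks(pem)
        if not blocks:
            raise ValueError("intermediate file holds no PEM certificate block")
        for block in blocks:
            if block in ordered:
                raise ValueError("certificate repeated in chain")
            ordered.append(block)
    return "\n".join(ordered) + "\n"


def bundle_order(bundle: str) -> List[str]:
    """Base64 bodies of the bundle's certificates in file order, for checking the order."""
    return [re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s", "", b) for b in pem_blocks(bundle)]


if __name__ == "__main__":
    print(build_bundle(PRIMARY_PEM, [INTERMEDIATE_PEM]))
```

Pass the path contents of your domain certificate as the first argument and each intermediate file (a CA bundle may hold several) in the list; write the returned string to bundle.pem and run the conversion command for the format you need.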
Install an SSL Certificate in Tomcat
- JKS format
Create a new cert directory under the Tomcat installation directory, and copy the .jks file, the key file and the password file into it.
After the import, edit the Tomcat configuration file. It is normally called server.xml and is found in the Home_Directory/conf folder. You should see a few lines similar to the example below:
<Connector port="443" protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" keystoreFile="/your_path/your_domain_name.jks"
           keystorePass="password_for_your_key_store" />
Change the two values that are specific to you: set keystoreFile to the full path of your keystore file, and keystorePass to your keystore password.
Note: If this is your first Tomcat configuration, the keystoreFile and keystorePass lines may be missing and you will have to add them by hand. You will also need to uncomment the connector by removing the comment markers (<!-- and -->).
Finally, save your .xml file and restart your Tomcat server.
- PFX format
As with the JKS format, create a new cert directory under the Tomcat installation directory, and copy the certificate file and the password file into it.
Then modify the Tomcat configuration file. By default it is called server.xml and resides in the Home_Directory/conf folder. You should see a few lines similar to the example below:
<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="domain name.pfx"
           keystoreType="PKCS12"
           keystorePass="your certificate password"
           clientAuth="false"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
Change the values that are specific to you: set keystoreFile to the path of your .pfx file and keystorePass to its password; keystoreType stays PKCS12 for a PFX file.
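Before restarting Tomcat it is worth checking the connector you just edited. The script below is an added example for this article (not Tomcat's own tooling) that parses server.xml, finds every connector with SSLEnabled="true", and reports the problems that most often stop the connector from starting or leave it weaker than intended: a missing keystoreFile or keystorePass, a .pfx file without keystoreType="PKCS12", a connector still wrapped in a comment, legacy protocols such as TLSv1 and TLSv1.1, and TLS_RSA_* cipher suites (static RSA key exchange, so no forward secrecy). It also flags the SSLProtocol attribute, because "TLSv1+TLSv1.1+TLSv1.2" is the APR/native syntax: Tomcat 8.5 and later accept the old name on any connector, while on older releases the JSSE connector that reads keystoreFile uses sslProtocol and sslEnabledProtocols instead. The sample server.xml is constructed and the /opt/tomcat/cert path is an assumption.

```python
"""Audit the SSL <Connector> in server.xml before restarting Tomcat.

Added example for this article, not Tomcat's own tooling. It reads the
attributes the article tells you to edit and reports the problems that most
often stop the connector from starting or leave it weaker than intended.
"""
import os
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample server.xml, shaped like the article's PFX connector; the path is assumed.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               keystoreFile="/opt/tomcat/cert/your_domain.pfx"
               keystoreType="PKCS12"
               keystorePass="your certificate password"
               SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"/>
  </Service>
</Server>
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def ssl_connectors(server_xml: str) -> List[Dict[str, str]]:
    """Attribute maps of every <Connector> with SSLEnabled="true" (commented-out ones are skipped)."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def audit_connector(attrs: Dict[str, str], check_files: bool = True) -> List[str]:
    """Findings for one SSL connector; an empty list means nothing was flagged."""
    findings: List[str] = []
    keystore = attrs.get("keystoreFile", "")
    if not keystore:
        findings.append("keystoreFile is missing")
    elif check_files and not os.path.isfile(keystore):
        findings.append(f"keystoreFile not found: {keystore}")
    if not attrs.get("keystorePass"):
        findings.append("keystorePass is missing")
    # A .pfx/.p12 file must be declared PKCS12; Tomcat's default keystoreType is JKS.
    if keystore.lower().endswith((".pfx", ".p12")) and attrs.get("keystoreType", "JKS").upper() != "PKCS12":
        findings.append('PFX keystore needs keystoreType="PKCS12"')
    # "SSLProtocol" with "+" separators is the APR/native attribute. The JSSE (NIO)
    # connector that reads keystoreFile uses sslEnabledProtocols="TLSv1.2,TLSv1.3";
    # Tomcat 8.5+ maps the old name onto the new setting, older releases do not.
    if "SSLProtocol" in attrs:
        findings.append("SSLProtocol is APR syntax; confirm your Tomcat version honours it on a JSSE connector")
    protocols = attrs.get("SSLProtocol", "") + "," + attrs.get("sslEnabledProtocols", "")
    enabled = {p.strip() for p in protocols.replace("+", ",").split(",") if p.strip()}
    legacy = sorted(enabled & LEGACY_PROTOCOLS)
    if legacy:
        findings.append("legacy protocols enabled: " + ", ".join(legacy))
    # TLS_RSA_* suites use static RSA key exchange and therefore have no forward secrecy.
    no_pfs = [c.strip() for c in attrs.get("ciphers", "").split(",") if c.strip().startswith("TLS_RSA_")]
    if no_pfs:
        findings.append(f"{len(no_pfs)} cipher suite(s) without forward secrecy: " + ", ".join(no_pfs))
    return findings


def audit_server_xml(server_xml: str, check_files: bool = True) -> Dict[str, List[str]]:
    """Findings per SSL connector, keyed by port; a single 'none' key if no SSL connector is active."""
    connectors = ssl_connectors(server_xml)
    if not connectors:
        return {"none": ['no <Connector SSLEnabled="true"> found; is it still inside <!-- -->?']}
    return {c.get("port", "?"): audit_connector(c, check_files) for c in connectors}


if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE_SERVER_XML).items():
        print(f"connector {port}:", findings or ["no findings"])
```

Run it against your real file with `audit_server_xml(open("conf/server.xml").read())`; `check_files=True` (the default) also confirms that the keystore path exists on the host that will run Tomcat.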
To force plain HTTP requests to redirect to HTTPS, edit the web.xml file and add the following block after </welcome-file-list>:
<login-config>
    <!-- Authorization setting for SSL -->
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
    <!-- Authorization setting for SSL -->
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
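Two details decide whether that block actually redirects. The redirect comes from the CONFIDENTIAL transport-guarantee, not from the <login-config>: with no <auth-constraint> in the security-constraint, the CLIENT-CERT login-config never prompts anyone. And Tomcat sends the redirect to the redirectPort of the connector the plain-HTTP request arrived on (443 when the attribute is absent), so if that port is not the SSL connector's port the browser lands on a closed port. The script below is an added example for this article, not Tomcat code; it checks both conditions over a constructed web.xml and server.xml pair.

```python
"""Check that web.xml really forces HTTPS and that server.xml can honour it.

Added example for this article, not Tomcat code. The redirect the article
describes comes from <transport-guarantee>CONFIDENTIAL</transport-guarantee>:
Tomcat answers a plain-HTTP request with a redirect to the redirectPort of the
connector it arrived on (443 if the attribute is absent), so that port has to
be the SSL connector's port.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Constructed sample web.xml: the article's <security-constraint> inside a namespaced web-app.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSL</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample server.xml: HTTP on 80 redirecting to the SSL connector on 443 (path assumed).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="80" protocol="HTTP/1.1" redirectPort="443"/>
  <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/opt/tomcat/cert/your_domain.pfx" keystoreType="PKCS12"
             keystorePass="your certificate password"/>
</Service></Server>
"""


def _local(tag: str) -> str:
    """'{namespace}name' -> 'name', so web.xml files with any schema namespace parse alike."""
    return tag.rsplit("}", 1)[-1]


def confidential_patterns(web_xml: str) -> List[str]:
    """URL patterns protected by a security-constraint whose transport-guarantee is CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    patterns: List[str] = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        guarantees = [g.text.strip() for g in constraint.iter()
                      if _local(g.tag) == "transport-guarantee" and g.text]
        if "CONFIDENTIAL" in guarantees:
            patterns += [p.text.strip() for p in constraint.iter()
                         if _local(p.tag) == "url-pattern" and p.text]
    return patterns


def redirect_port_to_ssl(server_xml: str) -> Optional[str]:
    """The HTTP connector's redirect port when it matches an SSL connector's port, else None."""
    connectors = list(ET.fromstring(server_xml).iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors if c.get("SSLEnabled", "false").lower() == "true"}
    for c in connectors:
        if c.get("port") in ssl_ports:
            continue
        target = c.get("redirectPort", "443")  # Tomcat's default when the attribute is absent
        if target in ssl_ports:
            return target
    return None


def https_is_forced(web_xml: str, server_xml: str) -> bool:
    """True when every path (/*) is CONFIDENTIAL and the redirect lands on the SSL connector."""
    return "/*" in confidential_patterns(web_xml) and redirect_port_to_ssl(server_xml) is not None


if __name__ == "__main__":
    print("HTTPS forced:", https_is_forced(SAMPLE_WEB_XML, SAMPLE_SERVER_XML))
```

The mismatch case is the one to watch for on an upgraded installation: the stock server.xml ships its HTTP connector with redirectPort="8443", so moving the SSL connector to 443 without updating that attribute leaves the redirect pointing at a port nothing listens on.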
Next, restart your Tomcat server with the following commands:
./shutdown.sh
./startup.sh
Congratulations! You have successfully installed an SSL certificate on Tomcat. To check your work, visit https://yourdomain.tld in your browser and view the certificate/site information to confirm that HTTPS/SSL is working properly. Remember that you may need to restart your server for the changes to take effect.
To check your server's configuration more thoroughly, use our SSL Checker Tool or contact our Customer Services Department for further assistance.