Configuring SSL in Apache Tomcat – Setting Up HTTPS & Securing Web Applications

Securing your Tomcat server with SSL/TLS (the protocol actually negotiated today is TLS; "SSL" survives as the everyday name and in Tomcat's attribute names) is essential to protect sensitive data in transit and to prove the server's identity to clients. This guide walks you through configuring SSL in Tomcat with a CA-signed certificate for production environments. 🔐🚀


✅ Why Use SSL in Tomcat?

  • 🔒 Encrypts Communication – Ensures secure data transmission between client and server.
  • 🔑 Authentication – Validates server identity to prevent impersonation.
  • 🌍 Improves Trust – HTTPS is essential for compliance (e.g., GDPR, PCI DSS).
  • SEO Benefits – Google ranks HTTPS websites higher in search results.

🔧 Step-by-Step Guide to Configuring SSL in Tomcat

1️⃣ Generate a Certificate Signing Request (CSR) 📜

To obtain a CA-signed SSL certificate, you first need to generate a CSR.

📌 Run the following command:

openssl req -new -newkey rsa:2048 -nodes -keyout mydomain.key -out mydomain.csr -subj "/C=US/ST=State/L=City/O=Company Name/CN=mydomain.com"

💡 Why?

  • mydomain.key – Private key; it stays on the server and is never sent to the CA. The -nodes option writes it unencrypted, so restrict its file permissions to the Tomcat user.
  • mydomain.csr – Certificate Signing Request to be sent to the Certificate Authority (CA).
  • Replace mydomain.com with your actual domain.

2️⃣ Submit CSR to a Trusted CA 🔑

Submit the generated mydomain.csr file to a Certificate Authority (CA) such as DigiCert, GlobalSign, Let’s Encrypt, or your preferred provider. After verification, the CA will issue signed certificates.

Typically, you will receive the following files:

  • mydomain.crt – Your primary SSL certificate.
  • intermediate.crt – CA’s intermediate certificate (if required).
  • root.crt – Root certificate (optional).

3️⃣ Convert Certificates to Java Keystore Format 🏗️

Tomcat requires certificates to be in Java Keystore (JKS) or PKCS12 format.

📌 Convert CA-signed certificates into a keystore:

openssl pkcs12 -export -in mydomain.crt -inkey mydomain.key -certfile intermediate.crt -out keystore.p12 -name tomcat

💡 Why?

  • Converts the certificate chain into a format Tomcat understands.
  • Ensures the private key and certificate are properly linked.

📌 Import the .p12 file into a Java Keystore:

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKS

💡 Why?

  • Stores the certificate and private key where Tomcat can read them.
  • Converts PKCS12 into Java's original keystore format. This step is optional: Tomcat can load keystore.p12 directly when the connector sets keystoreType="PKCS12", and recent keytool versions warn that JKS is a proprietary format.
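The following script is an added example, not part of the original post: an offline dry run of steps 1 to 3 in which a throwaway test CA (constructed here) stands in for DigiCert, GlobalSign or Let's Encrypt, so the CSR → signed certificate → PKCS12 path and three sanity checks (key matches certificate, certificate chains to the CA, keystore opens with the expected password and alias) can be exercised before a real certificate is requested. File names follow the post; the password "changeit", the CA name and the RUN_DRYRUN variable are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: offline dry run of steps 1-3 with a
# constructed test CA. Requires only the openssl CLI; keytool is used if present.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; delete it when done

# Constructed test CA standing in for the commercial CA of step 2.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/C=US/O=Example Test CA/CN=Example Test Root" 2>/dev/null
}

# Step 1: server private key and CSR, the same command as in the post.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/mydomain.key" -out "$WORK/mydomain.csr" \
    -subj "/C=US/ST=State/L=City/O=Company Name/CN=mydomain.com" 2>/dev/null
  chmod 600 "$WORK/mydomain.key"   # -nodes wrote it unencrypted; lock it down
}

# Step 2 (simulated): the CA signs the CSR. Browsers match the host name against
# subjectAltName rather than CN, so the test CA adds one like a real CA would.
sign_csr() {
  printf 'subjectAltName=DNS:mydomain.com\n' > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/mydomain.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/san.ext" -out "$WORK/mydomain.crt" 2>/dev/null
}

# Step 3: bundle key, certificate and chain into PKCS12 under the alias "tomcat".
make_p12() {
  openssl pkcs12 -export -in "$WORK/mydomain.crt" -inkey "$WORK/mydomain.key" \
    -certfile "$WORK/ca.crt" -name tomcat -passout pass:changeit \
    -out "$WORK/keystore.p12"
}

# Check 1: the private key and the certificate carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/mydomain.key" -pubout 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$WORK/mydomain.crt" -pubkey -noout | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 2: the certificate chains up to the CA we expect.
chain_verifies() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/mydomain.crt" >/dev/null 2>&1
}

# Check 3: the PKCS12 opens with the password Tomcat will use and holds the alias.
p12_has_alias() {
  openssl pkcs12 -in "$WORK/keystore.p12" -passin pass:changeit -nokeys -clcerts 2>/dev/null \
    | grep -q 'friendlyName: tomcat'
}

run_all() {
  make_test_ca
  make_csr
  sign_csr
  make_p12
  key_matches_cert || { echo "FAIL: private key does not match certificate" >&2; return 1; }
  chain_verifies   || { echo "FAIL: certificate does not chain to the CA" >&2; return 1; }
  p12_has_alias    || { echo "FAIL: keystore.p12 unreadable or alias missing" >&2; return 1; }
  # keytool is the tool the post uses in step 3; show the entry when it is installed.
  if command -v keytool >/dev/null 2>&1; then
    keytool -list -storetype PKCS12 -keystore "$WORK/keystore.p12" -storepass changeit
  fi
  echo "OK: $WORK/keystore.p12 is ready to copy into conf/ (alias tomcat)"
}

if [ "${RUN_DRYRUN:-0}" = 1 ]; then run_all; fi
```

Run it with RUN_DRYRUN=1 sh dryrun.sh. Against a real CA-issued certificate the same three checks apply unchanged: point -certfile at the intermediate bundle the CA sent and -CAfile at the CA's root, and a failing chain check at this stage is the usual cause of browser warnings after step 6.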

4️⃣ Configure SSL Connector in server.xml ⚙️

After generating the SSL certificate, configure Tomcat to use it.

📌 Modify the server.xml file (located in conf/):

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" keystoreFile="conf/keystore.jks" keystorePass="changeit" />

💡 Why?

  • port="8443" – Default HTTPS port for secure connections.
  • SSLEnabled="true" – Enables SSL support.
  • keystoreFile="conf/keystore.jks" – Path to the keystore file.
  • keystorePass="changeit" – Password that unlocks the keystore. changeit is the well-known Java default, so use your own value and keep server.xml readable only by the Tomcat user.
  • sslProtocol="TLS" – Selects the JSSE protocol family; the exact versions offered are governed by sslEnabledProtocols (for example sslEnabledProtocols="TLSv1.2,TLSv1.3").

5️⃣ Restart Tomcat 🔄

For changes to take effect, restart the Tomcat server.

📌 Run the following command:

./bin/shutdown.sh
./bin/startup.sh

💡 Why?

  • Applies new SSL configurations.
  • Ensures secure communication via HTTPS.

6️⃣ Verify HTTPS Configuration 🌐

Once Tomcat restarts, test your SSL setup by accessing:

https://yourdomain.com:8443

If everything is set up correctly, the page loads over HTTPS without a browser warning. A warning at this point usually means the certificate chain is incomplete (the intermediate certificate was not included in the keystore in step 3) or the certificate's name does not match the host name you typed.
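A browser check is subjective; the script below is an added example (not part of the original post) that verifies the same things from the command line after the restart in step 5: it runs one TLS handshake with openssl s_client, reduces the transcript to the verify result, protocol and cipher, accepts only a trusted chain on TLS 1.2 or 1.3, and then checks with curl that the HSTS header from the enhancements section is present. HOST, PORT and the CHECK_LIVE variable are placeholders taken from the post's values.

```shell
#!/bin/sh
# Added example, not from the original post: post-restart HTTPS check for Tomcat
# using openssl s_client and curl. HOST/PORT are placeholders.
set -eu

HOST="${HOST:-yourdomain.com}"
PORT="${PORT:-8443}"

# Run one handshake. -servername sends SNI so the expected certificate is
# selected; </dev/null closes the session right after the handshake.
fetch_handshake() {
  openssl s_client -connect "$HOST:$PORT" -servername "$HOST" </dev/null 2>/dev/null
}

# Reduce an s_client transcript (stdin) to three key=value lines.
summarize_handshake() {
  awk '
    /Verify return code:/ { sub(/.*Verify return code: */, ""); code = $0 }
    /^ *Protocol *:/      { proto = $NF }
    /^ *Cipher *:/        { cipher = $NF }
    END {
      print "verify=" code
      print "protocol=" proto
      print "cipher=" cipher
    }'
}

# Accept the summary (stdin) only if the chain verified against the local trust
# store and a current TLS version was negotiated.
handshake_acceptable() {
  summary=$(cat)
  verify=$(printf '%s\n' "$summary" | sed -n 's/^verify=//p')
  proto=$(printf '%s\n' "$summary" | sed -n 's/^protocol=//p')
  case "$verify" in
    0*) ;;
    *)  echo "chain did not verify: $verify (missing intermediate? untrusted CA?)" >&2; return 1 ;;
  esac
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "unexpected protocol: $proto" >&2; return 1 ;;
  esac
  return 0
}

# True if the response headers (stdin) carry Strict-Transport-Security.
has_hsts_header() {
  grep -qi '^strict-transport-security:'
}

check_live() {
  fetch_handshake | summarize_handshake | handshake_acceptable
  curl -sI "https://$HOST:$PORT/" | has_hsts_header \
    || { echo "no Strict-Transport-Security header" >&2; return 1; }
  echo "OK: $HOST:$PORT serves a trusted certificate over modern TLS with HSTS"
}

if [ "${CHECK_LIVE:-0}" = 1 ]; then check_live; fi
```

Run it with CHECK_LIVE=1 HOST=yourdomain.com PORT=8443 sh check.sh. openssl verifies against the machine's own trust store, so a verify result of 0 from a different host than the server is the strongest evidence that the intermediate certificate was bundled correctly in step 3.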


🔥 Additional Security Enhancements

✔️ Redirect HTTP to HTTPS: Force all traffic to use HTTPS in web.xml. The redirect is sent to the redirectPort of the plain HTTP connector, so the port 8080 Connector in server.xml must carry redirectPort="8443" (the default server.xml already does):

<security-constraint>
    <web-resource-collection>
        <web-resource-name>SecureApp</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

✔️ Enable Stronger Encryption: Restrict the Connector in server.xml to modern cipher suites. The attribute is named ciphers (cipherSuite is not a Tomcat attribute). The value below is a TLS 1.2 suite; to allow TLS 1.3 as well, add its suites (for example TLS_AES_256_GCM_SHA384) to the comma-separated list, because Java only negotiates suites that appear in it:

ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"

✔️ Enable HTTP Strict Transport Security (HSTS): Declare Tomcat's HttpHeaderSecurityFilter in web.xml and map it to a URL pattern; without the mapping the filter is never invoked. The filter only adds the header on requests that already arrived over HTTPS:

<filter>
    <filter-name>HSTSFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>HSTSFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

✔️ Regularly Update Tomcat & Java: Ensure security patches are applied.


🤝 Connect With Us

Are you looking for certified Tomcat professionals or need expert guidance on your project? We are here to help!

🔹 Get Certified Candidates: Hire skilled professionals with Tomcat expertise.
🔹 Project Consultation: Get best practices and hands-on support for seamless implementation.

📞 Contact Us Now
💼 Discuss Your Project

💬 How do you use Tomcat SSL in your enterprise? Share your thoughts below! 👇

#Tomcat #SSL #HTTPS #Security #WebApplications #CloudComputing #DevOps 🚀
