Tomcat SSL
The full documentation for Tomcat 8 is here: Tomcat SSL How To
Below we summarize the steps you'll need to take.
First, you need to generate a certificate or install an existing one.
- Create a local self-signed certificate (as described in the previous section):
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore (your_keystore_filename)
Note: keytool's "What is your first and last name?" prompt fills the certificate's Common Name (CN). Enter the host name of your site there (e.g. www.mysite.org), because browsers compare the certificate's name with the host in the URL; recent browsers also require the name in a Subject Alternative Name extension, which keytool can add with -ext SAN=dns:www.mysite.org.
- The CSR is then created with:
keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore (your_keystore_filename)
Send certreq.csr to your CA. Before Tomcat can use the signed certificate you must import the CA's root (and any intermediate) certificate and then the signed certificate into the same keystore with keytool -import, as the Tomcat How To describes.
Next, enable SSL on port 8443 (or port 443) in tomcat/conf/server.xml. The attribute names below are those of Tomcat 8.0; Tomcat 8.5 and later moved the TLS settings into a nested SSLHostConfig element and dropped the blocking Http11Protocol connector, so check the How To for your version.
- Find a section in server.xml that looks like this (the port may differ in your install; 8443 is the Tomcat default):
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
- Uncomment it by removing the <!-- at the start and the --> at the end to get
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
- To make the connector use your certificate, reference the keystore you created above. (clientAuth="false" leaves client certificate authentication off; this step only configures the server's own certificate.) Modify the connector to look like this:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="${catalina.base}/external-conf/.keystore" keystorePass="PUT_YOUR_KEY_PASS_HERE"
clientAuth="false" sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2"/>
- For keystorePass, replace PUT_YOUR_KEY_PASS_HERE with the password of the keystore. If the private key has a different password from the keystore, also set keyPass. Because this password sits in clear text in server.xml, restrict the file's permissions to the user Tomcat runs as.
- sslEnabledProtocols limits the connector to TLS 1.2; SSLv3, TLS 1.0 and TLS 1.1 are deprecated and should not be offered. Add TLSv1.3 if your JVM supports it. Watch the spelling of each token: a misspelled name such as "TSLv1.2" is not a protocol the JVM knows and cannot take effect.
- To disable plain HTTP, comment out the following section:
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
- Note: it may look slightly different in your install, but the important part is that there is an uncommented Connector tag for port 8080, and you use XML comments to disable it:
<!--
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
- If you keep the HTTP connector instead, make sure its redirectPort matches the port of your SSL connector, since that is where Tomcat sends requests for resources whose web.xml security constraint requires a CONFIDENTIAL transport guarantee.
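The following script is an added example, not part of the Tomcat documentation or of the procedure above. It checks the result of the server.xml edits for the mistakes that are easy to make here: deprecated or misspelled protocol names in sslEnabledProtocols, an SSL connector without a keystoreFile, a plaintext connector left active, and a redirectPort that points at no SSL connector. The two server.xml fragments are constructed for the demo (one weak, one hardened); the protocol name set is the one the JSSE provider in Java 8 and later understands.

```python
"""Audit Tomcat 8.0 server.xml Connector elements for common TLS mistakes.

Added example; the XML fragments below are constructed for the demo and
are not taken from any real deployment.
"""
import xml.etree.ElementTree as ET

# Protocol names the JSSE provider understands (Java 8+); TLSv1.3 needs Java 8u261+ or 11+.
KNOWN_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
# Anything older than TLS 1.2 should not be offered on a new deployment.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_connectors(server_xml: str) -> list:
    """Return a list of findings (strings) for the Connector elements in server_xml.

    The XML parser drops comments, so a connector that was commented out
    is ignored exactly as Tomcat would ignore it.
    """
    root = ET.fromstring(server_xml)
    connectors = list(root.iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    for conn in connectors:
        port = conn.get("port", "?")
        if port in ssl_ports:
            if not conn.get("keystoreFile"):
                findings.append(f"port {port}: SSLEnabled but no keystoreFile set")
            protos = conn.get("sslEnabledProtocols")
            if protos is None:
                findings.append(f"port {port}: sslEnabledProtocols not set, JVM defaults apply")
            else:
                for tok in (t.strip() for t in protos.split(",")):
                    if tok not in KNOWN_PROTOCOLS:
                        # A typo such as "TSLv1.2" is not a protocol the JVM knows.
                        findings.append(f"port {port}: unknown protocol token {tok!r}")
                    elif tok in WEAK_PROTOCOLS:
                        findings.append(f"port {port}: deprecated protocol {tok} enabled")
        else:
            proto = conn.get("protocol", "HTTP/1.1")
            findings.append(f"port {port}: plaintext {proto} connector still active")
            redirect = conn.get("redirectPort")
            if redirect and redirect not in ssl_ports:
                findings.append(
                    f"port {port}: redirectPort {redirect} does not match any SSL connector")
    return findings


# Constructed sample: the HTTP connector is still active, redirectPort points at a
# non-existent connector, and sslEnabledProtocols carries TLSv1.1 and a typo.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="6443"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="${catalina.base}/external-conf/.keystore" keystorePass="secret"
             clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2,TLSv1.1,TSLv1.2"/>
</Service></Server>"""

# Constructed sample: HTTP connector commented out, only TLS 1.2 offered.
HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <!--
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
  -->
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="${catalina.base}/external-conf/.keystore" keystorePass="secret"
             clientAuth="false" sslProtocol="TLS"
             sslEnabledProtocols="TLSv1.2"/>
</Service></Server>"""


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(f"[{label}]")
        for finding in audit_connectors(xml) or ["no findings"]:
            print("  " + finding)
```

Run it against your own file with audit_connectors(open("conf/server.xml").read()); the weak sample above yields four findings and the hardened sample none. The check only looks at Connector attributes, so on Tomcat 8.5+ you would read the nested SSLHostConfig element instead.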