Overview

Tomcat provides built-in support for SSL/TLS using JSSE (Java Secure Socket Extension).

Using PKCS #12 Key Store

Generating self-signed SSL certificate

To generate a self-signed SSL server certificate in a PKCS #12 file:

$ cd /etc/tomcat
$ keytool -genkey \
    -alias "sslserver" \
    -dname "CN=$HOSTNAME,O=EXAMPLE" \
    -keyalg RSA \
    -storetype pkcs12 \
    -keystore sslserver.p12 \
    -storepass Secret.123 \
    -keypass Secret.123

Configuring SSL connector

Uncomment the SSL connector in $CATALINA_BASE/conf/server.xml and add the keystore parameters as follows:

Tomcat 8.0 or older:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="pkcs12"
           keystoreFile="${catalina.base}/conf/sslserver.p12"
           keystorePass="Secret.123"
           keyAlias="sslserver"
/>

Tomcat 8.5 or newer:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreType="pkcs12"
                     certificateKeystoreFile="${catalina.base}/conf/sslserver.p12"
                     certificateKeystorePassword="Secret.123"
                     certificateKeyAlias="sslserver"/>
    </SSLHostConfig>
</Connector>
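The two connector layouts above name the same four keystore settings with different attribute names. The following script is an added example (not from this page or the Tomcat project) that reads both layouts out of a server.xml, normalizes them, and reports configuration problems such as a missing keystore file, a non-PKCS #12 store type, or no key alias; the embedded server.xml is a constructed sample.

```python
# Added example (not from the page or the Tomcat project): pull the TLS keystore
# settings out of server.xml and sanity-check them before starting Tomcat.
import os
import xml.etree.ElementTree as ET

# The two schemas use different attribute names; map both onto common keys.
OLD_ATTRS = {"keystoreType": "type", "keystoreFile": "file",
             "keystorePass": "password", "keyAlias": "alias"}
NEW_ATTRS = {"certificateKeystoreType": "type", "certificateKeystoreFile": "file",
             "certificateKeystorePassword": "password", "certificateKeyAlias": "alias"}

# Constructed sample server.xml: one connector per layout; the second has no alias.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" keystoreType="pkcs12" keyAlias="sslserver"
             keystoreFile="${catalina.base}/conf/sslserver.p12" keystorePass="Secret.123"/>
  <Connector port="8444" SSLEnabled="true"><SSLHostConfig>
    <Certificate certificateKeystoreType="pkcs12" certificateKeystorePassword="Secret.123"
                 certificateKeystoreFile="${catalina.base}/conf/sslserver.p12"/>
  </SSLHostConfig></Connector>
</Service></Server>"""

def extract_keystores(server_xml):
    """Return one dict per SSL-enabled <Connector>, with normalized keys."""
    found = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP or AJP connector
        cert = conn.find("SSLHostConfig/Certificate")  # Tomcat 8.5+ layout if present
        entry = {"port": conn.get("port"),
                 "style": "SSLHostConfig" if cert is not None else "attributes"}
        if cert is not None:
            entry.update({k: cert.get(a) for a, k in NEW_ATTRS.items()})
        else:  # Tomcat 8.0 layout: settings sit directly on <Connector>
            entry.update({k: conn.get(a) for a, k in OLD_ATTRS.items()})
        found.append(entry)
    return found

def check_keystore(entry, catalina_base):
    """List problems to fix before starting Tomcat (empty list means OK)."""
    problems = []
    path = (entry.get("file") or "").replace("${catalina.base}", catalina_base)
    if not path:
        problems.append("no keystore file configured")
    elif not os.path.isfile(path):
        problems.append("keystore file not found: " + path)
    if (entry.get("type") or "").lower() != "pkcs12":
        problems.append("keystore type is not pkcs12")
    if not entry.get("alias"):
        problems.append("no key alias; Tomcat will use the first key in the store")
    return problems
```

Run it against a real file with `extract_keystores(open("/etc/tomcat/server.xml").read())` and pass the resolved `$CATALINA_BASE` to `check_keystore` for each entry.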