Tomcat SSL Configuration with JSSE

From Dogtag
Jump to: navigation, search

Overview

Tomcat provides built-in support for SSL using JSSE.

Using PKCS #12 Key Store

Generating self-signed SSL certificate

To generate a self-signed SSL server certificate in a PKCS #12 file:

$ cd /etc/tomcat
$ keytool -genkey \
    -alias "sslserver" \
    -dname "CN=$HOSTNAME,O=EXAMPLE" \
    -keyalg RSA \
    -storetype pkcs12 \
    -keystore sslserver.p12 \
    -storepass Secret.123 \
    -keypass Secret.123

Configuring SSL connector

Uncomment the SSL connector in $CATALINA_BASE/conf/server.xml and add the keystore parameters as follows:

Tomcat 8.0 or older:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="pkcs12"
           keystoreFile="${catalina.base}/conf/sslserver.p12"
           keystorePass="Secret.123"
           keyAlias="sslserver"
/>

Tomcat 8.5 or newer:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">

        <SSLHostConfig>

             <Certificate certificateKeystoreType="pkcs12"
                         certificateKeystoreFile="${catalina.base}/conf/sslserver.p12"
                         certificateKeystorePassword="Secret.123"
                         certificateKeyAlias="sslserver"/>

         </SSLHostConfig>

</Connector>

References