How to configure Apache Tomcat to use HTTPS (SSL/TLS)

[Last Updated: Jan 22, 2018]

In this tutorial we will learn how to configure SSL/TLS in Apache Tomcat 8.5.24.

(1)Creating a Keystore

To Create a keystore file to store the server's private key and self-signed certificate use following command:

keytool -genkey -noprompt -alias <your-alias> -keyalg RSA -keystore <your-file-name> -keypass <your-password>
    -storepass <your-password> -dname "CN=<your-cert-name>, OU=<your-organization-unit>, O=<your-organization>,
    L=<your-location>, ST=<state>, C=<two-letter-country-code>"

For example, I created the keystore as:

C:\my-cert-dir> keytool -genkey -noprompt -alias tomcat-localhost -keyalg RSA -keystore localhost-rsa.jks -keypass 123456 -storepass 123456 -dname "CN=tomcat-cert, OU=Dev, O=Logicbig, L=Dallas, ST=TX, C=US"

Note that keytool comes with JDK (In this example JDK 1.8 is used). With this tool, we can manage a keystore (database) of cryptographic keys and trusted certificates etc.

Above example command will create a file 'localhost-rsa.jks' under C:\my-cert-dir.

(2)Configuring SSL HTTP/1.1 Connector

Add followings in <tomcat-dir>\conf\server.xml

<Server ...>
 ....
   <Service name="Catalina">
     .....
      <Connector
         protocol="org.apache.coyote.http11.Http11NioProtocol"
         port="8443" maxThreads="200"
         scheme="https" secure="true" SSLEnabled="true"
         keystoreFile="C:\my-cert-dir\localhost-rsa.jks"
         keystorePass="123456"
         clientAuth="false" sslProtocol="TLS"/>
     .....
   </Service>
</Server>

(3)Testing

Start tomcat via <tomcat-dir>\bin\startup.bat

Access tomcat home at https://localhost:8443

Chrome shows above Privacy error for self-signed certificate. Click on 'ADVANCE' and click 'Proceed to localhost (unsafe)':
(4)Deploy a Servlet application
Let's deploy the web application we used in the last tutorial.