
2 Easy Steps to Enable SSL / HTTPS on Tomcat Server

If you are running a Tomcat server that listens only on HTTP, follow the two easy steps below to configure it for SSL.

1. Create Keystore using Java keytool

First use the keytool to create a java keystore as shown below. Make sure to note down the password that you enter while creating the keystore.

# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
 [Unknown]:  Ramesh Natarajan
What is the name of your organizational unit?
 [Unknown]:  Development
What is the name of your organization?
What is the name of your City or Locality?
 [Unknown]:  Los Angeles
What is the name of your State or Province?
 [Unknown]:  CA
What is the two-letter country code for this unit?
 [Unknown]:  US
Is CN=Ramesh, OU=Development, O=Unknown, L=Los Angeles, ST=CA, C=US correct?
 [no]:  yes

Enter key password for <tomcat>
   (RETURN if same as keystore password):

This creates the .keystore file in root's home directory, /root, as shown below.

# ls -l /root/.keystore
-rw-r--r-- 1 root root 1391 Apr  6 11:19 .keystore

2. Modify the server.xml file

Locate the conf/server.xml file under the Tomcat directory. If the Connector with port="8443" is commented out, you should uncomment it first. Note that comments in server.xml are enclosed in <!-- and --> as shown below; remove the first and last line of the following snippet to activate the Connector.

# vi server.xml
   <!--
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" />
   -->

Now add the keystore information to server.xml as shown below. Replace your-key-password with the password you entered in step 1 while creating the keystore.

# vi server.xml
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              keystoreFile="/root/.keystore" keystorePass="your-key-password"
              clientAuth="false" sslProtocol="TLS" />

Finally, restart Tomcat and access the application at https://{your-ip-address}:8443/
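The two steps above, done and verified programmatically, as an added example (not code from the original article or from the Tomcat project): it takes a constructed excerpt of a stock server.xml in which the 8443 Connector is still commented out, removes the comment wrapper, inserts the keystoreFile and keystorePass attributes, and then parses the result with ElementTree to confirm that an active HTTPS Connector carries the attributes step 2 relies on. The sample XML, the keystore path and the password are constructed placeholders.

```python
"""Patch and verify the HTTPS Connector in a Tomcat conf/server.xml.

Added example for this article, not Tomcat's own tooling. The sample
server.xml, the keystore path and the password are constructed values.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed excerpt of a stock server.xml: the 8443 Connector is still
# wrapped in an XML comment, as it ships.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# The 8443 Connector element; "\sport=" avoids matching redirectPort="8443".
CONNECTOR_8443 = re.compile(r'<Connector\b[^>]*?\sport="8443"[^>]*?/>')
COMMENTED_CONNECTOR = re.compile(r"<!--\s*(" + CONNECTOR_8443.pattern + r")\s*-->")

# What step 2 expects the HTTPS Connector to carry.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}


def uncomment_ssl_connector(xml_text):
    """Remove the <!-- --> wrapper around the 8443 Connector, if present."""
    return COMMENTED_CONNECTOR.sub(r"\1", xml_text)


def add_keystore(xml_text, keystore_file, keystore_pass):
    """Insert keystoreFile/keystorePass into the 8443 Connector (idempotent)."""
    match = CONNECTOR_8443.search(xml_text)
    if match is None:
        raise ValueError('no <Connector port="8443"> in server.xml')
    before = xml_text[:match.start()]
    # An unclosed <!-- before the element means it is still commented out.
    if before.rfind("<!--") > before.rfind("-->"):
        raise ValueError("the 8443 Connector is still commented out")
    element = re.sub(r'\s+keystore(File|Pass)="[^"]*"', "", match.group(0))
    attrs = f' keystoreFile="{keystore_file}" keystorePass="{keystore_pass}"'
    patched = element[:-2].rstrip() + attrs + " />"
    return before + patched + xml_text[match.end():]


def https_connector(xml_text):
    """Return the attributes of the active 8443 Connector, or {} if none.

    ElementTree drops XML comments, so a Connector that is still commented
    out is invisible here, which is exactly what Tomcat would see.
    """
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("port") == "8443":
            return dict(conn.attrib)
    return {}


def check_https_connector(attrs):
    """List what is wrong with the Connector attributes; empty means OK."""
    if not attrs:
        return ['no active <Connector port="8443"> (still commented out?)']
    problems = [f'{k} should be "{v}"' for k, v in REQUIRED.items() if attrs.get(k) != v]
    problems += [f"{k} is not set" for k in ("keystoreFile", "keystorePass") if not attrs.get(k)]
    return problems


if __name__ == "__main__":
    # Usage: python tomcat_ssl.py [server.xml]; prints the patched file to stdout.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    text = add_keystore(uncomment_ssl_connector(text), "/root/.keystore", "your-key-password")
    for problem in check_https_connector(https_connector(text)):
        sys.exit(f"server.xml check failed: {problem}")
    sys.stdout.write(text)
```

Run the check before restarting Tomcat: a Connector that is still inside a comment is simply not there as far as the XML parser (and Tomcat) is concerned. Two things worth fixing on the way: the listing in step 1 shows the keystore created with mode 644, and since it holds the server's private key it should be readable only by the account Tomcat runs as (chmod 600); and keystorePass sits in clear text in server.xml, so that file deserves the same restriction.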


8 comments

  • saiju s george September 16, 2011, 3:10 am

    Thanks a lot for this new method ..

    But there is an easy way ...., we can edit /etc/httpd/conf.d/ssl.conf

    we can add this line in default vhost configuration …

    ProxyRequests off

    ProxyPass / http://localhost:9090/
    ProxyPassReverse / http://localhost:9090/

    if you cannot find ssl.conf , you can install mod_ssl with yum ..

    Thanks & regds

  • saiju s george September 16, 2011, 3:12 am

    on whatever port tomcat is running …

    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/

  • jalal hajigholamali September 16, 2011, 5:48 am
    Very useful article…

  • John February 16, 2012, 11:09 am

    How about a stupid question.
    How do you enable SSL with a SIGNED certificate? This is what I have:
    change server.xml:

    and that’s it. Right?

  • Sudhakara Atluri March 1, 2013, 2:44 pm

    Hi Ramesh,

    I tried to do this on my Windows machine. Where does it create the “.keystore” file?

    keytool -genkey -alias tomcat -keyalg RSA

    Sudhakara Atluri.

  • Arpan January 2, 2014, 2:08 pm

    How do we remove 8443 from the URL for production site?

  • Gihan Sooriyasena August 31, 2014, 12:54 am

    Hi Ramesh,

    I have a question.

    I have crt file and key. So how should I configure tomcat for SSL with those two files.
    Please help me.


  • faisal May 28, 2015, 12:15 am

    I tried it on ubuntu 12.04 after generating key did the following changes in server.xml :
    described in the APR documentation -->

    but it did not work.
