2 Easy Steps to Enable SSL / HTTPS on Tomcat Server

by Ramesh Natarajan on September 16, 2011

If you are running tomcat server that runs only on HTTP, follow the 2 easy steps mentioned below, to configure tomcat for SSL.

1. Create Keystore using Java keytool

First use the keytool to create a java keystore as shown below. Make sure to note down the password that you enter while creating the keystore.

# $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
 [Unknown]:  Ramesh Natarajan
What is the name of your organizational unit?
 [Unknown]:  Development
What is the name of your organization?
What is the name of your City or Locality?
 [Unknown]:  Los Angeles
What is the name of your State or Province?
 [Unknown]:  CA
What is the two-letter country code for this unit?
 [Unknown]:  US
Is CN=Ramesh, OU=Development, O=Unknown, L=Los Angeles, ST=CA, C=US correct?
 [no]:  yes

Enter key password for 
   (RETURN if same as keystore password):

This will create the .keystore file under the /root home directory as shown below.

# ls -l /root/.keystore
-rw-r--r-- 1 root root 1391 Apr  6 11:19 .keystore

2. Modify the server.xml file

Locate the conf/server.xml file located under the tomcat directory. If the Connector port=”8443″ is commented out, you should uncomment it first. Please note that the comments in the server.xml file are enclosed in <!– and –> as shown below. You should remove the 1st and last line from the following code snippet.

# vi server.xml
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS" />

Now, add the keystore information to the server.xml as shown below. Replace the your-key-password with the password you provided in the step 1 while creating the keystore.

# vi server.xml
   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              keystoreFile="/root/.keystore" keystorePass="your-key-password"
              clientAuth="false" sslProtocol="TLS" />

Finally, restart the tomcat server and access the application using https://{your-ip-address}:8443/

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 7 comments… read them below or add one }

1 saiju s george September 16, 2011 at 3:10 am

Thanks a lot for this new method ..

But there is a easy way …., we can edit /etc/httpd/conf.d/ssl.conf

we can add this line in default vhost configuration …

ProxyRequests off

ProxyPass / http://localhost:9090/
ProxyPassReverse / http://localhost:9090/

if you cannot find ssl.conf , you can install mod_ssl with yum ..

Thanks & regds

2 saiju s george September 16, 2011 at 3:12 am

on watever port tomcat is running …

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

3 jalal hajigholamali September 16, 2011 at 5:48 am


Very useful article…

4 John February 16, 2012 at 11:09 am

How about a stupid question.
How do you enable SSL with a SIGNED certificate? This is what I have:
change server.xml:

and that’s it. Right?

5 Sudhakara Atluri March 1, 2013 at 2:44 pm

Hi Ramesh,

I tried to do this on my Windows machine. Where does it create the “.keystore” file?

keytool -genkey -alias tomcat -keyalg RSA

Sudhakara Atluri.

6 Arpan January 2, 2014 at 2:08 pm

How do we remove 8443 from the URL for production site?

7 Gihan Sooriyasena August 31, 2014 at 12:54 am

Hi Ramesh,

I have a question.

I have crt file and key. So how should I configure tomcat for SSL with those two files.
Please help me.


Leave a Comment

Previous post:

Next post: