Tomcat SSL/TLS configuration

Tomcat SSL/TLS configuration involves preparing the necessary certificate files and defining the HTTPS connector within the server.xml configuration file.

Certificate Preparation

To configure SSL/TLS, a certificate bundle (PFX/PKCS12) is typically required. If you possess separate files such as certificate.crt, ca_bundle.crt, and private.key, you must first merge them.

A full certificate chain can be created by concatenating the certificate and the CA bundle:^[free-domain.md]

cat certificate.crt ca_bundle.crt > full_chain.crt

Subsequently, these files can be packaged into a PKCS12 keystore (PFX) using [OpenSSL](<./openssl.md>):^[free-domain.md]

openssl pkcs12 -export -out tls.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt

Server Configuration

The HTTPS connector is configured in the tomcat8/conf/server.xml file. You must define a Connector element that listens on port 443 (or the secure port of your choice).

Crucial attributes for this connector include:

  • SSLEnabled: Must be set to true.
  • scheme: Should be set to https.
  • secure: Should be set to true.
  • clientAuth: Usually set to false unless two-way SSL is required.
  • keystoreFile: The absolute path to the generated tls.pfx file.
  • keystoreType: Should be set to PKCS12 for .pfx files.
  • keystorePass: The password defined during the export of the PFX file.

Example configuration:^[free-domain.md]

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\Users\yu_da\Desktop\apache-tomcat-8.5.83\conf\tls.pfx"
    keystoreType="PKCS12"
    keystorePass="" />
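To check a server.xml against the attribute list above before restarting Tomcat, here is an added Python linter (example code written for this note, not part of the page or of Tomcat). The two embedded server.xml fragments are constructed samples: the first is this note's own connector, the second a deliberately weak one.

```python
import xml.etree.ElementTree as ET

# Constructed sample 1: the connector from this note, including its empty keystorePass.
SAMPLE_SERVER_XML = r"""<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="C:\Users\yu_da\Desktop\apache-tomcat-8.5.83\conf\tls.pfx"
        keystoreType="PKCS12"
        keystorePass="" />
  </Service>
</Server>"""

# Constructed sample 2: an HTTPS connector with several of the attributes set wrongly.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="http" secure="false"
      keystoreFile="conf/tls.pfx" keystoreType="JKS" keystorePass="changeit"/>
</Service></Server>"""


def lint_connector(connector):
    """Return a list of findings for one <Connector> element (empty list = no issues)."""
    a = connector.attrib
    findings = []
    if a.get("SSLEnabled", "").lower() != "true":
        return findings  # plain HTTP connector: the checks below do not apply
    if a.get("scheme") != "https":
        findings.append('scheme should be "https"')
    if a.get("secure", "").lower() != "true":
        findings.append('secure should be "true"')
    keystore = a.get("keystoreFile", "")
    if not keystore:
        findings.append("keystoreFile is missing")
    elif keystore.lower().endswith((".pfx", ".p12")) and a.get("keystoreType") != "PKCS12":
        findings.append('keystoreType should be "PKCS12" for a .pfx/.p12 keystore')
    if not a.get("keystorePass"):
        findings.append("keystorePass is empty; the keystore is unprotected")
    if a.get("clientAuth", "false").lower() == "true":
        findings.append("clientAuth is true (two-way TLS); confirm a truststore is configured")
    return findings


def lint_server_xml(xml_text):
    """Map each Connector's port to its findings, so every HTTPS connector is reviewed."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c) for c in root.iter("Connector")}


if __name__ == "__main__":
    for name, doc in (("note", SAMPLE_SERVER_XML), ("weak", WEAK_SERVER_XML)):
        print(name, lint_server_xml(doc))
```

Point it at a real file with `lint_server_xml(open("conf/server.xml").read())`; a non-empty list for any port is something to fix before the connector goes live.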

  • [[HTTPS]]
  • [[Certificate Authority]]
  • [[PKCS12]]
  • [[Let's Encrypt]]

Sources

^[free-domain.md]