Configure HTTPS with Java KeyStore on Apache Tomcat with an Official SSL Certificate
Introduction
In this tutorial, we will configure HTTPS on Apache Tomcat using a Java KeyStore and an official SSL certificate from Let's Encrypt. This process ensures that your server communicates securely over the internet. Follow these steps to create a secure server environment, from generating a Java KeyStore to configuring Tomcat for HTTPS.
Step 1: Create Java KeyStore with Private Key
To start, you need to generate a private key and create a Java KeyStore.
- Open your terminal.
- Run the following OpenSSL command to generate a private key:
openssl genrsa -out myprivatekey.key 2048
- Next, generate a Java KeyStore with the private key using the KeyTool:
keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore mykeystore.jks -dname "CN=yourdomain.com, OU=YourOrg, O=YourCompany, L=YourCity, S=YourState, C=YourCountry"
- Replace the dname values with your specific domain and organizational details.
Step 2: Generate CSR File for SSL Certificate
After creating the KeyStore, you need to generate a Certificate Signing Request (CSR).
- Use the following KeyTool command to create the CSR:
keytool -certreq -alias mykey -file mycsr.csr -keystore mykeystore.jks
- You will need to provide the necessary details that will be included in your SSL certificate.
Step 3: Obtain SSL Certificate
Next, obtain your SSL certificate from Let's Encrypt using Certbot.
- Install Certbot on your server if you haven't already.
- Run Certbot to generate your SSL certificate:
sudo certbot certonly --standalone -d yourdomain.com
- Be sure to replace yourdomain.com with your actual domain.
Step 4: Convert SSL Certificates into PKCS12 Format
Once you have the SSL certificate, convert it into PKCS12 format.
- Use the following OpenSSL command:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
- This command combines the certificate chain (fullchain.pem) and the private key (privkey.pem) produced by Certbot into a single PKCS12 file.
Step 5: Create Java KeyStore from PKCS12 File
Now, import the PKCS12 file into your Java KeyStore.
- Run the KeyTool command:
keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -alias tomcat
- Adjust the passwords as necessary for your security requirements.
Step 6: Verify Java KeyStore Content
To ensure everything is set up correctly, verify the contents of your Java KeyStore.
- Use the following command:
keytool -list -v -keystore keystore.jks
- This will display all the entries in your KeyStore.
Step 7: Configure Apache Tomcat
Finally, configure Tomcat to use your newly created KeyStore.
- Open the server.xml file located in the conf directory of your Tomcat installation.
- Find the connector configuration for HTTPS, and modify it to point to your KeyStore:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystoreFile="path/to/keystore.jks" keystorePass="changeit" />
- Update the keystoreFile path and keystorePass accordingly.
- Restart Apache Tomcat to apply the changes.
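An added check script for Steps 6 and 7, not part of this tutorial: it reads the keytool listing and rejects a keystore whose entry is not a PrivateKeyEntry with a full chain, then probes the restarted connector with openssl. The alias tomcat, the file keystore.jks and port 8443 come from the tutorial; the sample listings are constructed.

```shell
# Added example, not from the original tutorial: check the Step 6 listing before
# pointing Tomcat at it, then probe the running connector from Step 7. Alias
# "tomcat" and port 8443 come from the tutorial; sample listings are constructed.
# check_keystore_listing ALIAS: reads `keytool -list -v` output on stdin and
# returns 0 only if ALIAS is a PrivateKeyEntry with at least two certificates
# (leaf plus intermediate). A trustedCertEntry means only the certificate was
# imported, so Tomcat would have no private key to serve with.
check_keystore_listing() {
    alias_name="$1"; entry_type=""; chain_len=0; in_entry=0
    while IFS= read -r line; do
        case "$line" in
            "Alias name: $alias_name") in_entry=1 ;;
            "Alias name: "*) in_entry=0 ;;
            "Entry type: "*)
                if [ "$in_entry" -eq 1 ]; then entry_type="${line#*: }"; fi ;;
            "Certificate chain length: "*)
                if [ "$in_entry" -eq 1 ]; then chain_len="${line#*: }"; fi ;;
        esac
    done
    if [ "$entry_type" != "PrivateKeyEntry" ]; then
        echo "alias '$alias_name': expected PrivateKeyEntry, got '${entry_type:-no such alias}'" >&2
        return 1
    fi
    if [ "$chain_len" -lt 2 ]; then
        echo "alias '$alias_name': chain length $chain_len, intermediate CA missing" >&2
        return 1
    fi
    echo "alias '$alias_name': PrivateKeyEntry, $chain_len certificates in chain"
}
# check_live_chain HOST [PORT]: after the restart in Step 7, confirm the connector
# sends at least two certificates and the leaf stays valid for 30 more days.
# Needs a running server, so it is not exercised on the samples below.
check_live_chain() {
    host="$1"; port="${2:-8443}"
    chain=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null)
    depth=$(printf '%s\n' "$chain" | grep -c '^ *[0-9][0-9]* s:' || true)
    if [ "$depth" -lt 2 ]; then echo "$host:$port sent only $depth certificate(s)" >&2; return 1; fi
    printf '%s\n' "$chain" | openssl x509 -noout -checkend 2592000
}
# Constructed samples: a correct import (Step 5) and the common mistake where
# only the certificate was imported rather than the PKCS12 bundle.
GOOD_LISTING='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Owner: CN=yourdomain.com'
BAD_LISTING='Alias name: tomcat
Entry type: trustedCertEntry'
printf '%s\n' "$GOOD_LISTING" | check_keystore_listing tomcat
# Real use: keytool -list -v -keystore keystore.jks | check_keystore_listing tomcat
```

Run check_live_chain yourdomain.com after the restart; a non-zero exit means the connector is serving an incomplete chain or a certificate about to expire.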
Conclusion
You have now configured HTTPS on your Apache Tomcat server using a Java KeyStore and an official SSL certificate. This setup enhances the security of your web applications. As a next step, ensure proper firewall settings and consider setting up automatic renewals for your SSL certificate with Certbot.