Configure HTTPS with Java KeyStore on Apache Tomcat with an Official SSL Certificate

Published on Sep 24, 2024 This response is partially generated with the help of AI. It may contain inaccuracies.

Introduction

In this tutorial, we will configure HTTPS on Apache Tomcat using a Java KeyStore and an official SSL certificate from Let's Encrypt. This process ensures that your server communicates securely over the internet. Follow these steps to create a secure server environment, from generating a Java KeyStore to configuring Tomcat for HTTPS.

Step 1: Create Java KeyStore with Private Key

To start, you need to generate a private key and create a Java KeyStore.

  1. Open your terminal.
  2. Run the following OpenSSL command to generate a private key:
    openssl genrsa -out myprivatekey.key 2048

  3. Next, generate a Java KeyStore containing a key pair using the KeyTool:
    keytool -genkeypair -alias mykey -keyalg RSA -keysize 2048 -keystore mykeystore.jks -dname "CN=yourdomain.com, OU=YourOrg, O=YourCompany, L=YourCity, ST=YourState, C=YourCountry"

    • Replace the dname values with your own domain and organizational details; keytool will prompt you for a keystore password.

Step 2: Generate CSR File for SSL Certificate

After creating the KeyStore, you need to generate a Certificate Signing Request (CSR).

  1. Use the following KeyTool command to create the CSR:
    keytool -certreq -alias mykey -file mycsr.csr -keystore mykeystore.jks

  2. The CSR carries the subject details (the dname from Step 1) that will appear in your SSL certificate; keytool only prompts for the keystore password.

Step 3: Obtain SSL Certificate

Next, obtain your SSL certificate from Let's Encrypt using Certbot.

  1. Install Certbot on your server if you haven't already.
  2. Run Certbot to generate your SSL certificate:
    sudo certbot certonly --standalone -d yourdomain.com
    
    • Replace yourdomain.com with your actual domain. Standalone mode binds port 80 for the validation challenge, so that port must be free and reachable from the internet while Certbot runs.

Step 4: Convert SSL Certificates into PKCS12 Format

Once you have the SSL certificate, convert it into PKCS12 format.

  1. Use the following OpenSSL command:
    openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
    
    • This command bundles the certificate chain (fullchain.pem) and private key (privkey.pem) that Certbot wrote under /etc/letsencrypt/live/yourdomain.com/ into a single PKCS12 file; OpenSSL prompts for an export password, which you will need in the next step.

Step 5: Create Java KeyStore from PKCS12 File

Now, import the PKCS12 file into your Java KeyStore.

  1. Run the KeyTool command:
    keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -alias tomcat
    
    • keytool prompts for the PKCS12 export password from Step 4. Adjust the destination passwords as necessary for your security requirements.

Step 6: Verify Java KeyStore Content

To ensure everything is set up correctly, verify the contents of your Java KeyStore.

  1. Use the following command:
    keytool -list -v -keystore keystore.jks
    
    • This lists every entry in the KeyStore. Confirm that the tomcat alias appears as a PrivateKeyEntry and that its certificate chain contains the Let's Encrypt issuer certificates, not just the leaf certificate.

Step 7: Configure Apache Tomcat

Finally, configure Tomcat to use your newly created KeyStore.

  1. Open the server.xml file located in the conf directory of your Tomcat installation.

  2. Find the connector configuration for HTTPS, and modify it to point to your KeyStore:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="path/to/keystore.jks"
               keystorePass="changeit" />
    
    • Update the keystoreFile path and keystorePass accordingly. Because server.xml now holds the keystore password in clear text, make sure both server.xml and the keystore file are readable only by the account Tomcat runs as.
  3. Restart Apache Tomcat to apply the changes.
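As an added example (not part of the original tutorial), the following script performs the checks a practitioner would run around Steps 4 to 6: it confirms that Certbot's private key matches the issued certificate, that the certificate verifies against chain.pem, and that the PKCS12 export carries the expected alias; the keytool import only runs if a JDK is installed. It assumes the tutorial's file names and password, and uses a constructed self-signed certificate as a stand-in for Certbot's output.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity checks on Certbot's
# privkey.pem / fullchain.pem / chain.pem around the Step 4 export and Step 5
# import. The fixture at the bottom is a constructed self-signed stand-in.
set -eu

# "ok" when the private key and the leaf certificate carry the same public key.
# A key generated separately (e.g. with "openssl genrsa" as in Step 1) will not
# match the certificate Certbot issued, and Tomcat's handshake would fail.
key_matches_cert() {  # $1 key file, $2 certificate file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null || true)
  if [ -n "$k" ] && [ "$k" = "$c" ]; then echo ok; else echo MISMATCH; fi
}

# "ok" when the leaf certificate chains up to the issuer bundle.
chain_verifies() {  # $1 certificate file, $2 chain file
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo BROKEN; fi
}

# Step 4 export, then read back the alias (friendlyName) the entry is stored
# under; server.xml and the keytool import both refer to it.
export_p12_alias() {  # $1 work dir, $2 store password
  openssl pkcs12 -export -in "$1/fullchain.pem" -inkey "$1/privkey.pem" \
    -out "$1/keystore.p12" -name tomcat -CAfile "$1/chain.pem" -caname root \
    -passout "pass:$2"
  openssl pkcs12 -in "$1/keystore.p12" -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Steps 5 and 6 with keytool, only when a JDK is present; prints the entry type.
jks_entry_type() {  # $1 work dir, $2 store password
  command -v keytool >/dev/null 2>&1 || { echo "keytool not installed"; return 0; }
  keytool -importkeystore -noprompt -srckeystore "$1/keystore.p12" -srcstoretype PKCS12 \
    -srcstorepass "$2" -destkeystore "$1/keystore.jks" -deststorepass "$2" \
    -alias tomcat >/dev/null 2>&1 || { echo "import failed"; return 0; }
  keytool -list -keystore "$1/keystore.jks" -storepass "$2" 2>/dev/null \
    | sed -n 's/^tomcat,.*, \([A-Za-z]*Entry\),.*/\1/p'
}
# Constructed fixture: a one-day self-signed certificate, so chain.pem is the
# certificate itself. In practice point WORK at /etc/letsencrypt/live/<domain>/.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=yourdomain.com" \
  -keyout "$WORK/privkey.pem" -out "$WORK/fullchain.pem" 2>/dev/null
cp "$WORK/fullchain.pem" "$WORK/chain.pem"
echo "key/cert : $(key_matches_cert "$WORK/privkey.pem" "$WORK/fullchain.pem")"
echo "chain    : $(chain_verifies "$WORK/fullchain.pem" "$WORK/chain.pem")"
echo "p12 alias: $(export_p12_alias "$WORK" changeit)"
echo "jks entry: $(jks_entry_type "$WORK" changeit)"
```

Run it as the Tomcat service account so the files it creates get that account's ownership; a MISMATCH or BROKEN line means the material should not be imported into the KeyStore.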

Conclusion

You have now configured HTTPS on your Apache Tomcat server using a Java KeyStore and an official SSL certificate. This setup enhances the security of your web applications. As a next step, ensure proper firewall settings and consider setting up automatic renewals for your SSL certificate with Certbot.