Install SSL website on standalone Tomcat Plan

Generating a Certificate Signing Request (CSR)

Use the keytool command to create the key file:

keytool -genkey -keyalg RSA -keystore domain.key -validity 360

Keytool is found in the Java runtime bin folder: e.g. D:\j2sdk1.4.2_12\bin

If you want to use an alias for the site certificate, include -alias yyy (where yyy is the alias name). NOTE: the validity may vary.

The following questions will be asked if not known:

Enter keystore password: (NOTE: remember this for later use)
What is your first and last name? - This is the Common Name (Domain Name)
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?

You will then be asked if the information is correct:

Is, OU=Your Organizational Unit, O=Your Organization, L=Your City, ST=Your State, C=Your Country correct?

When you answer 'y' or 'yes' the password is then requested:

Enter key password for <mykey>

NOTE: Make a note of this password. <mykey> is the default alias for the certificate.

Use the keytool command to create the CSR file:

keytool -certreq -keyalg RSA -file domain.csr -keystore domain.key

You will be prompted to enter the password:

Enter keystore password:

If the password is correct then the CSR is created. If the password is incorrect then a password error is displayed. You will need the text from this CSR when requesting a certificate.

Installing your Certificate on a Tomcat & Apache Server

Step One

You will receive 3 files in a zip file from Comodo.

These must be imported in the correct order:

1. Root
2. Intermediate CA
3. Domain/site certificate

In the following example please replace the example keystore name 'domain.key' with your keystore name.

Use the keytool command to import the certificates as follows:

keytool -import -trustcacerts -alias root -file (insert root certificate file name) -keystore domain.key

Use the same process for the Comodo certificate using the keytool command:

keytool -import -trustcacerts -alias INTER -file (insert intermediate CA file name) -keystore domain.key

Use the same process for the site certificate using the keytool command. If you are using an alias, include the alias option in the command, where yyy is the alias specified during CSR creation. Example:

keytool -import -trustcacerts -alias yyy -file domain.crt -keystore domain.key

Step Two

Tomcat will first need an SSL Connector configured before it can accept secure connections.

Note: By default Tomcat will look for your keystore with the file name .keystore in the home directory, with the default password 'changeit'. The home directory is generally /home/user_name/ on Unix and Linux systems, and C:\Documents and Settings\user_name\ on Microsoft Windows systems. It is possible to change the filename, the password, and even the location where Tomcat looks for the keystore. If you need to do this, pay special attention to #8 of Option 1 or #5 of Option 2 below.

Option 2 -- Configure the SSL Connector in server.xml:

1. Copy your keystore file (your_domain.key) to the home directory (see the Note above)
2. Open the file Home_Directory/conf/server.xml in a text editor
3. Uncomment the 'SSL Connector' Configuration
4. Make sure that the 'Connector Port' is 443
5. If your keystore filename is something other than the default file name (.keystore) and/or your keystore password is something other than default ('changeit') then you will need to specify the correct keystore filename and/or password in your connector configuration -- ex. keypass="newpassword". When you are done your connector should look something like this:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/user_name/your_domain.key"
           keypass="your_keystore_password"/>

6. Save the changes to server.xml
7. Restart Tomcat
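Before restarting, server.xml can be checked for the defaults described in the Note above. The following is an added example, not part of the original instructions: the function name, the sample XML and the list of placeholder passwords are constructed for illustration, and keystorePass is accepted alongside the keypass attribute used on this page.

```python
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"  # default keystore password named in the Note above
# Passwords copied verbatim from this page's examples are as weak as the default.
PLACEHOLDERS = {"your_keystore_password", "newpassword"}

# Constructed sample: an HTTP connector, this page's connector, and an SSL connector on defaults.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080"/>
  <Connector port="443" scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS" keystoreFile="/home/user_name/your_domain.key"
             keypass="your_keystore_password"/>
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"/>
</Service></Server>"""


def audit_ssl_connectors(server_xml):
    """Return a list of (port, finding) for each SSL connector in server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue  # not an SSL connector
        port = conn.get("port", "?")
        if port != "443":
            findings.append((port, "connector port is not 443"))
        if not conn.get("keystoreFile"):
            findings.append((port, "no keystoreFile: Tomcat looks for .keystore in the home directory"))
        # keypass is the attribute this page uses; keystorePass is the name in Tomcat's own docs.
        password = conn.get("keypass") or conn.get("keystorePass")
        if not password:
            findings.append((port, "no password attribute: default 'changeit' applies"))
        elif password == DEFAULT_PASSWORD:
            findings.append((port, "keystore password is the default 'changeit'"))
        elif password in PLACEHOLDERS:
            findings.append((port, "keystore password is a placeholder from the instructions"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_ssl_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Because the connector stores the keystore password in plain text, server.xml should be readable only by the account that runs Tomcat.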

This page (revision-2) was last changed on 24-May-2017 15:30 by Hyve Support