Configure SSL on Tomcat 6/7/8/9

Shafeer P

This guide helps you to easily configure SSL on Tomcat version 6, 7, 8 or 9.

Requirements

1. Certificate file issued by an authority in the PEM format. Example given below:

-----BEGIN CERTIFICATE-----
 
<base64 encoded domain cert>
 
-----END CERTIFICATE-----

 

2. The matching private key in the PEM format, generated by us during the process of generating the CSR. Example given below:

-----BEGIN PRIVATE KEY-----
 
<base64 encoded domain cert's key>
 
-----END PRIVATE KEY-----

 

3. CA certificate bundle of the certificate issuer. It can be downloaded from the issuer's website. Make sure it matches the issued certificate type.

-----BEGIN CERTIFICATE-----
 
<base64 encoded CA cert>
 
-----END CERTIFICATE-----
 
-----BEGIN CERTIFICATE-----
 
<some CA have multiple chained certificates>
 
-----END CERTIFICATE-----

Step 1: Appending CA-Cert into Domain Certificate

We need to append the CA certificates to the domain's certificate file, with the domain certificate first. The final certificate in PEM format will look like the following:

-----BEGIN CERTIFICATE-----
 
<base64 encoded domain cert>
 
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
 
<base64 encoded CA cert>
 
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
 
<some CA have multiple chained ca certificates>
 
-----END CERTIFICATE-----

Step 2: Converting PEM to PKCS12 format

Using the openssl command-line tool, we will convert PEM format to PKCS12 (p12) format.

# openssl pkcs12 -export -in domain.com_combined.crt -inkey domain.com.key -name "domain.com" -out domain.com.p12

Where:

-in domain.com_combined.crt is the input combined CA + Domain certificate in PEM format

-inkey domain.com.key is the input private key filename in PEM format

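-CAfile domain.com.ca is the input CA certificate file. It is not used in the command above, because the CA certificates are already part of the combined file from Step 1.

-name "domain.com" is a friendly name for the certificate inside the PKCS12 file.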

-out domain.com.p12 is the output filename for PKCS12 format

 

When prompted, enter a new export password. This password will be required to read the certificate inside the PKCS12 file.

Enter Export Password: ********
Verifying - Enter Export Password: ********

Now the PKCS12 formatted certificate will be created with filename domain.com.p12 in the current directory.

Step 3: Importing PKCS12 into a JAVA Keystore file

A Java keystore is a file that can store multiple certificates in a format that Java understands (Tomcat runs on Java).

# keytool -importkeystore -destkeystore domain.com.jks -srckeystore domain.com.p12 -srcstoretype PKCS12 -deststoretype PKCS12

Where:

-destkeystore domain.com.jks is the output JAVA keystore filename

-srckeystore domain.com.p12 is the input PKCS12 file which we created in Step 2.

 

This step will prompt for a new password for the keystore file and for the password we set on the PKCS12 file in the previous step. You can use the same password for both.

Enter destination keystore password: ********
Re-enter new password: ********
Enter source keystore password: ********
Entry for alias domain.com successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled

Step 4: Configure Tomcat to use the Keystore

Enter the following command to check the Tomcat version:

# java -cp /path/to/catalina.jar org.apache.catalina.util.ServerInfo
Server version: Apache Tomcat/7.0.30
(...)

Edit conf/server.xml, located under the Tomcat base directory, and add the following code block inside the <Service> element.

Tomcat 6:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/domain.com.jks" keystorePass="my_keystore_password"
           clientAuth="false" sslProtocol="TLS" >
</Connector>

Tomcat 7 / Tomcat 8.0.x:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/domain.com.jks" keystorePass="my_keystore_password"
           clientAuth="false" sslProtocol="TLS" >
</Connector>

Tomcat 8.5.x / Tomcat 9:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" >
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="/path/to/domain.com.jks"
            certificateKeystorePassword="my_keystore_password"
            type="RSA" />
        </SSLHostConfig>
</Connector>

Where:

/path/to/domain.com.jks is the absolute path to the keystore file we created in Step 3.

my_keystore_password is the password set for the keystore file in Step 3.

Step 5: Restart tomcat service

We need to restart the Tomcat daemon using service / systemctl (if available) or the shutdown.sh + startup.sh method.
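
The certificate handling in Steps 1 and 2, with the checks worth running before Tomcat is restarted, as an added example that is not part of the original guide. It runs on a throwaway CA and certificate constructed on the spot; the file name domain.com.crt, the function names and the P12_PASS variable are assumptions, and the export password is passed through the environment instead of the interactive prompt.

```shell
#!/usr/bin/env bash
# Added example: Steps 1 and 2 with sanity checks, on constructed throwaway certificates.
set -eu
umask 077                                   # key, PKCS12 and temp files: owner-only
WORK=$(mktemp -d); cd "$WORK"
export P12_PASS='constructed-example-pass'  # assumption: real value comes from a secret store

# Constructed sample input: a throwaway CA and a domain.com certificate signed by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out domain.com.ca \
    -subj "/CN=Constructed Example CA" -days 1 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout domain.com.key -out domain.com.csr \
    -subj "/CN=domain.com" 2>/dev/null
openssl x509 -req -in domain.com.csr -CA domain.com.ca -CAkey ca.key \
    -CAcreateserial -out domain.com.crt -days 1 2>/dev/null

# Hash of the public key inside a certificate / derived from a private key.
cert_pub_hash() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pub_hash()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# Succeeds only if the private key ($1) belongs to the certificate ($2).
key_matches_cert() { [ "$(key_pub_hash "$1")" = "$(cert_pub_hash "$2")" ]; }

# Step 1: domain certificate ($1) first, CA certificates ($2) after it.
build_chain() { cat "$1" "$2" > "$3"; }

# openssl x509 reads only the first PEM block, so this checks the chain order.
leaf_is_first() { [ "$(cert_pub_hash "$1")" = "$(cert_pub_hash "$2")" ]; }

# Step 2 without a prompt: the password is read from the environment,
# so it does not appear in the process list or in shell history.
make_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "domain.com" \
        -out "$3" -passout env:P12_PASS
}

# Number of certificates stored in the PKCS12 file (domain cert + CA = 2 here).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Fail fast (set -e) if the key is wrong or the chain is in the wrong order.
key_matches_cert domain.com.key domain.com.crt
build_chain domain.com.crt domain.com.ca domain.com_combined.crt
leaf_is_first domain.com_combined.crt domain.com.crt
make_p12 domain.com_combined.crt domain.com.key domain.com.p12
echo "certificates in PKCS12: $(p12_cert_count domain.com.p12)"
```

With real files, drop the three certificate-generation commands and point the function calls at the issued certificate, key and CA bundle.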
Posts by Shafeer P

Shafeer is currently working as a Senior System Engineer at SupportSages. He is capable of tackling time-consuming issues quickly with his advanced scripting abilities. His unchallenged expertise in solving complex issues in a cut-and-dried way makes him a dependable man in the team. The attitude and philosophy he shows at his workplace make his colleagues call him 'Mr. Perfectionist'. Furthermore, he is a travel and photography enthusiast, and loves to spend his leisure time on music and DIY arts.