HTTPS with Tomcat in 2 minutes
Published: Oct 25, 2013 · Tags: Tomcat SSL
Two minutes, really!
First, generate the certificate. Alias
tomcat is used as the label to later identify this certificate. The certificate will be stored in the file
keytool -keystore /opt/jks_store -genkeypair -alias tomcat -keyalg RSA -keysize 4096 -validity 99999
If you are still using Tomcat6, enter the same password for the
keystore password and
key password. Tomcat 6 does not support the case where they are different.
Now, add a new connector for HTTPS to Tomcat’s
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" scheme="https" secure="true" keystoreFile="/opt/jks_keystore" keystorePass="$PASSWORD" keyAlias="tomcat" />
Don’t forget to replace
$PASSWORD by the one you entered in keytool. Then restart Tomcat. You’re done!
Consider configuring your firewalls if you are using port-based filtering.
Technically, the call to keytool has created a new keystore, a public key, the associated private key; both wrapped in a self-signed certificate, which is saved in the keystore.
genkeypair command was called
genkey in earlier releases of keytool.
If you want to use a different value for
key password and
keystore password, you have to add the
keyPass attribute to the connector element and specify the value givent for
key password. Works with Tomcat 7+.