Help & Documentation>SSL Certificates>Certificate Installation>Installation of International Standard Certificates>Installing an SSL Certificate (PFX Format) on a Tomcat Server

Installing an SSL Certificate (PFX Format) on a Tomcat Server

Last updated: 2023-10-08 11:00:10

On this page:

Scenario

This document describes how to install an SSL certificate (PFX format) on a Tomcat server.
Note
The certificate name cloud.tencent.com is used as an example.
The tomcat9.0.40 version is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS version.
If you need to install an SSL certificate in JKS format on a Tomcat server, please refer to: Installing and Deploying an SSL Certificate on a Tomcat Server (JKS Format).
Before installing an SSL certificate, please enable port 443 on the Tomcat server to ensure that HTTPS can be enabled after the certificate is installed. For more information, refer to: How Do I Enable Port 443 for a VM?
For detailed directions on how to upload SSL certificate files to a server, see Copying Local Files to CVMs.

Preparations

A remote file copy tool such as WinSCP has been prepared. It is recommended to download the latest version from the official website. If you need to deploy to Tencent Cloud Server, it is suggested to use the file upload function of the cloud server. For more details, please refer to Uploading Files to Cloud Server.
Install the remote login tool such as PuTTY or Xshell.
The Tomcat service has been installed and configured on the current server.
The data required to install the SSL certificate includes:
Name
Note
Server IP address
The server IP address, which is used to connect the PC to the server.
Username
The username used to log in to the server.
Password
The password used to log in to the server.
Note
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password.
The current Tomcat server is installed in the /usr directory. For instance, if the Tomcat folder name is tomcat9.0.40, then /usr/*/conf actually refers to /usr/tomcat9.0.40/conf.

Instructions

Certificate Installation

1. Please navigate to the SSL Certificate Service Console and select the certificate you wish to install, then click Download.
2. In the "Certificate Download" window that appears, select Tomcat as the server type, click Download and decompress the cloud.tencent.com certificate file package to a local directory. After decompression, you can obtain the relevant type of certificate files. This includes the cloud.tencent.com_tomcat folder:
Folder Name: cloud.tencent.com_tomcat
Folder content:
cloud.tencent.com.pfx: Certificate file
keystorePass.txt password file (If a private key password has been set, there will be no keystorePass.txt password file)
3. Utilize WinSCP (a tool for transferring files between a local and a remote computer) to access the Tomcat server.
Note
For detailed directions, see Uploading files via WinSCP to a Linux CVM from Windows.
We recommend using the file upload feature of the Cloud Virtual Machine (CVM) for deployment to Tencent Cloud CVM. For more details, please refer to Uploading Files to CVM.
4. Copy the obtained certificate file cloud.tencent.com.pfx from the local directory to the /usr/*/conf directory.
5. Remotely log in to the Tomcat server, for instance, using the "PuTTY" tool.
6. Edit the server.xml file in the /usr/*/conf directory. Choose one of the following methods based on your actual needs:
Note
When using Method 1 for configuration, Tomcat will automatically select the SSL implementation for you. If you are unable to complete the subsequent configuration using Method 1, it may be because your environment does not support this implementation. You can manually select SSL for configuration using Method 2, based on your environment attributes.
Method 1: Automatic SSL selection
Method 2: Manually select SSL
Modify the server.xml file by adding the Connector attributes as follows:
<Connector port="443"  
protocol="HTTP/1.1"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keystoreFile="/usr/*/conf/cloud.tencent.com.pfx" <!-- Path where the certificate is saved -->
    keystoreType="PKCS12"
    keystorePass="Certificate Password"  <! -- Please replace with the content in the keystorePass.txt password file.-->
    clientAuth="false"
    SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
    ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
Modify the server.xml file by adding the Connector attributes as follows:
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/usr/*/conf/cloud.tencent.com.pfx" keystorePass="Certificate Password" <! --Replace pfx with the path where the certificate is saved, and replace the certificate password with the content in the keystorePass.txt password file.-->
    clientAuth="false" sslProtocol="TLS"/>
The main parameters of the configuration file are described as below:
keystoreFile: The location of the certificate file. You can specify an absolute path or a path relative to the <CATALINA_HOME> (Tomcat installation directory) environment variable. If this item is not set, Tomcat will read a file named ".keystore" from the current operating system user's home directory by default.
keystorePass: This is the password for the password file, which specifies the keystore password. If a private key password was set when applying for the certificate, please enter the private key password. If no private key password was set when applying for the certificate, please enter the password found in the keystorePass.txt file within the cloud.tencent.com_tomcat folder.
clientAuth: If set to true, it indicates that Tomcat requires all SSL clients to present a security certificate for identity verification.
7. Verify if the Tomcat server is running.
If already running, you need to execute the following commands in the /usr/*/bin directory to shut down and restart the Tomcat server.
./shutdown.sh  (Shut down the Tomcat server)
./startup.sh (Start the Tomcat server)
If not already running, you need to execute the following command in the /usr/*/bin directory to start the Tomcat server.
./startup.sh
8. Upon successful startup, you can access it through https://cloud.tencent.com.
If the security lock icon is displayed in the browser, the certificate has been installed successfully. The details are as shown below:



In case of a website access exception, troubleshoot the issue by referring to the following FAQs:
Unable to access the website via HTTPS
After deploying the SSL certificate, the browser indicates "Website connection is not secure"
Is your site indicating an insecure connection?
What should I do if I am prompted that HTTPS is not secure after reapplying for deployment upon expiration of the SSL certificate?
After deploying the SSL certificate on the server, a 404 error occurs when accessing resources

(Optional) Security configuration for automatic redirect from HTTP to HTTPS

If you need to automatically redirect HTTP requests to HTTPS, you can set it up using the following steps:
1. In the /usr/*/conf directory, locate the </welcome-file-list> tag in the web.xml file.
2. Please add a new line after the </welcome-file-list> end tag, and append the following content.
<login-config>  
 <!-- Authorization setting for SSL -->  
 <auth-method>CLIENT-CERT</auth-method>  
 <realm-name>Client Cert Users-only Area</realm-name>  
</login-config>  
<security-constraint>  
 <!-- Authorization setting for SSL -->  
 <web-resource-collection >  
     <web-resource-name >SSL</web-resource-name>  
     <url-pattern>/*</url-pattern>  
 </web-resource-collection>  
 <user-data-constraint>  
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>  
 </user-data-constraint>  
</security-constraint>
3. In the /usr/*/conf directory, modify the redirectPort parameter in the server.xml file to the port of the SSL connector, which is port 443. As shown below:
<Connector port="80" protocol="HTTP/1.1"
  connectionTimeout="20000"
  redirectPort="443" />
Note
This modification operation allows non-SSL connectors to be redirected to SSL connectors.
4. In the /usr/*/bin directory, execute the following command to shut down the Tomcat server.
./shutdown.sh
5. Execute the following command to ascertain whether there are any issues with the configuration.
./configtest.sh
If issues exist, please reconfigure or modify according to the provided suggestions.
If it does not exist, please proceed to the next step.
6. Execute the following command to start the Tomcat server, then you can access it through http://cloud.tencent.com.
./startup.sh

中国站 - English