Installing an SSL Certificate (JKS Format) on a Tomcat Server

Last updated: 2023-10-08 10:56:42

Scenario

This document describes how to install an SSL certificate (JKS format) on a Tomcat server.
Note
The certificate name cloud.tencent.com is used as an example.
The tomcat-9.0.56 version is used as an example.
The current server OS is Windows Server 2016 (Chinese edition). Detailed steps vary slightly with the OS.
Before installing an SSL certificate, open port 443 on the Tomcat server (in the instance's security group and in the OS firewall) so that HTTPS can be reached after the certificate is installed. For more information, refer to How Do I Enable Port 443 for a VM?.
For detailed directions on how to upload SSL certificate files to a server, see Copying Local Files to CVMs.

Preparations

The Tomcat service has been installed and configured on the current server.
The data required to install the SSL certificate includes:
Name                 Note
Server IP address    The IP address of the server, used to connect from your PC to the server.
Username             The username used to log in to the server.
Password             The password used to log in to the server.
Note
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password.
If you chose the "Paste CSR" method when applying for the SSL certificate, or if the certificate you purchased is a Wotrus certificate, no JKS certificate file is offered for download. You need to convert the format manually to generate a keystore:
Access the conversion tool.
Upload the certificate and private key files from the Nginx folder of the certificate package to the conversion tool, enter the keystore password, click Submit, and the tool converts them into a JKS format certificate.
Note that this sends the certificate's private key to a web service. If your policy does not allow the private key to leave the server, build the keystore locally with openssl and keytool instead; a keystore built either way is used in exactly the same way in the steps below.
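Added example (it is not part of this page or of Tencent Cloud's tooling): the same conversion done locally with openssl and keytool, so the private key never leaves your machine. The file names cloud.tencent.com.crt (certificate with its intermediates) and cloud.tencent.com.key (private key) stand for the files in the Nginx folder and are assumptions, as is the alias name tomcat. Before building the keystore the script checks that the key actually belongs to the certificate, and afterwards it counts what landed in the keystore, which is the check you want before pointing Tomcat at the file.

```shell
#!/usr/bin/env bash
# Added example, not from the Tencent Cloud page: build the JKS keystore
# locally with openssl and keytool (keytool ships with the JDK) instead of
# uploading the private key to a web conversion tool. File names and the
# alias "tomcat" are assumptions; adjust them to the files you downloaded.
set -euo pipefail

# key_matches_cert CERT KEY: exit 0 when the private key belongs to the
# certificate. Compares the public key embedded in the cert with the public
# key derived from the private key, so a mixed-up pair is caught before it is
# baked into a keystore.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# pem_to_jks CERT KEY JKS PASSWORD [ALIAS]
# 1. bundle certificate chain + private key into a PKCS12 file (openssl)
# 2. import that PKCS12 into a JKS keystore (keytool)
# One password is used for the store and for the key: Tomcat's keystorePass
# attribute unlocks both unless a separate key password is configured.
pem_to_jks() {
  local cert="$1" key="$2" jks="$3" pass="$4" alias="${5:-tomcat}"
  local p12="${jks%.jks}.p12"
  openssl pkcs12 -export \
    -in "$cert" -inkey "$key" \
    -name "$alias" -out "$p12" -passout "pass:$pass"
  keytool -importkeystore -noprompt \
    -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
    -destkeystore "$jks" -deststoretype JKS -deststorepass "$pass"
  rm -f "$p12"      # the PKCS12 intermediate also contains the private key
  chmod 600 "$jks"  # only the account that runs Tomcat should read it
}

# jks_entry_count JKS PASSWORD: number of entries keytool lists. A freshly
# built store holds exactly one PrivateKeyEntry carrying the whole chain.
jks_entry_count() {
  keytool -list -keystore "$1" -storepass "$2" 2>/dev/null \
    | grep -cE 'PrivateKeyEntry|trustedCertEntry'
}

# Usage: ./make-jks.sh --run <keystore password>
if [ "${1:-}" = "--run" ]; then
  pass="${2:?keystore password required}"
  key_matches_cert cloud.tencent.com.crt cloud.tencent.com.key
  pem_to_jks cloud.tencent.com.crt cloud.tencent.com.key cloud.tencent.com.jks "$pass"
  echo "entries in keystore: $(jks_entry_count cloud.tencent.com.jks "$pass")"
  keytool -list -v -keystore cloud.tencent.com.jks -storepass "$pass" \
    | grep -E 'Alias name|Entry type|Certificate chain length|Owner:'
fi
```

On Windows Server the same openssl and keytool commands run from PowerShell (keytool.exe is in the JDK's bin directory; PowerShell uses a backtick instead of a backslash for line continuation); replace the chmod with an NTFS ACL that restricts the .jks file to the Tomcat service account. The password you pass here is the one that goes into keystorePass in server.xml.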

Instructions

Certificate Installation

1. Go to the SSL Certificate Service Console, select the certificate you wish to install, and click Download.
2. In the "Certificate Download" window that appears, select JKS as the server type, click Download, and decompress the cloud.tencent.com certificate package to a local directory. The decompressed package contains the certificate files for this server type, including the cloud.tencent.com_jks folder:
Folder Name: cloud.tencent.com_jks
Folder content:
cloud.tencent.com.jks: the keystore (private key plus certificate chain)
keystorePass.txt: the keystore password file (not present if you set a private key password when applying for the certificate; in that case the private key password is the keystore password)
3. Copy the obtained cloud.tencent.com.jks keystore file to the conf directory in the Tomcat installation directory, as shown below:



4. In the conf directory, edit the server.xml file and add the following Connector:
<!-- keystoreFile: path of the certificate (JKS keystore); keystorePass: keystore password -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks"
           keystorePass="**"
           clientAuth="false"/>
For detailed content, refer to the server.xml file:
Note
To avoid format issues, you are not advised to copy the content of server.xml directly.
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false"
               keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks"
               keystorePass="**" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="cloud.tencent.com">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="cloud.tencent.com" appBase="webapps"
            unpackWARs="true" autoDeploy="true" >
        <Context path="" docBase="Knews" />
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
The main parameters of the configuration file are described below:
keystoreFile: The location of the keystore file. You can specify an absolute path or a path relative to $CATALINA_BASE (the Tomcat installation directory in a default single-instance install). If this attribute is not set, Tomcat reads a file named ".keystore" from the home directory of the operating system user that runs Tomcat. Both the keystore and server.xml (which holds the password in clear text) should be readable only by the account that runs the Tomcat service.
keystorePass: The keystore password. If you set a private key password when applying for the certificate, enter that password; otherwise enter the password found in the keystorePass.txt file of the decompressed cloud.tencent.com_jks folder. Tomcat uses the same password to unlock the private key inside the keystore unless keyPass is set separately.
clientAuth: Set to true to require every TLS client to present a client certificate (mutual TLS); false, the default, does not request one; want requests one but still accepts clients without it. Leave it false for a public website.
redirectPort: On the non-SSL connector (port 80), the port Tomcat redirects to when a request matches a security constraint that requires CONFIDENTIAL transport. It should be the SSL connector port (443) if you use the HTTP to HTTPS redirect described in the optional section below.
Note
In Tomcat 8.5 and later, keystoreFile, keystorePass and clientAuth on the Connector element are deprecated in favour of the nested SSLHostConfig and Certificate elements (certificateKeystoreFile, certificateKeystorePassword, certificateVerification); Tomcat 9 still accepts the form shown above. The AJP connector on port 8009 is needed only if a front-end web server forwards requests to Tomcat over AJP; since Tomcat 9.0.31 that connector does not start unless a secret attribute is configured (or secretRequired="false"), so delete the line if you do not use AJP.
5. Check whether the Tomcat server is running.
If it is already running, execute the following bat scripts in the bin directory of the Tomcat installation directory to stop and restart the Tomcat service so that the new connector is loaded:
shutdown.bat (stop the Tomcat server)
startup.bat (start the Tomcat server)
If it is not running, execute the following bat script in the bin directory of the Tomcat installation directory to start the Tomcat service:
startup.bat
6. Upon successful startup, you can access the site through https://cloud.tencent.com.
If the browser shows the lock icon without a certificate warning, the certificate chain is trusted and matches the host name, and the installation has succeeded. The details are as shown below:



In case of a website access exception, troubleshoot the issue by referring to the following FAQs:

(Optional) Security configuration for automatic redirect from HTTP to HTTPS

If you need to automatically redirect HTTP requests to HTTPS, you can set it up using the following steps:
1. Navigate to the conf directory in the Tomcat installation directory, edit the web.xml file, and locate the </welcome-file-list> tag. As shown in the image below:



2. Add a new line after the closing tag </welcome-file-list> and insert the following content:
<login-config>
  <!-- Authorization setting for SSL -->
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
  <!-- Authorization setting for SSL -->
  <web-resource-collection>
    <web-resource-name>SSL</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
Only the <security-constraint> with a transport-guarantee of CONFIDENTIAL is needed for the redirect: Tomcat answers every plain-HTTP request matching /* with a 302 to the same path on the connector's redirectPort. The <login-config> entry sets CLIENT-CERT as the default authentication method for web applications that do not declare their own; since no <auth-constraint> is defined it does not require a client certificate, and it can be omitted. Because this is the global conf/web.xml, the constraint applies to every web application deployed on this Tomcat instance.
3. In the conf directory of the Tomcat installation directory, edit the server.xml file and change the redirectPort parameter of the non-SSL connector to the port of the SSL connector, which is 443. As shown below:
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
Note
redirectPort is the port that a non-SSL connector sends the client to when a request matches a security constraint requiring CONFIDENTIAL transport. It must be the port of the SSL connector; with the default value of 8443 the redirect would point at a port nothing is listening on.
4. Execute the following bat script in the Tomcat installation directory /bin to stop the Tomcat server.
shutdown.bat
5. Execute the following bat script to check the configuration for errors:
configtest.bat
If it reports problems, correct the configuration as suggested and run it again.
If it reports none, proceed to the next step.
6. Execute the following bat script to start the Tomcat server. Requests to http://cloud.tencent.com are now answered with a redirect to https://cloud.tencent.com.
startup.bat
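Added example, not from the page: command-line checks for the two results described above, that the HTTPS connector (step 6 of Certificate Installation) serves a valid certificate for the host, and that plain HTTP is redirected to HTTPS (step 6 of the optional redirect section). It assumes openssl and curl on the machine you test from; the host name and ports are taken from environment variables and default to the page's example, which is an assumption. The parsing functions take their input on stdin, so they can also be run against saved output.

```shell
#!/usr/bin/env bash
# Added example, not from the Tencent Cloud page: verify the installed
# certificate and the HTTP -> HTTPS redirect from the command line.
# Requires openssl (1.1.1 or later for -ext) and curl. Host/ports are
# assumptions; override them with environment variables.
set -euo pipefail

HOST="${HOST:-cloud.tencent.com}"
HTTPS_PORT="${HTTPS_PORT:-443}"
HTTP_PORT="${HTTP_PORT:-80}"

# Turn a host name into a literal ERE fragment (dots would otherwise match any char).
escape_re() { printf '%s' "$1" | sed 's/\./\\./g'; }

# fetch_server_cert HOST PORT: print the leaf certificate the server presents
# for HOST, as PEM. -servername sends SNI so a name-based virtual host returns
# the right certificate; -verify_return_error aborts the handshake when the
# chain does not validate against the local trust store, so an untrusted or
# incomplete chain makes this function fail instead of silently passing.
fetch_server_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" -verify_return_error \
    </dev/null 2>/dev/null | openssl x509
}

# cert_report: read a PEM certificate on stdin, print subject, SANs, validity.
cert_report() {
  openssl x509 -noout -subject -ext subjectAltName -dates
}

# check_cert HOST [DAYS]: exit 0 when the PEM certificate on stdin names HOST
# (as a DNS SAN, or as the subject CN for certificates without SANs) and is
# still valid DAYS days from now (default 30). Catches a certificate issued
# for the wrong name and one that is about to expire.
check_cert() {
  local host="$1" days="${2:-30}" pem re_host
  pem=$(cat)
  re_host=$(escape_re "$host")
  printf '%s\n' "$pem" | openssl x509 -noout -checkend $((days * 86400)) >/dev/null || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -text \
    | grep -Eq "DNS:${re_host}([,[:space:]]|$)|Subject:.*CN ?= ?${re_host}([,/[:space:]]|$)"
}

# check_redirect HOST: read raw HTTP response headers on stdin (as printed by
# curl -sI) and exit 0 only for a 301/302 whose Location is https://HOST/...
# A 200 means the constraint in conf/web.xml is not in effect; a Location on
# another port or scheme means redirectPort was not set to the SSL connector.
check_redirect() {
  local host="$1" headers re_host
  headers=$(tr -d '\r')
  re_host=$(escape_re "$host")
  printf '%s\n' "$headers" | head -n 1 | grep -Eq '^HTTP/[0-9.]+ 30[12]' || return 1
  printf '%s\n' "$headers" | grep -Eiq "^location: *https://${re_host}(:[0-9]+)?(/|$)"
}

# Usage: ./check-tls.sh --run   (HOST=... HTTPS_PORT=... HTTP_PORT=... to override)
if [ "${1:-}" = "--run" ]; then
  fetch_server_cert "$HOST" "$HTTPS_PORT" | cert_report
  fetch_server_cert "$HOST" "$HTTPS_PORT" | check_cert "$HOST" 30 \
    && echo "certificate OK for $HOST (trusted chain, valid for at least 30 days)"
  curl -sI "http://$HOST:$HTTP_PORT/" | check_redirect "$HOST" \
    && echo "HTTP on port $HTTP_PORT redirects to HTTPS"
fi
```

Run it from a workstation that has openssl and curl installed (or from PowerShell on the server if those tools are present there). A Location header of https://cloud.tencent.com/ confirms the redirect; if the header still points at port 8443, the redirectPort change in server.xml was not applied, and if the response is 200, the security constraint in conf/web.xml is not being read.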