Tomcat 8.5 Ssl

 

This topic describes how to deploy an SSL certificate on a Tomcat 8.5 or Tomcat 9.0 server that runs CentOS.

Environments

Operating system: CentOS 7.6, 64-bit

Web server: Tomcat 8.5 or Tomcat 9.0

Note: JDK environment variables must be set on the Tomcat server first. You can view the recommended JDK-compatible configurations on the Tomcat official website.

Prerequisites

  • The Tomcat server certificate is downloaded from the SSL Certificates Service console. The Tomcat server certificate includes a certificate file in PFX format and a password file in TXT format.
  • DNS resolution is configured for the domain name that you bound to your SSL certificate when you applied for this certificate, and the domain name points to the IP address of your Tomcat server.

    Run the ping www.yourdomain.com command after the domain name resolution is configured. If the IP address of your Tomcat server is returned, the resolution is successful.

Procedure

  1. Decompress the Tomcat server certificate package.
    Note: A new password file is generated each time you download the certificate. The password is valid only for the certificate you download that time. If you need to update the certificate file, you must also update the matching password file.
  2. Copy the downloaded certificate and password files to the conf directory of your Tomcat server.
    Note: To install a JKS certificate, run the following command to convert the format of the certificate from PFX to JKS:
  3. Open Tomcat/conf/server.xml, find the following parameters in the server.xml file, and modify these parameters.
  4. Save the configurations in the server.xml file.
  5. Optional. Add the following content at the bottom of the web.xml file to automatically redirect HTTP requests to HTTPS:
  6. Restart the Tomcat service.
    1. Run the ./shutdown.sh script in the bin directory of your Tomcat server to stop the Tomcat service.
    2. Run the ./startup.sh script in the bin directory of your Tomcat server to start the Tomcat service.

What to do next

After the Tomcat service is restarted, enter https://www.YourDomainName.com in the address bar of your browser to verify that the SSL certificate is installed. Use the domain name that you bound to your SSL certificate. If the green lock icon appears in the address bar of your browser, the SSL certificate is installed.

References

Use the DigiCert Certificate Utility to create a CSR and prepare your certificate for installation on your Tomcat server

These instructions explain how to use the DigiCert® Certificate Utility for Windows and Tomcat service to create your CSR, prepare your SSL/TLS certificate file, and to configure your Tomcat server to use the certificate.

DigiCert® Certificate Utility for Windows

For a simpler way to create your Certificate Signing Request (CSR) and install and manage your SSL/TLS certificates, we recommend that you use the DigiCert Certificate Utility. For more information about our utility, see DigiCert® Certificate Utility for Windows.

Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL Certificate.

Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart the Tomcat service.

  1. To create your certificate signing request (CSR), see Tomcat Server: Create Your CSR with the DigiCert Utility.

  2. To install your SSL Certificate, see Tomcat Server: Install Your SSL Certificate.

If you don't have access to a Windows computer, prefer not to use the DigiCert Utility, or for some reason cannot use the utility, see Tomcat: Create CSR & Install SSL Certificate with Keytool.

I. Tomcat Server: Create Your CSR with the DigiCert Utility

The DigiCert® Certificate Utility for Windows streamlines the CSR creation process. With our utility, you can generate the CSR with one click.

  1. On a Windows computer, download and save the DigiCert Certificate Utility for Windows zip file (DigiCertUtil.zip).

  2. Extract the DigiCertUtil.exe from the zip file and then run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Create CSR.

  4. On the Create CSR page, provide the information below and then click Generate.

    Certificate Type: Select SSL.
    Common name: The fully-qualified domain name (FQDN) (e.g., www.example.com).
    Subject Alternative Names: Are you requesting a Multi-Domain SSL Certificate? Then enter the SANs you want to include on the certificate (e.g., www.example.com, www.example2.com, and www.example3.net).
    Organization: Type your company's legally registered name (e.g., YourCompany, Inc.).
    Department: You can leave this box blank; you are not required to specify a department.
    Do you want to specify a department? Then type the name of the department in your organization you want to associate the certificate with (e.g., Web Security).
    City: Type the city where your company is located.
    State: Use the drop-down list to select the state where your company is located.
    Country: In the drop-down list, select the country where your company is legally located.
    Key Size: In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length).
  5. In the DigiCert Certificate Utility for Windows© - Create CSR window, complete one of the following options:

    Copy CSR: This option copies the certificate contents to the clipboard. Use this option if you are ready to paste the CSR into the DigiCert order form.
    Note: The DigiCert Certificate Utility does not store CSRs. Therefore, we recommend pasting the CSR into a text editor (such as Notepad) when using this option. If you close the CSR page and accidentally overwrite the clipboard contents without doing this, you will need to generate a new CSR.
    Save to File: This option saves the CSR as a .txt file.
  6. When you're ready to order your SSL/TLS certificate, paste your CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, into the DigiCert order form.

    Note: Make sure that when you Select Server Software, you select Tomcat.

  7. After you receive your SSL/TLS certificate from DigiCert, you can use the DigiCert Certificate Utility to help you install it on your Tomcat server.

II. Tomcat Server: Install Your SSL/TLS Certificate

After DigiCert validates your order and issues your SSL/TLS certificate, you can use the DigiCert® Certificate Utility for Windows to prepare the certificate file for installation on your Tomcat server.

Note: If you have not created your CSR with the DigiCert Certificate Utility and ordered your SSL/TLS certificate, see Tomcat Server: Create Your CSR with the DigiCert Utility.

To install your SSL/TLS certificate on your Tomcat server, complete the steps below.

  1. Use the DigiCert Certificate Utility to import your SSL/TLS certificate to your Windows computer.

  2. Use the DigiCert Certificate Utility to export the SSL/TLS certificate in a .PFX format.

  3. Configure an SSL Connector on your Tomcat server.

Step 1: Import Your SSL/TLS Certificate

After DigiCert issues your SSL/TLS certificate, use the DigiCert Certificate Utility to import the file.

  1. On the Windows computer where you created the CSR, run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).

  2. In DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Import.

  3. In the Certificate Import window, under File Name, click Browse and browse to the .p7b certificate file (e.g., your_domain_com.p7b) that DigiCert sent you, click Open, and then click Next.

  4. In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.

    Note: The friendly name is not part of the certificate; it is used to identify the certificate.

    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

  5. To import the SSL/TLS certificate to your server, click Finish.

    You should receive a message that the certificate was successfully imported.

  6. You should now see your SSL/TLS certificate in the DigiCert Certificate Utility for Windows©.

    You are now ready to export your SSL/TLS certificate as a .pfx file.

Step 2: Export Your SSL/TLS Certificate in a .PFX Format

After importing your SSL/TLS certificate to your Windows computer, use the DigiCert Certificate Utility to export the certificate as a .pfx file.

  1. Run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).

  2. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL/TLS certificate you want to export as a .pfx file, and then click Export Certificate.

  3. In the Certificate Export wizard, select Yes, export the private key, select pfx file, check Include all certificates in the certification path if possible, and then click Next.

  4. In the Password and Confirm Password boxes, create and confirm a password and then click Next.

  5. Next, click , browse for and select the location where you want to save the .pfx file, and then click Save.

  6. To export the SSL/TLS certificate with private key, click Finish.

  7. After you receive the 'Your certificate and key have been successfully exported' message, click OK.

    Your SSL/TLS certificate has been exported as a .pfx file.

Step 3: Configure an SSL/TLS Connector in Tomcat

After you have the .pfx file, you are ready to install it on your Tomcat server and configure the server to use the certificate.

  1. Copy the .pfx file to your Tomcat server.

  2. In your Tomcat installation directory, locate server.xml.

  3. Locate (or create) the connector on port 443 and edit it to use your new keystore.

    Where:

    • keystoreFile is the full path to your pfx file

    • keystorePass is the password you created when exporting the pfx

    • keystoreType MUST be set to 'PKCS12'

  4. Save your changes to server.xml.

  5. Restart the Tomcat service.

  6. Congratulations! You've successfully installed your SSL/TLS certificate.
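A pre-restart check for the connector edited in step 3 (and in step 3 of the CentOS procedure earlier on this page), as an added example that is not part of the original page or of DigiCert's or Tomcat's own tooling. The function names, the `protocol`/`SSLEnabled`/`scheme`/`secure` attribute values, the placeholder password and the "no permissions for other users" rule are assumptions chosen for illustration; only `keystoreFile`, `keystorePass` and `keystoreType` come from the page.

```bash
#!/usr/bin/env bash
# Added example, not from the original page.

# Print attribute $2 of the first <Connector ... SSLEnabled="true"> in
# file $1. Assumes double-quoted values that contain no '>' character.
connector_attr() {
  tr '\n' ' ' < "$1" \
    | grep -o '<Connector[^>]*SSLEnabled="true"[^>]*>' \
    | head -n 1 \
    | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Return 0 when the keystore settings pass; otherwise print each finding
# and return 1.
audit_connector() {
  local xml="$1" rc=0 file type pass f
  file=$(connector_attr "$xml" keystoreFile)
  type=$(connector_attr "$xml" keystoreType)
  pass=$(connector_attr "$xml" keystorePass)
  [ "$type" = "PKCS12" ] || { echo "keystoreType is '$type', expected PKCS12"; rc=1; }
  [ -n "$pass" ] || { echo "keystorePass is missing or empty"; rc=1; }
  [ -r "$file" ] || { echo "keystoreFile '$file' is missing or unreadable"; rc=1; }
  # The .pfx holds the private key and server.xml holds its password in
  # clear text, so neither may carry permission bits for "other".
  for f in "$file" "$xml"; do
    [ -e "$f" ] || continue
    [ "$(ls -ld "$f" | cut -c8-10)" = "---" ] || { echo "$f is accessible to other users"; rc=1; }
  done
  return $rc
}

# Constructed sample: a connector fragment with an empty stand-in .pfx.
make_sample() {
  : > "$1/your_domain_com.pfx"
  cat > "$1/server.xml" <<EOF
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="$1/your_domain_com.pfx"
           keystorePass="constructed-placeholder"
           keystoreType="PKCS12" />
EOF
  chmod 640 "$1/your_domain_com.pfx" "$1/server.xml"
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_connector "$tmp/server.xml" && echo "connector settings OK"
rm -rf "$tmp"
```

To check a real installation, call `audit_connector` with the path to your own server.xml before restarting Tomcat.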

Test Your SSL/TLS Certificate Installation

Is your site publicly accessible? Then use our DigiCert® SSL Installation Diagnostic Tool to test your SSL/TLS certificate installation; it detects common installation problems.

Troubleshooting

If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.