How to Set Up an SSL Certificate in Tomcat 8 - Received from SSLS.COM

Configuring an SSL certificate in Tomcat for the first time may take a lot of time. SSL certificate setup in Tomcat is not straightforward for two reasons:

  1. There are different types of SSL certificate files, and they follow different encodings depending on the certificate provider
  2. There are many differences in the configuration steps between different versions of Tomcat

I recently configured an SSL certificate for one of my websites; the certificate was purchased from SSLS.com for obvious reasons, i.e. their rates are very good.

How to Get an SSL Certificate from SSLs.com

  1. Purchase an SSL certificate from www.ssls.com
  2. To generate and download the SSL certificate, we need to provide a CSR (Certificate Signing Request) in the SSLs.com account. Enter your website details at https://www.digicert.com/easy-csr/openssl.htm and it will generate the command.
  3. Enter that command in the Linux CLI; it generates the CSR file and the KEY file (this is your private key, so it must be kept confidential). We will use the KEY file later when configuring the certificate in Tomcat.
  4. Log in to the ssls.com account and enter the CSR file content to generate/download the SSL certificate.
  5. Before you download the certificate, you need to verify the domain. ssls.com provides a text file to be uploaded to the website, e.g. http://example.com/.well-known/pki-validation/abc123.txt
  6. After logging in, click on the domain verify link in ssls.com. After some time, the domain will be verified.
  7. Download the certificate from ssls.com by clicking the download link. It downloads a zip file that contains 3 files, i.e. example.com.crt, example.com.ca-bundle, example.com.p7b.

How to Set Up SSL in Tomcat

  1. Convert the p7b file to a pem file ... using an OpenSSL command or an online converter, e.g. https://www.sslshopper.com/ssl-converter.html
  2. Combine your private key and certificate into one PKCS#12 format file. Tomcat requires a single file carrying the certificate + private key; a pkcs12 file may contain multiple cryptographic objects (certificate and key, in our case). The command prompts you to set a password; provide one, as we will use that password later in the Tomcat configuration.
    >openssl pkcs12 -inkey example.com.key -in example.com.pem -export -out example.com.p12
  3. You may view the certificate info using this openssl command:
    >openssl pkcs12 -in example.com.p12 -noout -info
  4. Configure the Connector for Tomcat 8 in the server.xml file in the conf folder, as shown below. Replace 8443 with 443 in server.xml, as the default port for SSL is 443; Tomcat configures it as 8443 by default.

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" keystoreType="PKCS12" scheme="https" secure="true" keystoreFile="/example.com.p12" keystorePass="mypassword" clientAuth="false" sslProtocol="TLS" />
  5. Open the web.xml of your web project and add the security-constraint configuration as given below:

    <security-constraint>
      <web-resource-collection>
          <web-resource-name>example.com</web-resource-name>
          <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
  6. Access your website from a browser; it should open over https.
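
Steps 1 to 3 of the Tomcat setup, scripted with OpenSSL as an added example (not part of the original post): it converts the .p7b locally, refuses to build the keystore when the private key does not match the certificate, and re-opens the result to confirm the password. The `P12_PASS` variable and the function names are assumptions, and the demo uses a constructed throwaway self-signed certificate in place of the CA-issued one.

```bash
#!/usr/bin/env bash
# Added example, not from the original post. File names follow the article's
# example.com.* convention; P12_PASS is an assumed environment variable name.

# Convert the CA-supplied PKCS#7 bundle to PEM locally (it holds certificates only).
p7b_to_pem() {   # p7b_to_pem IN.p7b OUT.pem
    openssl pkcs7 -print_certs -in "$1" -out "$2"
}

# Succeed only if the private key and the certificate carry the same public key.
key_matches_cert() {   # key_matches_cert KEY CERT
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$kpub" = "$cpub" ]
}

# Build the keystore for Tomcat. The password is read from $P12_PASS, so it
# appears neither on the command line nor in shell history.
build_p12() {   # build_p12 KEY LEAF.crt CHAIN.pem OUT.p12
    key_matches_cert "$1" "$2" || { echo "key/certificate mismatch" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$3" -out "$4" -passout env:P12_PASS || return 1
    chmod 600 "$4"    # the .p12 contains the private key
    openssl pkcs12 -in "$4" -noout -passin env:P12_PASS 2>/dev/null   # re-open to verify
}

# Constructed demo: a throwaway self-signed certificate stands in for the one
# issued by the CA, and a second key plays the "wrong key" case.
demo() {
    local d rc; d=$(mktemp -d) || return 1
    export P12_PASS="constructed-demo-password"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.com" \
        -keyout "$d/example.com.key" -out "$d/example.com.crt" 2>/dev/null || return 1
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null || return 1
    openssl crl2pkcs7 -nocrl -certfile "$d/example.com.crt" -out "$d/example.com.p7b" || return 1
    p7b_to_pem "$d/example.com.p7b" "$d/example.com.pem" || return 1
    build_p12 "$d/example.com.key" "$d/example.com.crt" "$d/example.com.pem" "$d/example.com.p12" || return 1
    if build_p12 "$d/other.key" "$d/example.com.crt" "$d/example.com.pem" "$d/bad.p12" 2>/dev/null; then
        return 1      # a mismatched key must be rejected
    fi
    [ -s "$d/example.com.p12" ] && [ ! -e "$d/bad.p12" ]
    rc=$?; rm -rf "$d"; return $rc
}

demo && echo "keystore built and verified; mismatched key rejected"
```

The value held in `P12_PASS` is the one that goes into `keystorePass` in server.xml.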
