Apache Tomcat over TLS/SSL

Russell Bateman
July 2022

How to Set Up HTTPS SSL on Tomcat

Just to get oriented a little, what version of Java (and keytool) am I using.

$ java -version
openjdk version "11.0.15" 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)

I have Tomcat installed as a service on /opt/tomcat. To see how I did this, contemplate my notes on Apache Tomcat installation on Linux as a service.

First step

Create a key.

$ keytool -genkeypair -alias tomcat -keyalg RSA -keystore tomcat.jks

Enter keystore password: changeit
Re-enter new password: changeit
What is your first and last name?
  [Unknown]:  windofkeltia.com
What is the name of your organizational unit?
What is the name of your organization?
  [Unknown]:  Wind of Keltia
What is the name of your City or Locality?
  [Unknown]:  Provo
What is the name of your State or Province?
  [Unknown]:  UT
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=windofkeltia.com, OU=Unknown, O=Wind of Keltia, L=Provo, ST=UT, C=US correct?
  [no]:  yes

Step two

Move the artifact (keystore) to Tomcat. That's where we'll be using it from.

$ sudo mv tomcat.jks /opt/tomcat/conf
$ sudo ls -alg /opt/tomcat/conf/tomcat.jks
-rw-rw-r-- 1 russ 2729 Jul 12 10:23 /opt/tomcat/conf/tomcat.jks

Step three

We're going to tweak Tomcat's configuration (properly so, in fact). Open /opt/tomcat/conf/server.xml in an editor.

$ sudo vim /opt/tomcat/conf/server/xml

Look for   <Connector port="8080" protocol="HTTP/1.1" ... in the file opened in step 3.

Open a new line just below it (after its XML element close), add the following line, then exit the editor (with update).

<Connector port="8443"
     clientAuth="false"            # client authentication (log-in) is a whole other ball of wax!
    sslProtocol="TLS" />

You will note that this leaves the http option defined for Tomcat that was originally there.

Step four

Restart Tomcat for the configuration changes to become effective.

$ sudo systemctl restart tomcat
$ sudo systemctl status tomcat
 tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/etc/systemd/system/tomcat.service; disabled; vendor preset: enabled)
     Active: active (running) since Tue 2022-07-12 10:41:02 MDT; 10s ago
    Process: 1194212 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
   Main PID: 1194234 (java)
      Tasks: 47 (limit: 18968)
     Memory: 221.2M
     CGroup: /system.slice/tomcat.service
             └─1194234 /usr/lib/jvm/java-1.11.0-openjdk-amd64/bin/java -Dnop -Djava.util.logging.manag>

Jul 12 10:41:02 nargothrond systemd[1]: Starting Apache Tomcat Web Application Container...
Jul 12 10:41:02 nargothrond startup.sh[1194212]: Tomcat started.
Jul 12 10:41:02 nargothrond systemd[1]: Started Apache Tomcat Web Application Container.

Step five

Open a browser on this URL:


You will see "Your connection is not private" with a button, Advanced. Click that button.

Then, you will see a message and an explanation, something like, "This server could not prove that it is localhost; its security certificate is not trusted by your computer's operating system..."

This happens because the key and certificate you created in step 1 above are not properly (commercially) "authorized." They will still work, but not without answering these two caveats.

To finish, click the link whose wording depends on the browser you have, but it's something like "Continue to this website (not recommended)."

You're there!

Finally, you land on Tomcat's splash- or landing page. If you had deployed a genuine application to Tomcat, your URL would be something like, https://localhost:8443/application, you'd still go through the caveats, but would land on your application.

As already noted,


...continues to work because of its configuration persisting in /opt/tomcat/conf/server.xml. If this is not what you want, remove that instead of adding the TLS protocol to this file.


The steps in this tutorial came originally from a Windows version thereof, its implicit goal being to reduce the instructions to the smallest possible number of steps—which I thought it did admirably.