jwallace.us

Tomcat 7 HTTPS Setup

First you will need a server certificate. There are a couple of ways to get one. The certificate format is X.509. That's all good; however, the choice you need to make is what type of keystore (container) you wish to use to store the certificate AND the key. You basically have two choices: JKS or PKCS12.

If you choose a JKS keystore, then the easiest thing to do is to create your own key using keytool. So, to create a JKS keystore from scratch, issue this command:

keytool -genkey -keyalg RSA -alias tomcat -keystore my_keystore

This will create the “my_keystore” container and store within it a self-signed key pair with the alias “tomcat”, and you will be good to go after you edit server.xml and web.xml (see below).

FYI if you ever need to delete the certificate, you can do it with this command:

keytool -delete -alias tomcat -keystore my_keystore

Now, let's say you don't want to use the keytool-generated certificate, but would rather use one from a certificate authority such as CAcert. After deleting the keytool-generated certificate, you will want to import the certificate (server.crt) you obtained from cacert.org:

keytool -import -v -trustcacerts -alias cacert -file server.crt -keystore my_keystore

When it comes time to update the CAcert certificate, first delete the old one from the keystore:

keytool -delete -alias cacert -keystore my_keystore

…and then import the new one as before. Finally, to list the entries in the keystore, issue the following command:

keytool -list -keystore my_keystore

THERE IS JUST ONE PROBLEM. The keytool utility has no facility for simply importing a private key! Amazing.

So now what do you do? Well, the easiest solution is to just use a PKCS12 keystore, but you'll have to tell Tomcat it's PKCS12, as Tomcat defaults to JKS. So here is the command:

openssl pkcs12 -export -in server.crt -inkey server.key -out my_cert.p12 -name tomcat -CAfile cacert/root.crt -caname root -chain

where:

your certificate from CAcert: server.crt
your key from CAcert: server.key
the PKCS12 keystore to be created: my_cert.p12
CAcert's root certificate: cacert/root.crt

In server.xml find the section with the comment “Define a SSL HTTP/1.1 Connector on port 8443” and define the following (around line 90):

/var/lib/tomcat7/conf/server.xml

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
   keystoreFile="/var/lib/tomcat7/conf/my_cert.p12" keystorePass="2yQknGdBtBKo"
   clientAuth="false" sslProtocol="TLS"/>

Next, if you want to enable UTF-8 responses, make sure URIEncoding is properly set on the plain HTTP connector (around line 75), and that its redirectPort matches the HTTPS connector's port:

/var/lib/tomcat7/conf/server.xml

<Connector port="8080" protocol="HTTP/1.1"
   connectionTimeout="20000"
   URIEncoding="UTF-8"
   redirectPort="8443" />

Next, to force redirection of all HTTP traffic to HTTPS, you will need to add a security-constraint element at the bottom of the web.xml file. This goes just below the welcome-file-list element and right above the closing web-app element. The very bottom of your web.xml file should look like this:

/var/lib/tomcat7/conf/web.xml

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Entire Application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
</web-app>
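To check that a server.xml and web.xml actually carry the settings walked through above (SSL flags on the 8443 connector, keystoreType=PKCS12 for a .p12 file, a redirectPort that points at the HTTPS connector, and a CONFIDENTIAL constraint on /*), here is a small audit script. It is an added example, not code from the original post; the XML it checks is constructed sample input, and the file path and keystore password in it are placeholders.

```python
# Added example, not part of the original post: audit the Tomcat 7 settings
# described above. The XML below is constructed sample input with placeholders.
import xml.etree.ElementTree as ET

def _local(tag):
    # web.xml carries a default xmlns, so compare element names without it
    return tag.rsplit("}", 1)[-1]

def audit_server_xml(xml_text):
    # Findings for the Connector elements: SSL flags, keystore type, redirectPort
    findings, https_ports, redirect_ports = [], set(), set()
    for c in ET.fromstring(xml_text).iter():
        if _local(c.tag) != "Connector":
            continue
        a, port = c.attrib, c.attrib.get("port", "?")
        if a.get("SSLEnabled", "false").lower() == "true":
            https_ports.add(port)
            if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
                findings.append(f"port {port}: SSL connector needs scheme=https and secure=true")
            ks = a.get("keystoreFile", "")
            # Tomcat assumes JKS unless told otherwise; a .p12 file needs keystoreType=PKCS12
            if ks.lower().endswith((".p12", ".pfx")) and a.get("keystoreType", "JKS").upper() != "PKCS12":
                findings.append(f"port {port}: {ks} is PKCS12 but keystoreType is not PKCS12")
        elif "redirectPort" in a:
            redirect_ports.add(a["redirectPort"])
    for rp in sorted(redirect_ports - https_ports):
        findings.append(f"redirectPort {rp} does not point at an SSL-enabled connector")
    return findings

def audit_web_xml(xml_text):
    # Empty list when some security-constraint covers /* with CONFIDENTIAL
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        texts = lambda name: {e.text.strip() for e in sc.iter() if _local(e.tag) == name and e.text}
        if "/*" in texts("url-pattern") and "CONFIDENTIAL" in texts("transport-guarantee"):
            return []
    return ["no security-constraint forcing CONFIDENTIAL transport for /*"]

# Constructed samples: a misconfigured server.xml (wrong redirectPort, no keystoreType), the fix, and web.xml
WEAK_SERVER_XML = """<Server><Service>
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8444"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
     keystoreFile="/var/lib/tomcat7/conf/my_cert.p12" keystorePass="CHANGE_ME"/>
</Service></Server>"""
GOOD_SERVER_XML = (WEAK_SERVER_XML.replace('redirectPort="8444"', 'redirectPort="8443"')
                   .replace('SSLEnabled="true"', 'SSLEnabled="true" keystoreType="PKCS12"'))
GOOD_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"><security-constraint>
  <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
  <user-data-constraint><transport-guarantee>CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint></web-app>"""
```

Run it against your real files with `audit_server_xml(open("/var/lib/tomcat7/conf/server.xml").read())`; an empty list means the checks passed.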