jwallace.us

tech, tunes, and other stuff

Tomcat 7 HTTPS With No CA

You can create a self-signed server certificate and a server key for Tomcat without having to go through a certificate authority. First, create the certificate and key:

openssl req -x509 -newkey rsa:2048 -keyout server.key -out server.crt -days XXX

Next, set up a PKCS12 keystore; since there is no CA, just leave out the CA root file:

openssl pkcs12 -export -in server.crt -inkey server.key -out my_cert.p12 -name tomcat

Next edit Tomcat’s server.xml:

/var/lib/tomcat7/conf/server.xml

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200"
     scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
     keystoreFile="/var/lib/tomcat7/conf/my_cert.p12" keystorePass="djEwuDysjSIdc88w3"
     clientAuth="false" sslProtocol="TLS"/>

Finally, edit Tomcat’s web.xml and add a security constraint at the bottom to force all connections to use HTTPS:

/var/lib/tomcat7/conf/web.xml

    <welcome-file-list>
        <welcome-file>index.html</welcome-file>
        <welcome-file>index.htm</welcome-file>
        <welcome-file>index.jsp</welcome-file>
    </welcome-file-list>

   <security-constraint>
      <web-resource-collection>
         <web-resource-name>Entire Application</web-resource-name>
         <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
   </security-constraint>
</web-app>
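The certificate and keystore steps above, as an added shell example that is not part of the original post: it runs the two openssl commands non-interactively and then verifies that the resulting keystore opens with the chosen password, carries the "tomcat" alias Tomcat will look for, and has the expected CN. It assumes openssl is on PATH; the hostname, validity period, output directory and keystore password are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): build the self-signed key/cert
# and PKCS12 keystore without prompts, then check the keystore before Tomcat
# is pointed at it. Assumes openssl is installed; all arguments are assumed.
set -eu

# make_keystore DIR HOST DAYS PASS -> writes DIR/server.key, DIR/server.crt and
# DIR/my_cert.p12; prints the keystore path.
make_keystore() {
    dir=$1; host=$2; days=$3; pass=$4
    mkdir -p "$dir"
    # -nodes: unencrypted key so the export step needs no second passphrase;
    # -subj: no prompts; the CN must match the hostname clients connect to.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" >/dev/null 2>&1
    # Same export as the post; -name tomcat becomes the PKCS12 friendlyName,
    # and -passout supplies what server.xml's keystorePass must equal.
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -name tomcat -passout "pass:$pass" -out "$dir/my_cert.p12"
    # Private key material: readable only by the owner (the tomcat7 user).
    chmod 600 "$dir/server.key" "$dir/my_cert.p12"
    echo "$dir/my_cert.p12"
}

# keystore_cn P12 PASS -> prints the CN of the certificate in the keystore,
# i.e. the name a browser will compare against the URL's hostname.
keystore_cn() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# keystore_alias P12 PASS -> prints the friendlyName (Tomcat's key alias);
# prints nothing if PASS is wrong, because openssl refuses to open the file.
keystore_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# check_keystore P12 PASS -> succeeds only if the keystore opens with PASS and
# contains the alias "tomcat" that the Connector configuration relies on.
check_keystore() {
    [ "$(keystore_alias "$1" "$2")" = "tomcat" ]
}
```

Tomcat satisfies the CONFIDENTIAL guarantee by redirecting plain-HTTP requests to the redirectPort of the Connector they arrived on, so the port 8080 Connector's redirectPort must be 8443 for the web.xml constraint to work. Because keystorePass sits in cleartext in server.xml, keep that file, like the keystore, readable only by the Tomcat service account.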