Install a self-signed or a free Let’s Encrypt SSL Certificate on Tomcat


Installing a self-signed certificate or a Let’s Encrypt certificate on Tomcat is the step that enables HTTPS between a client and a Tomcat server (the certificates are TLS certificates, though they are still commonly called SSL certificates). A self-signed certificate is fine for a test or internal system where you control the clients; a Let’s Encrypt certificate is trusted by browsers out of the box and is what you want for anything reachable from the internet. This guide walks you through both.

Prerequisites

  • Java installed on your server
  • Tomcat installed on your server
  • Certbot installed on your server (only for Let’s Encrypt certificate installation), a public DNS name that resolves to the server, and port 80 reachable from the internet so Let’s Encrypt can complete the HTTP-01 challenge

Generate a Self-Signed Certificate

To generate a self-signed certificate, we will use the keytool command that comes with Java. The following command generates a 2048-bit RSA key pair and a self-signed certificate valid for 365 days and stores both in a PKCS12 keystore named “tomcat.keystore” (-genkey is the older spelling of -genkeypair and still works). The -ext SAN option adds a Subject Alternative Name; current browsers ignore the Common Name and reject a certificate whose SAN does not contain the host name, so list every name you will connect with. Here example.com is a placeholder for your server’s name and localhost is included for the test below:

$ keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -storetype PKCS12 -keystore tomcat.keystore \
    -ext SAN=dns:example.com,dns:localhost

When prompted, provide the following information (if keytool also asks for a separate key password, press RETURN so that it equals the keystore password; the connector configuration below assumes the two are the same):

  • keystore password: A password to protect the keystore file.
  • first and last name: The host name of your server (this becomes the Common Name; it should also appear in the SAN).
  • organizational unit: The department or team within your organization.
  • organization: Your organization’s name.
  • city: Your city’s name.
  • state: Your state or province’s name.
  • country code: Your two-letter country code.

Configure Tomcat to Use the Keystore

Once the keystore has been generated, we need to configure Tomcat to use it. To do this, we need to modify the server.xml file located in the conf directory of your Tomcat installation.

Locate the following section:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />

Add the following configuration below the “Connector” element. These are the classic connector attributes; Tomcat 8.5 and later still accept them (and translate them internally), which is why they keep working across versions. sslEnabledProtocols limits the connector to TLS 1.2 and 1.3 so that obsolete protocol versions are never offered:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           keystoreFile="path/to/tomcat.keystore"
           keystorePass="password" />

Make sure to replace path/to/tomcat.keystore with the actual path to your keystore file (a relative path is resolved against $CATALINA_BASE, so conf/tomcat.keystore works if you put the keystore in the conf directory) and “password” with the keystore password you provided earlier. Tomcat defaults to the JKS keystore type; a PKCS12 keystore is read transparently on current JDKs, but if Tomcat reports that it cannot load the keystore, add keystoreType="PKCS12" to the connector. Because server.xml now contains the keystore password in clear text, make sure both server.xml and the keystore are readable only by the user Tomcat runs as. Restart Tomcat for the change to take effect.
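For comparison, this is the same keystore configured in the SSLHostConfig form that Tomcat 8.5, 9 and 10 document as the preferred syntax. It is an added example, not configuration from the original article; the keystore path, the alias “tomcat” and the password are assumptions that must match what you entered in the keytool step:

```xml
<!-- Added example: Tomcat 8.5+ form of the keystore connector.
     Assumes the keystore created above lives at conf/tomcat.keystore
     (relative to $CATALINA_BASE) under the alias "tomcat". -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <!-- Only TLS 1.2 and 1.3 are offered; the server's cipher order wins -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
        <Certificate certificateKeystoreFile="conf/tomcat.keystore"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="password"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Use one form or the other for a given connector, not both. The advantage of this form is that the protocol and cipher policy sits on SSLHostConfig, where a second Certificate element (for example an EC certificate next to the RSA one) or a second virtual host can later be added without touching the connector attributes.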

Test the Self-Signed Certificate

Now that we have configured Tomcat to use the self-signed certificate, we can test it by accessing the Tomcat server over HTTPS. Open a web browser and enter the following URL:

https://localhost:8443

If everything is configured correctly, you should see a warning that the certificate is not trusted. This is expected: nothing the browser trusts has signed a self-signed certificate. For a quick test you can proceed by clicking “Advanced” and then “Proceed to localhost (unsafe)”. For any client that must talk to this server routinely (a browser you use daily, a script, another service), import the certificate into that client’s trust store instead of teaching people to click through warnings; the same click-through habit is what lets a real man-in-the-middle certificate slip past. If the browser complains that the name does not match rather than that the issuer is unknown, the SAN you gave keytool does not contain the host name you typed in the address bar.

Generate a Let’s Encrypt Certificate

To obtain a Let’s Encrypt certificate, we will use the Certbot tool. Certbot is a free, open-source ACME client that requests, installs and renews TLS certificates from Let’s Encrypt. You can download Certbot from its official website.

Once you have installed Certbot, run the following command to generate a Let’s Encrypt certificate:

$ certbot certonly --webroot -w /path/to/webroot -d example.com

Replace “/path/to/webroot” with the directory Tomcat serves for that host (for the default host this is webapps/ROOT under your Tomcat installation) and “example.com” with your domain name. Certbot writes a challenge file under /path/to/webroot/.well-known/acme-challenge/, and Let’s Encrypt fetches it over plain HTTP on port 80, so the domain must resolve to this server and http://example.com/ must reach that directory. A default Tomcat listens on 8080, not 80; if nothing else is serving port 80 you can instead run certbot certonly --standalone -d example.com, which starts a temporary web server on port 80 for the duration of the challenge.

Configure Tomcat to Use the Let’s Encrypt Certificate

Now that the certificate has been issued, we need to configure Tomcat to use it. Certbot leaves the files under /etc/letsencrypt/live/example.com/: cert.pem (the server certificate), chain.pem (the intermediate certificate), fullchain.pem (both) and privkey.pem (the private key). Copy the three files Tomcat needs into the /opt/tomcat/conf directory:

$ sudo cp /etc/letsencrypt/live/example.com/{cert,chain,privkey}.pem /opt/tomcat/conf/

Replace “example.com” with your actual domain name. Two things to check after copying. First, everything under /etc/letsencrypt/live is readable only by root, so the copied privkey.pem is also root-only; change its owner to the user Tomcat runs as (keep the mode at 0600) or Tomcat will fail to start with a permission error when it reads the key. Second, Let’s Encrypt certificates are valid for 90 days and Certbot renews them automatically, but it renews the files under /etc/letsencrypt, not your copies, so this copy and a Tomcat restart must be repeated after every renewal.

Next, edit the server.xml file in Tomcat’s conf directory (/opt/tomcat/conf in this case). To do this, execute the following command:

$ sudo nano /opt/tomcat/conf/server.xml

The stock server.xml shipped with Tomcat 8.5 and later contains a commented-out example Connector on port 8443 that uses the SSLHostConfig syntax. Locate it, uncomment it by removing the <!-- and --> tags around it, and replace its Certificate element with the three PEM files you copied, as shown below. Paths are relative to $CATALINA_BASE. The protocols attribute restricts the connector to TLS 1.2 and 1.3:

<Connector port="8443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true">
     <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
          <Certificate certificateFile="conf/cert.pem"
             certificateKeyFile="conf/privkey.pem"
             certificateChainFile="conf/chain.pem" />
     </SSLHostConfig>
</Connector>

Save the changes, exit the editor and restart Tomcat. Tomcat reads the PEM files directly; no keystore is needed for this form. Note that privkey.pem is an unencrypted private key, so its file permissions are the only thing protecting it.
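The copy step above has to run again after every renewal, and it has to get the file ownership and permissions right each time. The script below is an added example, not part of the original article or of Certbot: it is a Certbot deploy hook that reinstalls the renewed files into Tomcat and restarts it. It assumes Tomcat lives under /opt/tomcat, runs as the user “tomcat” and is managed by a systemd unit named “tomcat”; change the three variables at the top if your layout differs.

```shell
#!/bin/sh
# Added example (not from the original article): a certbot deploy hook that
# installs a renewed Let's Encrypt lineage into Tomcat's conf directory and
# restarts Tomcat. Assumptions: Tomcat under /opt/tomcat, running as user
# "tomcat", managed by a systemd unit named "tomcat".
set -eu

TOMCAT_CONF="${TOMCAT_CONF:-/opt/tomcat/conf}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"

# install_lineage SRC DST
# Copies cert.pem, chain.pem and privkey.pem from a certbot lineage directory
# (SRC, e.g. /etc/letsencrypt/live/example.com) into DST. Each file is written
# under a temporary name and then renamed into place, so Tomcat never opens a
# half-written file. The key is copied under umask 077 so it is never even
# briefly readable by other users; chmod then sets the final modes.
install_lineage() {
    src="$1"
    dst="$2"
    for f in cert chain privkey; do
        if [ ! -r "$src/$f.pem" ]; then
            echo "install_lineage: missing or unreadable $src/$f.pem" >&2
            return 1
        fi
    done
    if [ ! -d "$dst" ]; then
        echo "install_lineage: no such directory $dst" >&2
        return 1
    fi

    ( umask 077 && cp "$src/privkey.pem" "$dst/privkey.pem.new" )
    cp "$src/cert.pem" "$dst/cert.pem.new"
    cp "$src/chain.pem" "$dst/chain.pem.new"
    chmod 0600 "$dst/privkey.pem.new"
    chmod 0644 "$dst/cert.pem.new" "$dst/chain.pem.new"

    # Only the Tomcat user needs to read the key. The chown is skipped when
    # that user does not exist, e.g. when exercising this on a workstation.
    if id "$TOMCAT_USER" >/dev/null 2>&1; then
        chown "$TOMCAT_USER" "$dst/privkey.pem.new" \
            "$dst/cert.pem.new" "$dst/chain.pem.new"
    fi

    for f in cert chain privkey; do
        mv -f "$dst/$f.pem.new" "$dst/$f.pem"
    done
}

# Certbot exports RENEWED_LINEAGE (the live/<domain> directory that was just
# renewed) to deploy hooks. When invoked by certbot, install and restart.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_lineage "$RENEWED_LINEAGE" "$TOMCAT_CONF"
    systemctl restart "$TOMCAT_SERVICE"
fi
```

Save it as, for example, /usr/local/sbin/tomcat-deploy-hook.sh, make it executable, and either pass it when requesting the certificate (certbot certonly --webroot -w /path/to/webroot -d example.com --deploy-hook /usr/local/sbin/tomcat-deploy-hook.sh; Certbot records the hook in the renewal configuration so later certbot renew runs use it) or place it in /etc/letsencrypt/renewal-hooks/deploy/, from where it runs after every successful renewal. After the first renewal, confirm that the served certificate actually changed by checking the notAfter date with openssl s_client -connect example.com:8443 -servername example.com piped into openssl x509 -noout -dates; a stale date means the hook did not run or Tomcat was not restarted.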

Test the Let’s Encrypt Certificate

Now that we have configured Tomcat to use the Let’s Encrypt certificate, we can test it by accessing the Tomcat server over HTTPS. Open a web browser and enter the following URL:

https://example.com:8443

Replace example.com with your actual domain name.

If everything is configured correctly, the browser shows a padlock in the address bar without any warning, indicating that the certificate chains to a trusted root. You can click on the padlock icon to view the certificate, its issuer and its expiry date. If you still get a warning, the usual causes are a host name that is not in the certificate, a chain.pem that was not copied (the browser then cannot build the chain to the Let’s Encrypt root), or a connector that is still pointing at the old keystore. Port 8443 is fine for testing; to serve on the standard port 443 you will need a reverse proxy in front of Tomcat, a port redirect, or the capability to bind privileged ports, since Tomcat should not run as root.

Conclusion

In this guide, we have walked you through the step-by-step process of installing a self-signed or Let’s Encrypt certificate on Tomcat. HTTPS communication is essential to secure data transmission between a client and a server, and it’s important to ensure that your Tomcat server is using a valid SSL/TLS certificate.
