Installing an SSL Certificate on Tomcat

If you have Tomcat installed on your Mac or Linux computer, like I have shown here and here, you may sooner or later want to serve content not only through HTTP, but also securely through HTTPS. Instead of going the self-signed certificate route, where the certificate is signed with its own private key, I’m describing how to acquire an SSL certificate that is signed by a certificate authority (CA) and how to configure Tomcat to use it.

Currently, one of the easiest and least expensive ways to get a Class 1 SSL certificate is to request one from StartSSL. StartSSL provides free (Class 1) digital certificates with modest assurances, meant to secure personal web sites, and supports:

  • Web server certificates (SSL/TLS)
  • Client and mail certificates (S/MIME)
  • 128/256-bit encryption
  • US $ 10,000 insurance guaranteed
  • Valid 1 year (365 days)

Prerequisites

Before getting started, however, a registered domain name and access to an email account associated with that domain are required.

StartSSL

Certainly not by means of the prettiest web interface, but StartSSL provides an “Express Lane” to create a digital certificate. After creating an account, which includes supplying a physical address, a private key and certificate signing request (CSR) can either be created through the web interface, or a CSR you generated yourself can be submitted. It’s best to create the private key and CSR on the machine where you actually want to use them, so that the private key never leaves that machine, and here is how:

Navigate into the Tomcat directory, create a new keystore, and create a local Certificate Signing Request (CSR) …

Now you can copy/paste the certreq.csr during the certificate generation process on the StartSSL web page. Note that I used the fully qualified domain name of the server, instead of my name, as the CN when generating the certreq.csr, i.e. the distinguished name looked something like this:
CN=alpha.techcasita.com, OU=Engineering, O=Techcasita, L=Ramona, ST=California, C=US

KeyStore

StartSSL will eventually send you an email telling you that your StartSSL certificate was issued, which means that you can copy/paste the certificate text into a file, e.g. ‘cert.cer’.

While at the StartSSL site, I also copied some of their CA certificates, which need to be imported into the keystore as well, like so:

Tomcat Configuration

The next step is to uncomment and configure the “SSL HTTP/1.1 Connector” entry (in Tomcat’s conf/server.xml) for the default HTTPS port, 443:

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keyAlias="tomcat"
    keystoreFile="/usr/share/tomcat/tomcat.jks"
    keystorePass="YOUR KEYSTORE PASSWORD"/>

Optionally, you could consider adding the following attributes into the Connector tag as well:

  • minSpareThreads="25"
  • maxSpareThreads="75"
  • enableLookups="false"
  • disableUploadTimeout="true"
  • acceptCount="100"

That’s pretty much it. However, restarting the Tomcat server will still not have the desired effect. By using the default HTTPS port 443 instead of, for instance, 8443, a so-called privileged port is used. A process that does not run as root is not allowed to bind to port numbers below 1024, and the following error shows up in the Tomcat log file:

Long Startup Time
org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-443"] java.net.SocketException: Permission denied

However, once you have figured out which file the actual java binary is, setcap (a Linux command to set file capabilities) can be used to grant that binary the capability to bind a privileged port, so that Tomcat can listen on port 443 without running as root.
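As an added pre-flight check (my own script, not part of the original post or of Tomcat), the following Python 3 snippet parses a server.xml, finds every Connector with SSLEnabled="true", and flags a privileged port, a missing keystore file, a placeholder keystore password and a scheme/secure mismatch; it also interprets a getcap line for the java binary so you can confirm the capability was actually set. The embedded server.xml is a constructed sample built from the Connector above, and the getcap path is assumed.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the post's Connector wrapped in the enclosing server.xml elements.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
           sslProtocol="TLS" keyAlias="tomcat"
           keystoreFile="/usr/share/tomcat/tomcat.jks"
           keystorePass="YOUR KEYSTORE PASSWORD"/>
</Service></Server>"""


def audit_ssl_connectors(server_xml, file_exists=os.path.isfile):
    """Return {port: [finding, ...]} for every Connector with SSLEnabled="true"."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        findings = []
        port = int(conn.get("port", "0"))
        if port < 1024:  # needs root or cap_net_bind_service on the java binary
            findings.append("privileged-port")
        keystore = conn.get("keystoreFile", "")
        if not keystore or not file_exists(keystore):
            findings.append("keystore-missing")
        password = conn.get("keystorePass", "")
        # "changeit" is the well-known default password of the JDK cacerts store
        if not password or password == "changeit" or "YOUR" in password.upper():
            findings.append("placeholder-password")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append("scheme-secure-mismatch")
        results[port] = findings
    return results


def java_can_bind_privileged(getcap_line):
    """True if a `getcap <java>` line grants cap_net_bind_service as effective and permitted."""
    if "cap_net_bind_service" not in getcap_line:
        return False
    flags = getcap_line.strip().rsplit("=", 1)[-1]  # "+ep" on older libcap, "ep" on newer
    return "e" in flags and "p" in flags


if __name__ == "__main__":
    for port, findings in audit_ssl_connectors(SAMPLE_SERVER_XML).items():
        print(f"port {port}: {', '.join(findings) or 'ok'}")
    # Assumed path; replace with the real java binary, e.g. `getcap "$(readlink -f "$(which java)")"`
    print(java_can_bind_privileged("/usr/lib/jvm/java/bin/java cap_net_bind_service=+ep"))
```

Run it against the real conf/server.xml before restarting Tomcat; an empty findings list for port 443 plus a True from the getcap line means the “Permission denied” error above should not reappear.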

Now it’s time to restart Tomcat …

Final Result


Final Check

To be sure that all is good, use one of the online SSL checkers to verify the configuration. Here, for instance, I have used SSLShopper, which had spotted one of my misconfigurations before:
