Renewing SSL Certificates for Apache Tomcat

Ordering and renewing an SSL Certificate on Apache Tomcat Servers consists of the following parts:

  1. Generating a keystore
  2. Generating a CSR
  3. Ordering a Certificate
  4. Importing the resulting certificate and any intermediate certificates required
  5. Configuring the server to use the keystore

This tutorial assumes you are renewing from a Linux Tomcat installation, although the methods are largely the same for any other operating system running Tomcat.

Step 1 – Generating a Keystore

SSL certificates are placed into “keystores” on the Tomcat server. Depending on your situation, you may or may not have an existing keystore. You may also have to recreate a keystore if it was created incorrectly in the past with too small a key or a weak signature algorithm (2048-bit RSA signed with SHA-256 is the recommended minimum as of this writing), if you do not know the keystore password, or for a variety of other reasons.

To find the current keystore(s) (typically, this will be keystore.jks), connect to your server via SSH and run this command:
find / -name keystore.jks

If that fails to yield any results, you can try looking for all the *.jks files on the system (quote the pattern so the shell does not expand it before find sees it, and discard the permission-denied noise):
find / -name '*.jks' 2>/dev/null

If still no results are found, odds are that you do not have a keystore yet on your system. You will need to generate a keystore and private key with the following:
keytool -genkey -alias server -keystore /path/to/your/keystore/keystore.jks -keyalg RSA -sigalg SHA256withRSA -keysize 2048

Note that when keytool asks for your first and last name, it is actually asking for the FQDN of the server you wish to install the SSL certificate on; this becomes the CN of the certificate request (depending on the flavor of keytool you have, it may ask for “FQDN” or “server name” instead). Modern browsers match the hostname against the Subject Alternative Name extension rather than the CN, but the CA normally adds a SAN for the domain you order, so the CN still has to be the exact hostname. keytool will also prompt you for a keystore password: choose a strong one and be sure to remember it, because it later goes into server.xml in plaintext. When asked for a separate key password, press RETURN so that it is the same as the keystore password; Tomcat assumes the two match unless you set keyPass on the connector.

root@jarvis-web:/# keytool -genkey -alias server -keystore /tmp/keystore.jks -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 365
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  jgomez.net
What is the name of your organizational unit?
  [Unknown]:  Geeks
What is the name of your organization?
  [Unknown]:  Joes Consulting
What is the name of your City or Locality?
  [Unknown]:  Monterey
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US correct?
  [no]:  yes

Enter key password for <server>
        (RETURN if same as keystore password):  
root@jarvis-web:/#

Congratulations, you now have a keystore holding a private key, from which you can generate a CSR.

Step 2 – Generating a CSR (Certificate Signing Request)

Typically, generating a CSR is a pretty straightforward task. This will generate a CSR for jgomez.net (or whatever you entered for “First and Last Name” above) named mycertrequest.csr and place it in /tmp/.

keytool -certreq -alias server -keystore /tmp/keystore.jks -file /tmp/mycertrequest.csr

root@jarvis-web:/# keytool -certreq -alias server -keystore /tmp/keystore.jks -file /tmp/mycertrequest.csr
Enter keystore password:  
root@jarvis-web:/#

Do note that the alias has to be the same alias you created with the first command; otherwise keytool will throw an error:

root@jarvis-web:/tmp# keytool -certreq -alias fjasdlkfjadkslf -keystore /tmp/keystore.jks -file /tmp/mycertrequest.csr
Enter keystore password:  
keytool error: java.lang.Exception: Alias <fjasdlkfjadkslf> does not exist

Step 3 – Ordering a Certificate

  • Go to your favorite certificate reseller (e.g. Trustico, NameCheap, whatever) and proceed to order your certificate
  • You will be prompted to enter the text of the CSR you generated.
  • Copy the full content of the mycertrequest.csr you made and paste it where requested
  • Fill out other order information as appropriate, and double-check the domain you are getting the certificate for (e.g. jgomez.net or sub.jgomez.net)

Step 4 – Importing the Certificate

  • First, either download the PKCS#7 (.p7b) bundle from your vendor, which contains the certificate you ordered together with the required intermediate certificates, or concatenate the PEM certificates (your certificate first, then the intermediates) into a single file. If you import only your own certificate without its intermediates, keytool will usually refuse it with “Failed to establish chain from reply”; the alternative is to import each intermediate under its own alias first and the server certificate last.
  • SSH to the server
  • Copy the certificates to the server
  • Import the certificate into the keystore, using the same alias as the private key so that keytool treats the file as the reply to your CSR (replacing the self-signed placeholder) rather than as a new trusted certificate:

keytool -import -trustcacerts -alias server -keystore /tmp/keystore.jks -file /path/to/certs/you/uploaded.p7b

  • Verify that the entry exists and is of type “PrivateKeyEntry” with a certificate chain length greater than 1 – if it shows up as a “trustedCertEntry”, or the chain length is still 1, the certificates were imported under the wrong alias and Tomcat will not be happy.
    keytool -list -v -keystore /path/to/keystore.jks | more

Step 5 – Configuring the Server

Find the location of server.xml (the config file for Tomcat)

find / -name server.xml

Specify the correct keystore filename, password and key alias (the alias you used with keytool, “server” in this tutorial) in your connector configuration. Because keystorePass is stored in plaintext, make server.xml and the keystore readable only by the user Tomcat runs as, and move the keystore out of /tmp to a permanent location such as Tomcat's conf directory.

When you are done, your connector should look something like this, although your port numbers and thread settings may vary depending on your setup (this is the older attribute style; Tomcat 8.5 and later also accept nested <SSLHostConfig> and <Certificate> elements, so check the connector documentation for your version):

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />

  • Restart Tomcat
  • Test your website
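To make the verification in Step 4 less eyeball-dependent, here is an added shell example (not part of the original tutorial) that parses `keytool -list -v` output and confirms what Tomcat actually needs before you restart it: the alias named in keyAlias is a PrivateKeyEntry, its chain holds the CA-signed certificate plus intermediates rather than the self-signed placeholder from Step 1, the leaf names the host, and the key is at least 2048 bits. The alias “server” and host “jgomez.net” are taken from the tutorial; the two sample listings in the block are constructed and abbreviated, and `check_keystore` is a hypothetical wrapper that assumes keytool on the PATH and the store password in the KEYSTORE_PASS environment variable.

```sh
#!/bin/sh
# Added example (not from the original article): sanity-check a Tomcat keystore
# after Step 4 by parsing `keytool -list -v` output. Tomcat needs the alias in
# keyAlias to be a PrivateKeyEntry whose chain holds the CA-signed leaf plus its
# intermediates; a trustedCertEntry or a leftover self-signed placeholder (chain
# length 1) is the usual cause of "keytool -list looks fine but TLS fails".

# check_listing ALIAS HOST  -- reads `keytool -list -v` text on stdin.
# Prints PASS/FAIL lines; returns 0 only when every check passes.
check_listing() {
    want=$1 host=$2 rc=0
    # Keep only the block for our alias; keytool separates entries with
    # lines of asterisks.
    entry=$(awk -v a="$want" '
        /^Alias name: / { inblk = ($0 == "Alias name: " a) }
        /^\*\*\*/       { inblk = 0 }
        inblk           { print }')
    if [ -z "$entry" ]; then
        echo "FAIL: alias '$want' not found (check keyAlias in server.xml)"; return 1
    fi
    etype=$(printf '%s\n' "$entry" | sed -n 's/^Entry type: //p')
    if [ "$etype" != "PrivateKeyEntry" ]; then
        echo "FAIL: '$want' is '$etype', not PrivateKeyEntry (cert imported under the wrong alias?)"
        return 1
    fi
    chain=$(printf '%s\n' "$entry" | sed -n 's/^Certificate chain length: //p')
    if [ "${chain:-1}" -lt 2 ]; then
        echo "FAIL: chain length ${chain:-1}; the CA-signed cert and intermediates were not imported"; rc=1
    fi
    # Certificate[1] is the leaf, so the first Owner/Issuer pair belongs to it.
    owner=$(printf '%s\n' "$entry" | sed -n 's/^Owner: //p' | head -n 1)
    issuer=$(printf '%s\n' "$entry" | sed -n 's/^Issuer: //p' | head -n 1)
    if [ "$owner" = "$issuer" ]; then
        echo "FAIL: leaf is self-signed ($owner); still the keytool -genkey placeholder"; rc=1
    fi
    # Accept the host in the CN or a DNS SAN (browsers only honour the SAN).
    # Dots in $host are regex wildcards here, which is close enough for a sanity check.
    if ! printf '%s\n' "$entry" | grep -Eq "(CN=|DNSName: )$host(,|\$)"; then
        echo "FAIL: leaf does not name $host (Owner: $owner)"; rc=1
    fi
    bits=$(printf '%s\n' "$entry" | sed -n 's/^Subject Public Key Algorithm: \([0-9][0-9]*\)-bit.*/\1/p' | head -n 1)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "FAIL: ${bits}-bit key; regenerate the keystore with -keysize 2048"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: '$want' is a PrivateKeyEntry for $host with a $chain-certificate chain"
    return "$rc"
}

# check_keystore KEYSTORE ALIAS HOST -- hypothetical wrapper that runs keytool
# for real. The store password is read from $KEYSTORE_PASS via -storepass:env so
# it never appears in `ps` output or shell history.
check_keystore() {
    keytool -list -v -keystore "$1" -storepass:env KEYSTORE_PASS | check_listing "$2" "$3"
}

# Constructed, abbreviated sample of `keytool -list -v` after a correct import.
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: server
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Certificate[3]:
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
*******************************************
*******************************************'

# Constructed sample of the same store right after Step 1: only the self-signed placeholder.
BAD_LISTING='Alias name: server
Creation date: Jan 5, 2024
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US
Issuer: CN=jgomez.net, OU=Geeks, O=Joes Consulting, L=Monterey, ST=California, C=US
Subject Public Key Algorithm: 2048-bit RSA key
*******************************************
*******************************************'

printf '%s\n' "$GOOD_LISTING" | check_listing server jgomez.net
printf '%s\n' "$BAD_LISTING"  | check_listing server jgomez.net
# Against a real store:  KEYSTORE_PASS=... check_keystore /path/to/keystore.jks server jgomez.net
```

Run it against the real store with `KEYSTORE_PASS=... check_keystore /path/to/keystore.jks server jgomez.net` before restarting Tomcat. After the restart, confirm what the server actually sends with `openssl s_client -connect jgomez.net:443 -servername jgomez.net </dev/null`; the certificate chain it prints should list your certificate and the intermediates, and the verify return code should be 0.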

I hope this helps.
