I want to enable or configure HTTPS on my Tomcat 8 server. This requires me to configure certificate paths. I have received a .pem file; how do I use this .pem file to configure HTTPS on Tomcat?
3 Answers
While most answers concentrate on versions 7.0 and 8.0 of Tomcat that were supported at the time of the question, since version 8.5.2 (May 2016) it is possible to use PEM files directly without conversion to a PKCS12 file.
You can either:
- put the PEM encoded private key and all certificates in the order from leaf to root into a single file (let's say `conf/cert.pem`) and use:

```xml
<Connector port="443" SSLEnabled="true" secure="true" scheme="https">
    <SSLHostConfig>
        <Certificate certificateFile="conf/cert.pem" />
    </SSLHostConfig>
</Connector>
```

  Storing both private key and certificate in the same file is highly discouraged.
- put the private key in `conf/privkey.pem` and the certificates (in the usual order) in `conf/cert.pem` and use:

```xml
<Connector port="443" SSLEnabled="true" secure="true" scheme="https">
    <SSLHostConfig>
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem" />
    </SSLHostConfig>
</Connector>
```

- use three separate files: e.g. `conf/privkey.pem` for the private key, `conf/cert.pem` for the server certificate and `conf/chain.pem` for the intermediary certificates, and use:

```xml
<Connector port="443" SSLEnabled="true" secure="true" scheme="https">
    <SSLHostConfig>
        <Certificate certificateFile="conf/cert.pem"
                     certificateKeyFile="conf/privkey.pem"
                     certificateChainFile="conf/chain.pem" />
    </SSLHostConfig>
</Connector>
```

This configuration is supported for all three connector types: NIO, NIO2 and APR.
- Are you sure all can be in a single PEM file? Because Tomcat documentation mentions nothing about that for `certificateFile`? https://tomcat.apache.org/tomcat-9.0-doc/config/http.html – Evren Yurtesen Mar 29 '21 at 22:06
- @EvrenYurtesen: Yes, you can check [this source code line](https://github.com/apache/tomcat/blob/8623d4becf96dce9c467600cc5791b3847e661f7/java/org/apache/tomcat/util/net/SSLUtilBase.java#L314). `certificateFile` is the default value of `certificateKeyFile`. – Piotr P. Karwasz Mar 30 '21 at 05:04
- Yes, the manual says the `certificateKeyFile` default value is the value of `certificateFile`. (Also there is a warning saying "not recommended".) But it does not say anything about intermediate/chain. I think the code you pointed out also does not load `certificateChainFile` from `certificateFile`, hmm? – Evren Yurtesen Mar 30 '21 at 21:10
- The certificates found in `certificateChainFile` are appended to those in `certificateFile`. This way Tomcat supports the same configurations as [Apache Httpd](https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcertificatechainfile) and [nginx](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate). I added the remark about putting private and public key in the same file, thank you. – Piotr P. Karwasz Mar 31 '21 at 05:01
- What I meant was that putting chain/intermediate certificates into `certificateFile` without using `certificateChainFile` does not seem to be supported. So the first option of putting everything into one file should not work? – Evren Yurtesen Mar 31 '21 at 14:19
- I agree: options 1 and 2 are not explicitly documented, so they might stop working in a future release. However I doubt this will ever be the case: breaking configurations 1 and 2 might still be seen as a regression. – Piotr P. Karwasz Mar 31 '21 at 15:17
- What I meant was, in the source code you linked, the chain file is only loaded if it is defined: `if (certificate.getCertificateChainFile() != null)`. Maybe it works somehow... perhaps I should test it some day :) – Evren Yurtesen Mar 31 '21 at 16:43
- Yes, the best option is to test it. The crucial part is that the code imports **all** certificates from `certificateFile` and **all** certificates in `certificateChainFile`. Where you put a certificate does not matter, only the order matters. – Piotr P. Karwasz Mar 31 '21 at 18:26
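The comment thread above hinges on what a combined PEM bundle actually contains and in which order. The script below is an added example (not code from the answer or from the Tomcat project): it splits a single bundle into the three-file layout the answer describes (`conf/privkey.pem`, `conf/cert.pem`, `conf/chain.pem`), refuses bundles that are ambiguous (no certificate, no key, more than one private key, unknown block types), writes the key file with owner-only permissions, and renders the matching `<Connector>`. It assumes the bundle is already in leaf-to-root order, as the answer requires, and does not check issuer links between certificates; the sample bundle is constructed with placeholder base64 bodies.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# One PEM block; the END label must repeat the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Labels treated here as the private key (PKCS#8 and the legacy OpenSSL forms).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# Constructed sample bundle: the base64 bodies are placeholders, not real key or
# certificate material; only the PEM framing and the block order matter here.
SAMPLE_BUNDLE = """-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCPrivateKeyPlaceholder
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDLeafCertificatePlaceholder00000000000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDIntermediateCertificatePlaceholder000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDRootCertificatePlaceholder00000000000000000000000000000000000000
-----END CERTIFICATE-----
"""


def parse_pem_blocks(text: str) -> List[Tuple[str, str]]:
    """Return (label, block_text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]


def validate_bundle(text: str) -> List[str]:
    """List the problems that make a bundle unusable for the split; empty means OK."""
    labels = [label for label, _ in parse_pem_blocks(text)]
    n_keys = sum(1 for lbl in labels if lbl in KEY_LABELS)
    n_certs = labels.count("CERTIFICATE")
    problems = []
    if n_certs == 0:
        problems.append("bundle contains no CERTIFICATE block")
    if n_keys == 0:
        problems.append("bundle contains no private key block")
    if n_keys > 1:
        problems.append(f"bundle contains {n_keys} private keys; expected exactly one")
    for lbl in sorted({lbl for lbl in labels if lbl not in KEY_LABELS and lbl != "CERTIFICATE"}):
        problems.append(f"unexpected PEM block type: {lbl}")
    return problems


def split_bundle(text: str) -> Dict[str, str]:
    """Split a combined bundle into Tomcat's three-file layout.

    The first CERTIFICATE block is taken as the leaf and the remaining ones as
    the chain, so the input must already be ordered leaf to root. Issuer links
    are not verified here (openssl verify does that).
    """
    problems = validate_bundle(text)
    if problems:
        raise ValueError("; ".join(problems))
    blocks = parse_pem_blocks(text)
    key = next(block for label, block in blocks if label in KEY_LABELS)
    certs = [block for label, block in blocks if label == "CERTIFICATE"]
    return {"privkey.pem": key, "cert.pem": certs[0], "chain.pem": "".join(certs[1:])}


def connector_xml(parts: Dict[str, str], port: int = 443) -> str:
    """Render the three-file <Connector> from the answer for a split result."""
    attrs = ['certificateFile="conf/cert.pem"', 'certificateKeyFile="conf/privkey.pem"']
    if parts["chain.pem"]:  # a self-signed or chainless leaf needs no chain file
        attrs.append('certificateChainFile="conf/chain.pem"')
    joined = "\n                     ".join(attrs)
    return (
        f'<Connector port="{port}" SSLEnabled="true" secure="true" scheme="https">\n'
        "    <SSLHostConfig>\n"
        f"        <Certificate {joined} />\n"
        "    </SSLHostConfig>\n"
        "</Connector>\n"
    )


def write_parts(parts: Dict[str, str], conf_dir: Path) -> List[Path]:
    """Write the non-empty parts into conf_dir; the key file gets mode 0600."""
    conf_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for name, content in parts.items():
        if not content:
            continue
        path = conf_dir / name
        path.write_text(content)
        if name == "privkey.pem":
            path.chmod(0o600)
        written.append(path)
    return written


if __name__ == "__main__":
    import tempfile

    result = split_bundle(SAMPLE_BUNDLE)
    for written_path in write_parts(result, Path(tempfile.mkdtemp()) / "conf"):
        print("wrote", written_path)
    print(connector_xml(result))
```

Run it against a real bundle by replacing `SAMPLE_BUNDLE` with the file contents; if `validate_bundle` reports more than one private key or no certificate, fix the bundle before pointing any `<Certificate>` at it, since Tomcat reads every block in `certificateFile` and only the order distinguishes the leaf from the chain.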
To enable HTTPS on your project, follow the steps below:
1- Go to your `JAVA_HOME` and run the following command (your Java directory may be different):

```
"C:\Program Files\Java\jre1.8.0_161\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore \path\to\your\directory\keystore.exe
```

It will take you through a process, and will ask for a password for the `keystore.exe`. Remember this password.
2- At `\path\to\your\directory`, you should have your `keystore.exe`.
3- Now in your Apache Tomcat directory, open `server.xml` and write the following code:

```xml
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="9999" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="PATH_TO_YOUR_DIRECTORY/cert1.keystore" keystorePass="YOUR_PASSWORD_HERE"
           clientAuth="false" sslProtocol="TLS" />
```

4- Restart the server and open your project with HTTPS and port 9999. You will find your project on HTTPS now.
If the certificate files, including the Root, Intermediate and Primary certificate, were received in PEM format from the Certificate Authority for your domain, then import the certificate files into the Java Keystore using the following commands in the keytool command line utility:

```
"%JAVA_HOME%\bin\keytool" -import -trustcacerts -alias root -file RootCertFileName.crt -keystore keystore.key
"%JAVA_HOME%\bin\keytool" -import -trustcacerts -alias intermediate -file IntermediateCertFileName.crt -keystore keystore.key
"%JAVA_HOME%\bin\keytool" -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore keystore.key
```

Note: If you did not specify the alias during the keystore creation, the default value will be 'mykey'.
Upon executing the commands successfully, you will have a .keystore file that needs to be copied to the home directory. Now open the Tomcat configuration file (server.xml) in a text editor and locate the element whose port is 8443. Specify keystoreFile and keystorePass as follows:

```xml
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="/usr/local/ssl/server.crt"
    SSLCertificateKeyFile="/usr/local/ssl/server.pem"
    SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>
```

Then save your configuration file and restart the server to enable SSL on Tomcat using the .pem file.
You can follow the instructions in this post: https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html to enable SSL on a Tomcat 8 server.
- The config shown here references PEM files outside the keystore. Why import the subject certificate into the keystore? – symcbean Mar 05 '21 at 16:25