
I'm looking to use an SSL certificate for my web application. Can anyone give pointers as to how I include this in the web application? Via the web.xml file? I have found lots of examples for IIS, but I will be using Tomcat and Apache.

I guess the process includes purchasing a certificate and then associating the web app with the certificate? Is that correct?

Santiago

2 Answers


You can create a self-signed certificate. Short version: the configuration goes in conf/server.xml, and looks something like this:

<!-- JSSE HTTPS connector with mutual TLS. clientAuth="true" makes Tomcat
     demand a client certificate that chains to an entry in the truststore;
     because the truststore is the same JKS as the keystore, only client
     certificates issued by what is in server.jks are accepted. Replace the
     placeholder passwords before use. -->
<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>
<!-- SSLVerifyClient and SSLVerifyDepth belong to the APR (tcnative)
     connector and SSLEngine to the AprLifecycleListener; the JSSE connector
     configured by keystoreFile above does not use them. -->

For details, see source Q&A.

Matt Ball

I guess the process includes purchasing a certificate and

You do not have to buy anything. You can use Java's keytool, OpenSSL or Bouncy Castle to create a self-signed certificate. But for this to work you must configure your web clients to use a custom truststore or import the certificate into Java's default truststore.

associating the web app with the certificate

No. It is the server that is authenticated and sends the certificate and not the web application.

will be using tomcat and apache.

You have to go to server.xml and uncomment the connector for SSL.
There you must define the keystore and the password. If you want mutual authentication the truststore as well. E.g.

<!-- JSSE (blocking) HTTPS connector. clientAuth="false" is one-way TLS, so
     no truststore is needed; keystoreType="PKCS12" lets Tomcat read a .p12
     produced by OpenSSL or keytool directly. scheme/secure/SSLEnabled are
     the attributes already present on the commented-out connector in the
     stock server.xml. -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol" clientAuth="false"
           port="8443" scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/conf/serverKeys.p12"
           keystoreType="PKCS12" keystorePass="123456"
/>
<!-- etc.: further attributes (thread limits, sslProtocol, ...) go in the same tag -->

You can check Tomcat's guide: Tomcat SSL how-to

Cratylus
  • @user384706 When you say that the web clients must be configured or the certificate imported, do you mean that I need to configure or import the certificate on the client machines? I will know exactly which machines will access the web application. Will this also block other machines from accessing the web application? – Santiago Mar 18 '11 at 20:27
  • @Santiago: If you want to use SSL then during the SSL handshake, the server's certificate will be requested. If this is an unknown certificate, i.e. not part of the truststore, then the connection will stop (server fails to authenticate). So in order to avoid that the certificate must be imported into the truststore. For example, by default Java uses the `cacerts` under `lib\security`. You can override this and define a custom truststore and configure the client to use that. Does this answer your question? – Cratylus Mar 19 '11 at 12:18
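The steps the second answer and its comment thread describe, as an added example that is not part of either answer: generate a self-signed certificate, package it as the PKCS12 keystore that both Connector snippets above reference through keystoreFile/keystoreType="PKCS12", and run the trust check that fails against the default truststore and succeeds once the certificate is in a custom one. The hostname localhost, the output directory, the alias tomcat-dev and the password changeit are assumptions; openssl is required, and keytool (a JDK) only for the last function.

```shell
#!/bin/sh
# Added example, not code from the original answers. Assumptions: hostname
# "localhost", output files under a directory you choose, password "changeit".

# make_selfsigned_keystore DIR HOSTNAME
#   Writes DIR/key.pem, DIR/cert.pem and DIR/server.p12. The .p12 is what
#   Tomcat's keystoreFile / keystoreType="PKCS12" attributes consume.
make_selfsigned_keystore() {
    dir=$1
    host=$2
    # Self-signed certificate with a subjectAltName: browsers match the
    # hostname against the SAN and ignore a bare CN (needs OpenSSL >= 1.1.1).
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # Bundle private key and certificate; this password is keystorePass in
    # server.xml. The alias is informational for JSSE.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name tomcat -out "$dir/server.p12" -passout pass:changeit || return 1
    # The key and keystore should be readable only by the Tomcat user.
    chmod 600 "$dir/key.pem" "$dir/server.p12"
}

# is_trusted_by_default CERT
#   Chains CERT against OpenSSL's default trust store only. A self-signed
#   certificate is never in it, so this returns non-zero: the same failure a
#   browser or Java client reports when given the certificate as-is.
is_trusted_by_default() {
    openssl verify "$1" >/dev/null 2>&1
}

# is_trusted_with_truststore CERT TRUSTSTORE_PEM
#   Same check with an explicit truststore, a PEM bundle that contains the
#   self-signed certificate. Returns 0 when CERT is trusted.
is_trusted_with_truststore() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# import_into_java_truststore CERT TRUSTSTORE_P12
#   Java clients read a keystore rather than a PEM bundle. This builds a
#   separate truststore to hand to the client instead of editing the JDK's
#   own lib/security/cacerts.
import_into_java_truststore() {
    keytool -importcert -noprompt -alias tomcat-dev -file "$1" \
        -keystore "$2" -storetype PKCS12 -storepass changeit
}

# demo DIR: run the whole sequence and report both trust checks.
demo() {
    dir=$1
    make_selfsigned_keystore "$dir" localhost || return 1
    if is_trusted_by_default "$dir/cert.pem"; then
        echo "unexpected: self-signed cert trusted by default"
    else
        echo "default truststore: rejected (expected for self-signed)"
    fi
    if is_trusted_with_truststore "$dir/cert.pem" "$dir/cert.pem"; then
        echo "custom truststore: accepted"
    else
        echo "custom truststore: rejected"
        return 1
    fi
}
```

Source the file and call `demo /tmp/tomcat-tls`, then point keystoreFile at /tmp/tomcat-tls/server.p12 with keystorePass="changeit". For a Java client, build the truststore with `import_into_java_truststore /tmp/tomcat-tls/cert.pem /tmp/tomcat-tls/truststore.p12` and start the client with `-Djavax.net.ssl.trustStore=/tmp/tomcat-tls/truststore.p12 -Djavax.net.ssl.trustStorePassword=changeit`; a browser needs the same cert.pem imported as a trusted authority. Note that trusting the certificate on a client does not restrict which machines may connect; that is what the clientAuth="true" connector in the first answer is for.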