HOWTO: Adding SSL Support to Tomcat

After killing Tomcat a few times (it's so temperamental), this is how I finally managed to add SSL support to Tomcat:

Creating the Keystore:

I used a modification of the genks.bat file supplied by the HOW To page (see Related Links). For some reason DOS didn't recognize my %JAVA_HOME% variable, so I was forced to hard code it. Replace c:\j2sdk1.4.0 with the path to your JDK.

Note: SSL support needs JSSE which is only included with the JDK as of 1.4.0, so if you're running an earlier version of Java you'll need to first install JSSE. Follow the instructions on either Related Links page (I didn't test either as was running 1.4.0 at the time of this writing).

Run the following command (genks.bat allows you to generate many more files, but server.keystore is the only one you really need):

c:\j2sdk1.4.0\bin\keytool -genkey -alias tomcat-sv -dname » "CN=localhost, OU=ProjectGroup, O=Organization, L=Location, » S=SS, C=CC" -keyalg RSA -keypass yourpassword » -storepass yourpassword -keystore server.keystore

Note that the character » is used to indicate continuation of the same line. It needs to be all on the same command line. Also, SS is the two letter code for your State/Province and CC is the two letter code for your country.

Run it from wherever you want (I ran it from my {Tomcat Install Dir}). In the same directory as you ran the command, you will have a new file:

  • server.keystore

The necessary key is now created.

Configuring Tomcat:

There are two ways to configure Tomcat. Either way, I suggest you save the original server.xml file somewhere in case things go wrong.

The first is to edit the {Tomcat Install Dir}\conf\server.xml file. I didn't have much luck with that. Every time I touched that file Tomcat died.

The second (and the one I ended up using) is to use Tomcat's Admin page. In your browser, navigate to http://localhost:8080/admin and log in (the default username is admin and there is no password). In the menu, click on Service (Tomcat-Standalone). On the Available Actions pull-down box, select Create New Connector. Add/Change the following information:

  • Type: HTTPS
  • IP Address:
  • Port Number: 8443
  • Keystore Filename: Wherever you saved server.keystore (for me it was C:\Program Files\Apache Group\Tomcat 4.1\server.keystore)
  • Keystore Password: yourpassword

Click on Save and then On Commit Changes in the header. Log out. Restart Tomcat (you may have to do it multiple times, as I did - I even needed a cold boot).

Testing the SSL Support:

Tomcat should now have SSL support. In your browser (IE for these instructions), navigate to https://localhost:8443/ as we added the SSL connector to port 8443. If it worked, you should see a Security Alert window. Click Yes to accept the certiciate, the Tomcat main page should now show up with a lock in the status bar. Success!

You should see the Security Alert every time you open a new browser window. This can get annoying, so you can install the certificate so that the browser automatically accepts it. On the Security Alert window, or by double-clicking on the lock, click on Install Certificate and follow the on-screen instructions.

Related Links:

Installing and Configuring SSL Support on Tomcat
Web Services Over SSL - HOW TO