
Tomcat SSL Administration on Windows

A comprehensive guide to SSL/TLS configuration in Apache Tomcat on Windows using Java Keystore (JKS) and PKCS12.


Introduction

When ordering an SSL certificate, you must provide a Certificate Signing Request (CSR), which is generated from a private key.

If you prefer to create the private key yourself and generate the CSR locally, please follow the CSR Generation section, followed by SSL Certificate Installation.

Alternatively, if you select our CSR service during the ordering process, we will generate the private key and CSR for you. You will then receive the certificate and key securely as a combined .PFX file. In this case, follow the Installation via PFX file section.

In addition to installing the certificate, you must ensure the HTTPS connector is active in your configuration and assigned to the correct port (e.g., 443).

All directory paths in this guide refer to a standard installation. If your server environment differs, please adjust the paths accordingly.

To identify your current installation details, follow these steps:

  1. Run the following command to find the versions of your OS, Tomcat, and JVM:

c:\tomcat\bin\version.bat

  2. Create a certificates directory to store your certificates and keystore files:

mkdir c:\tomcat\certificates

CSR Generation

In this example we use a single DNS name; the same procedure applies to standard and SAN certificates. For a wildcard certificate, the Common Name must be the wildcard itself, e.g. *.fairssl.dk

To complete the order and generate the CSR, you will need the following information:

  • Common Name (CN): The primary fully qualified domain name (FQDN). E.g.: www.fairssl.dk
  • Organization Name (O): The full legal name of your company. E.g.: FairSSL ApS
  • Organizational Unit (OU): The department using the certificate. Avoid names that could be confused with other companies. Public CAs no longer include the OU field in issued certificates (it was removed from the CA/Browser Forum Baseline Requirements in 2022), so it is safest to leave it blank. If your form requires a value, use the company name. E.g.: FairSSL ApS
  • Locality (L): The city. E.g.: Oerum Djurs
  • State (ST): The state, province, or county. E.g.: Norddjurs
  • Country (C): The ISO-standard two-letter country code in uppercase. E.g.: DK

Please note that Java Keytool does not handle special characters (such as Æ, Ø, Å) correctly; please use AE, OE, or AA instead.

Creating the Keystore

  1. Create a keystore file by running the following command:

If you already have a keystore, you can use its existing path and password.

    • alias: A memorable name for the key pair, such as the DNS name. The same alias is used later for the CSR and for importing the issued certificate.
    • password: keytool prompts for a keystore password (at least six characters). Tomcat only falls back to changeit when no password is configured on the connector, so choose your own and enter it in server.xml later.

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -genkeypair -alias www.mydomain.dk -keyalg RSA -keysize 2048 -keystore c:\tomcat\certificates\keystore

(-genkeypair is the current name of the command; the older spelling -genkey is still accepted.)

Enter the information gathered in the CSR Generation section.

First and last name: Enter the Common Name here; keytool places this answer in the CN field.

At the Enter key password for prompt, press Enter to leave it blank so the key password is the same as the keystore password. Tomcat unlocks the private key with the keystore password unless a separate key password is configured on the connector, so the two must match.

Creating the CSR

  1. To create a CSR, use the alias established when the keystore was created.

Run the following command and enter your keystore password when prompted:

    • alias: The alias of the key pair the CSR is for.
    • keystore: The path and name of the keystore file.
    • file: The destination path and filename for the CSR.

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -certreq -alias www.mydomain.dk -keystore c:\tomcat\certificates\keystore -file c:\tomcat\certificates\www.mydomain.dk.csr

The key algorithm and size were fixed when the key pair was generated, so -keyalg and -keysize have no effect on -certreq and are omitted here. keytool signs the request with SHA-256 by default.

  2. Open the CSR file with your preferred text editor (e.g., notepad c:\tomcat\certificates\www.mydomain.dk.csr).

Copy the entire text block, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- lines.

Paste this text into the CSR field during the certificate order process.

(The original page shows a screenshot of a complete CSR at this point.)
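The two keytool steps above are interactive. The PowerShell script below, an added example that is not part of the FairSSL guide, performs the same keystore and CSR generation non-interactively and adds a Subject Alternative Name extension, which is what a SAN certificate order needs. The keytool path, domain names, subject fields and password prompt are assumptions; replace them with your own values.

```powershell
# Added example, not from the original guide: non-interactive keystore + CSR creation.
# Assumed placeholders: keytool path, certificate directory, domain names and subject fields.
$keytool  = 'C:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe'
$certDir  = 'C:\tomcat\certificates'
$keystore = Join-Path $certDir 'keystore'
$alias    = 'www.mydomain.dk'
$csrFile  = Join-Path $certDir "$alias.csr"

# Tomcat unlocks the key with the keystore password, so the same value is used for both.
# Prompting keeps the password out of the shell history; it is still passed to keytool as an argument.
$storePass = Read-Host -Prompt 'Keystore password (at least 6 characters)'

# Subject in keytool's dname syntax (ST = state/province). Use ASCII transliterations such as AE/OE/AA.
$dname = 'CN=www.mydomain.dk, O=FairSSL ApS, L=Oerum Djurs, ST=Norddjurs, C=DK'
# Every hostname the certificate must cover, including the CN itself.
$san   = 'SAN=dns:www.mydomain.dk,dns:mydomain.dk'

New-Item -ItemType Directory -Force -Path $certDir | Out-Null

# 1. Generate the 2048-bit RSA key pair; keytool stores it under a self-signed placeholder certificate.
#    -storetype JKS matches the rest of this guide; on Java 9+ keytool would otherwise default to PKCS12.
& $keytool -genkeypair -alias $alias -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname $dname -ext $san `
    -keystore $keystore -storetype JKS -storepass $storePass -keypass $storePass
if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed (does the alias already exist?)' }

# 2. Create the CSR. keytool does not copy extensions from the placeholder certificate into the
#    request, so the SAN list must be passed again here or the CSR will carry only the CN.
& $keytool -certreq -alias $alias -ext $san -file $csrFile `
    -keystore $keystore -storepass $storePass -keypass $storePass
if ($LASTEXITCODE -ne 0) { throw 'keytool -certreq failed' }

# 3. Inspect the request before submitting it: subject, RSA key and the SAN extension should all be present.
#    -printcertreq exists in Java 7 and later.
& $keytool -printcertreq -file $csrFile
```

Run it from a PowerShell prompt rather than cmd.exe; the keytool options are the same ones the guide uses, only supplied as arguments instead of answers to prompts. If -printcertreq shows no "Extension Request" block with the DNS names, the -ext option was dropped from the -certreq step.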

SSL Certificate Installation

  1. Import the intermediate certificate into the keystore file. Use an alias that is not already present in the keystore; intermediate below is only a label:

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -import -alias intermediate -keystore c:\tomcat\certificates\keystore -trustcacerts -file c:\tomcat\certificates\intermediate.crt

  2. Import your server certificate into the keystore file. The alias must be the one used when the key pair was created, so that keytool treats the file as the reply to your CSR and attaches it to the private key. keytool can only do this if it can build the chain to the issuer, which is why the intermediate is imported first. The expected response is Certificate reply was installed in keystore; if keytool instead asks Trust this certificate?, the alias is wrong and the certificate would be stored as a separate trusted entry without the key, so answer no and check the alias:

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -import -alias www.mydomain.dk -keystore c:\tomcat\certificates\keystore -file c:\tomcat\certificates\www.mydomain.dk.crt

  3. Restart the Tomcat service.
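Before restarting Tomcat it is worth confirming that the import actually replaced the self-signed placeholder under the key alias. The PowerShell check below is an added example, not part of the FairSSL guide; it runs keytool -list -v (available in every JDK) and parses the listing. The keytool path, keystore path and alias are assumed placeholders.

```powershell
# Added example, not from the original guide: verify the private-key entry now carries the CA-issued chain.
# Assumed placeholders: keytool path, keystore path and alias.
$keytool   = 'C:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe'
$keystore  = 'C:\tomcat\certificates\keystore'
$alias     = 'www.mydomain.dk'
$storePass = Read-Host -Prompt 'Keystore password'

# keytool writes the listing to stdout; warnings (e.g. about the JKS format on Java 9+) go to stderr.
$listing = & $keytool -list -v -keystore $keystore -storepass $storePass -alias $alias | Out-String
if ($LASTEXITCODE -ne 0) { throw "keytool -list failed for alias '$alias'" }

# The certificate must sit in the key entry, not in a separate trustedCertEntry.
if ($listing -notmatch 'Entry type:\s*PrivateKeyEntry') {
    throw "'$alias' is not a private-key entry; the certificate was imported under the wrong alias"
}

# Chain length 1 means the self-signed placeholder is still there; a CA reply gives 2 or more
# (server certificate + intermediate(s)).
$len = [int]([regex]::Match($listing, 'Certificate chain length:\s*(\d+)').Groups[1].Value)
if ($len -lt 2) {
    throw "Chain length is $len under '$alias': the CA-signed certificate was not installed"
}

# Certificate[1] is the leaf: its Owner must differ from its Issuer, and the Issuer should be the CA intermediate.
$owner  = [regex]::Match($listing, 'Owner:\s*(.+)').Groups[1].Value.Trim()
$issuer = [regex]::Match($listing, 'Issuer:\s*(.+)').Groups[1].Value.Trim()
if ($owner -eq $issuer) { throw "Certificate under '$alias' is still self-signed" }

# Expiry of the leaf certificate, from the "Valid from: ... until: ..." line.
$until = [regex]::Match($listing, 'until:\s*(.+)').Groups[1].Value.Trim()
"OK: '$alias' has a chain of $len certificates, issued by $issuer, valid until $until"
```

Each throw names the usual cause: a wrong alias on the second import, or the intermediate missing so keytool could not accept the reply. Fix the keystore and rerun the check before restarting the service.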

Installation via PFX file

Tomcat 5 and later support the use of PKCS#12 (.PFX) files directly in the configuration.

If this method fails, follow the Converting PFX to Keystore section (keytool -importkeystore requires Java 6 or later).

  1. Place your PFX file in c:\tomcat\certificates
  2. Open the server.xml file with a text editor:

notepad c:\tomcat\conf\server.xml

  3. Enter the following configuration, adjusting values to match your server. The attribute names below are the SSLHostConfig/Certificate form introduced in Tomcat 8.5; on older versions the equivalent keystoreFile, keystorePass and keystoreType attributes go directly on the Connector element.
    • port: The HTTPS port, normally 443.
    • hostName: The DNS name of your website. Tomcat selects this SSLHostConfig by the name the client sends (SNI); because it is not _default_, the Connector must also name it in defaultSSLHostConfigName, otherwise Tomcat refuses to start with "No SSLHostConfig element was found with the hostName [_default_]".
    • certificateKeystoreFile: The path to your PFX file.
    • certificateKeystorePassword: The password for the PFX file. If you used our CSR service, this was sent via SMS.
    • protocols: Enable only TLSv1.2 (add TLSv1.3 on a JVM that supports it, such as Java 11 or later). TLSv1 and TLSv1.1 are deprecated and should not be enabled.
    • certificateVerification="none" corresponds to the old clientAuth="false": clients are not asked for a certificate.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           defaultSSLHostConfigName="www.mydomain.dk">
    <SSLHostConfig hostName="www.mydomain.dk" protocols="TLSv1.2" certificateVerification="none">
        <Certificate certificateKeystoreFile="c:\tomcat\certificates\www.mydomain.dk.pfx"
                     certificateKeystorePassword="MyPassWord"
                     certificateKeystoreType="PKCS12" />
    </SSLHostConfig>
</Connector>

  4. Restart the Tomcat service.

Converting PFX to Keystore

  1. If you have an existing keystore, back it up using the following command:

move c:\tomcat\certificates\keystore c:\tomcat\certificates\keystore.bak

  2. If you used our CSR service, the alias will typically be something like fairssl-2018. You can keep this or change it to something more descriptive.

Run the following command to list the aliases within the PFX file (on Java 8 the -storetype PKCS12 option is required, as keytool otherwise expects a JKS file and reports an invalid keystore format):

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -list -storetype PKCS12 -keystore c:\tomcat\certificates\www.mydomain.dk.pfx

  3. Import the PFX file into a new keystore with the following command:
    • srckeystore: The path to the PFX file.
    • srcalias: The alias identified in step 2. If the PFX contains a single entry, -srcalias and -destalias may be omitted and the entry keeps its alias.
    • srcstorepass: The PFX file password.
    • destkeystore: The path for the new JKS keystore file.
    • destalias: The desired alias in your new keystore.
    • deststorepass: The password for the new keystore.
    • destkeypass: Must be identical to deststorepass.

"c:\Program Files\Java\jdk1.8.0_181\bin\keytool.exe" -importkeystore -srckeystore c:\tomcat\certificates\www.mydomain.dk.pfx -srcalias fairssl-2018 -srcstoretype PKCS12 -srcstorepass myPassword -destkeystore c:\tomcat\certificates\keystore -deststoretype JKS -destalias www.mydomain.dk -deststorepass keystorePassword -destkeypass keystorePassword

Both passwords appear on the command line here; clear the command history afterwards or omit the -srcstorepass and -deststorepass options so keytool prompts for them.

  4. Restart the Tomcat service.

Configuring server.xml

  1. Open the server.xml file with a text editor:

notepad c:\tomcat\conf\server.xml

  2. Configure the HTTPS connector with the following settings, tailored to your server. As in the PFX section, the attribute names are the Tomcat 8.5+ SSLHostConfig/Certificate form; on older versions use keystoreFile, keystorePass and keyAlias on the Connector element instead.
    • port: The HTTPS port, normally 443.
    • hostName: The DNS name of your website, matched against the client's SNI. It must also be named in the Connector's defaultSSLHostConfigName, otherwise Tomcat refuses to start with "No SSLHostConfig element was found with the hostName [_default_]".
    • certificateKeystoreFile: The path to your JKS keystore.
    • certificateKeystorePassword: The password created for the keystore file.
    • certificateKeyAlias: The alias of the key pair in the keystore. Without it Tomcat uses the first key entry it finds, which is wrong as soon as the keystore holds more than one.
    • certificateKeystoreType: Defaults to JKS. If the keystore was created as PKCS12 (the keytool default on Java 9 and later), set it to PKCS12.
    • protocols: Enable only TLSv1.2 (add TLSv1.3 on a JVM that supports it, such as Java 11 or later); TLSv1 and TLSv1.1 are deprecated.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           defaultSSLHostConfigName="www.mydomain.dk">
    <SSLHostConfig hostName="www.mydomain.dk" protocols="TLSv1.2" certificateVerification="none">
        <Certificate certificateKeystoreFile="c:\tomcat\certificates\keystore"
                     certificateKeystorePassword="MyPassWord"
                     certificateKeyAlias="www.mydomain.dk"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

  3. Restart the Tomcat service.
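After the restart, the only check that matters is what clients actually see on port 443. The PowerShell probe below is an added example, not part of the FairSSL guide: it completes a TLS 1.2 handshake against the connector using the .NET SslStream class, reports the negotiated protocol and the served certificate, flags chain problems (typically a missing intermediate) and then confirms that TLS 1.0 and 1.1 are refused. The host name and port are assumptions.

```powershell
# Added example, not from the original guide: probe the HTTPS connector from the outside.
# Assumed placeholders: host name and port.
$hostName = 'www.mydomain.dk'
$port     = 443

function Test-TlsHandshake {
    param(
        [string]$TargetHost,
        [int]$Port,
        [System.Security.Authentication.SslProtocols]$Protocol
    )
    $global:TlsPolicyErrors = $null
    # Record the chain validation result instead of aborting, so a bad chain is reported rather than hidden.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $global:TlsPolicyErrors = $sslPolicyErrors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # $TargetHost is sent as SNI, which is the name the connector's hostName must match.
        $ssl.AuthenticateAsClient($TargetHost, $null, $Protocol, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            PolicyErrors = $global:TlsPolicyErrors
        }
    } finally {
        $tcp.Close()
    }
}

# 1. TLS 1.2 must succeed and present the CA-issued certificate with a clean chain.
$result = Test-TlsHandshake -TargetHost $hostName -Port $port -Protocol Tls12
$result | Format-List
if ($result.Subject -eq $result.Issuer) {
    Write-Warning 'The server presented a self-signed certificate; the CA reply was not installed under the key alias'
}
if ($result.PolicyErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Warning "Chain problem: $($result.PolicyErrors). RemoteCertificateChainErrors usually means the intermediate is missing from the keystore; RemoteCertificateNameMismatch means the name is not in the certificate"
}
if ($result.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($result.NotAfter)"
}

# 2. Deprecated protocols must be refused. A failed handshake is the desired outcome here.
#    (A recent Windows client may itself refuse TLS 1.0/1.1; in that case the test cannot tell
#    which side declined, so verify the connector's protocols attribute directly as well.)
foreach ($old in 'Tls', 'Tls11') {
    try {
        $r = Test-TlsHandshake -TargetHost $hostName -Port $port -Protocol $old
        Write-Warning "$old was accepted (negotiated $($r.Protocol)); remove it from the connector's protocols list"
    } catch {
        "OK: $old refused"
    }
}
```

Run the probe from a machine other than the server where possible, so that host firewall rules and the port binding are exercised as a real client would see them. A PolicyErrors value of None together with an Issuer that names the CA's intermediate means the keystore import and the connector configuration are both correct.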

Intermediate Certificates

Intermediate certificates for various authorities are available on our Intermediate Certificates page.

We recommend using the intermediate certificate supplied with your order, since that file is guaranteed to match your specific server certificate. Download from the page only if the original is lost, and before importing check that the downloaded certificate's Subject equals the Issuer of your server certificate.

Strengthen your TLS security

Use the Mozilla SSL Configuration Generator to generate a secure TLS configuration for Tomcat with modern cipher suites and protocol settings; its output replaces the protocols attribute shown above and adds a ciphers attribute on the SSLHostConfig element.

Mozilla SSL Configuration Generator guide
