This document describes how to generate and install keys in Tomcat.
Use the keytool utility distributed with your Java SDK:
Go into the JDK\bin directory and make sure that it contains keytool.exe (for example c:\j2sdk1.4.2\bin), then add c:\PathToJavaSDK\bin to your PATH variable.
Create a new folder c:\tomcat-ssl, open a command prompt (Start > Run, type "cmd") and type cd \tomcat-ssl.
Step 1: Generate a keystore and keyentry (= Private Key):
keytool -genkey -keyalg RSA -alias tomcat -keystore .keystore
Enter keystore password: changeit
By default Tomcat expects the password to be "changeit". If you choose a different password you will have to make an additional change in Step 7.
What is your first and last name?
[Unknown]: www.mydomain.com (example)
What is the name of your organizational unit?
[Unknown]: Thawte testing (example)
What is the name of your organization?
[Unknown]: Thawte Testing (example)
What is the name of your City or Locality?
[Unknown]: Cape Town (example)
What is the name of your State or Province?
[Unknown]: Western Province (example)
What is the two-letter country code for this unit?
[Unknown]: ZA (example)
Is CN= www.mydomain.com , OU= Thawte testing , O= Thawte Testing , L= Cape Town , ST= Western Province , C= ZA correct?
[no]: yes
Enter key password for <tomcat>
(RETURN if same as keystore password) Just press enter here...
NOTE: Please specify the same password for the keystore and the keyEntry or else you will receive the following error message when you restart the jakarta engine: java.security.UnrecoverableKeyException: Cannot recover key
Note that a keystore has now been created.
Run keytool -list -keystore [keystorename] to make sure you can read the keystore file.
The keystore is written to the directory you ran keytool from (c:\tomcat-ssl above, which is the path used again in Step 7). Create a copy of the keystore file and store it on a removable disk for safe keeping in case of a server crash.
Step 2: Back up the keystore file:
1. Go to the directory the keystore was saved to.
Note: The default name for the keystore is .keystore, if none was provided.
2. Make a copy of the .keystore file, preferably to a removable disk, in case of a system crash.
Important: Make a note of the password that was set for the .keystore file when it was generated ("changeit" by default).
Step 3: Generate a CSR from the newly created keystore and key entry:
keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore .keystore
Enter keystore password: changeit
The CSR will be saved to your c:\tomcat-ssl directory as certreq.csr. It begins with
-----BEGIN NEW CERTIFICATE REQUEST-----
and ends with
-----END NEW CERTIFICATE REQUEST-----
Step 4: Send the CSR to a certificate authority:
Send the CSR file to your certificate authority (CA). Many organizations offer CA services; Verisign, Thawte and Equifax are a few of the most popular.
If you want to use a self-signed SSL certificate, you can skip this step and proceed to Step 7.
A self-signed certificate will always cause a warning to be displayed to the end user that the certificate is not valid.
A self-signed SSL certificate will also affect some Java web applications, including UnlimitedFTP Servlet, Files2U and Doctera.
Step 5: Save the signed certificate:
When you receive the certificate, save the Thawte-signed certificate in a Notepad file, named mythawtecert.txt for example.
Remember to download the certificate in PKCS#7 format.
Step 6: Import the Certificate into the keystore:
keytool -import -alias tomcat -trustcacerts -file mythawtecert.txt -keystore .keystore
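Steps 1, 3 and 6 can be run without the interactive prompts. The script below is an added example, not part of the original page: it drives the same keytool commands with the real -dname, -storepass and -keypass options, sets the key password equal to the keystore password (the UnrecoverableKeyException note in Step 1), and parses the output of keytool -list to confirm that the tomcat entry is readable before the CSR is produced. It assumes keytool is on PATH; the function names, the default working directory and the sample listing are this example's own.

```python
"""Non-interactive version of Steps 1, 3 and 6 of the Tomcat keystore procedure.
Added example: assumes keytool (JDK\\bin) is on PATH; names are this example's own."""
import shutil
import subprocess
from pathlib import Path

# Entry-type words that appear in a 'keytool -list' entry line. Old JKS keytool
# prints keyEntry/trustedCertEntry, newer releases print PrivateKeyEntry etc.
ENTRY_TYPES = {"PrivateKeyEntry", "keyEntry", "trustedCertEntry", "SecretKeyEntry"}
PRIVATE_KEY_TYPES = {"PrivateKeyEntry", "keyEntry"}

# Constructed sample of 'keytool -list' output (fingerprint is made up), used to
# exercise the parser offline.
SAMPLE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Jan 1, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""


def build_dname(cn, ou, o, l, st, c):
    """Build the X.500 name keytool otherwise asks for field by field (Step 1).
    A comma inside a value would be read as a field separator, so it is escaped."""
    parts = []
    for key, value in (("CN", cn), ("OU", ou), ("O", o), ("L", l), ("ST", st), ("C", c)):
        parts.append(key + "=" + value.replace(",", "\\,"))
    return ", ".join(parts)


def genkey_cmd(keystore, password, dname, alias="tomcat"):
    """Step 1. -keypass is deliberately the same as -storepass: a differing key
    password gives 'java.security.UnrecoverableKeyException: Cannot recover key'
    when Tomcat starts."""
    return ["keytool", "-genkeypair", "-keyalg", "RSA", "-keysize", "2048",
            "-alias", alias, "-dname", dname, "-keystore", str(keystore),
            "-storepass", password, "-keypass", password]


def certreq_cmd(keystore, password, csr_file, alias="tomcat"):
    """Step 3: write the CSR to csr_file."""
    return ["keytool", "-certreq", "-alias", alias, "-keyalg", "RSA",
            "-file", str(csr_file), "-keystore", str(keystore), "-storepass", password]


def import_cmd(keystore, password, cert_file, alias="tomcat"):
    """Step 6: import the CA reply (PKCS#7) under the same alias as the key."""
    return ["keytool", "-importcert", "-alias", alias, "-trustcacerts",
            "-file", str(cert_file), "-keystore", str(keystore), "-storepass", password]


def list_cmd(keystore, password):
    return ["keytool", "-list", "-keystore", str(keystore), "-storepass", password]


def parse_keytool_list(output):
    """Return {alias: entry type} from 'keytool -list' text. Dates in the entry
    line may themselves contain commas, so the type is searched for, not indexed."""
    entries = {}
    for line in output.splitlines():
        fields = [f.strip() for f in line.split(",")]
        for field in fields[1:]:
            if field in ENTRY_TYPES:
                entries[fields[0]] = field
                break
    return entries


def has_private_key(output, alias="tomcat"):
    """The read-back check from Step 1: is there a private key under alias?"""
    return parse_keytool_list(output).get(alias) in PRIVATE_KEY_TYPES


def run_procedure(workdir="tomcat-ssl", password="changeit", alias="tomcat"):
    """Steps 1 and 3 with the read-back check; returns the CSR path for Step 4."""
    if shutil.which("keytool") is None:
        raise SystemExit("keytool not found: add <JDK>\\bin to PATH first")
    if password == "changeit":
        print("warning: this is Tomcat's default keystore password; choose your own "
              "and set keystorePass accordingly in server.xml (Step 7)")
    wd = Path(workdir)
    wd.mkdir(parents=True, exist_ok=True)
    keystore, csr = wd / ".keystore", wd / "certreq.csr"
    dname = build_dname("www.mydomain.com", "Thawte testing", "Thawte Testing",
                        "Cape Town", "Western Province", "ZA")  # example values from the page
    subprocess.run(genkey_cmd(keystore, password, dname, alias), check=True)
    listing = subprocess.run(list_cmd(keystore, password), check=True,
                             capture_output=True, text=True).stdout
    if not has_private_key(listing, alias):
        raise SystemExit(f"{keystore} has no private key entry for '{alias}'")
    subprocess.run(certreq_cmd(keystore, password, csr, alias), check=True)
    return csr


if __name__ == "__main__":
    print("CSR written to", run_procedure(), "- send it to your CA, then run import_cmd()")
```

After the CA reply arrives, import_cmd(keystore, password, "mythawtecert.txt") gives the exact argument list for Step 6; running keytool -list again afterwards should still show a single PrivateKeyEntry for tomcat, now carrying the CA-issued chain.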
Step 7: Edit the Tomcat configuration file:
Tomcat keeps its configuration in the <Tomcat Folder>\conf\server.xml file. Make sure that port 443 is not already in use and that it is enabled on your firewall.
Open server.xml in a text editor.
For Tomcat 4.1.XX the lines you have to change are around line 100. Locate the following text:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
On the next line paste the following text:
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" enableLookups="true" scheme="https" secure="true"
           acceptCount="100" useURIValidationHack="false"
           disableUploadTimeout="true" clientAuth="false" sslProtocol="TLS">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS" keystoreFile="/Path/to/keystore"
           keystorePass="changeit" />
</Connector>
For Tomcat 6, add one of the following connectors to server.xml. Both are shown on port 443; only one connector can bind a given port, so add either the blocking or the non-blocking one (or give the second a different port):
<!-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/Path/To/keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
<!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/Path/To/keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
Specify the path to your keystore file in keystoreFile="c:\tomcat-ssl\.keystore". If your keystore password is anything other than "changeit" you will also have to change keystorePass="changeit" (in the Factory element for Tomcat 4.1, in the Connector element for Tomcat 6).
If you want to change the https port, modify port="443".
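The settings Step 7 asks you to get right are easy to miss in a long server.xml, so here is an added example (not from the page) that audits the SSL connectors: it reads both the Tomcat 4.1 form (keystore settings on a nested <Factory>) and the Tomcat 6 form, flags a keystorePass that is absent or still "changeit" (Tomcat assumes "changeit" when the attribute is missing), flags a missing keystoreFile, and reports two connectors configured on the same port. The three embedded server.xml fragments are constructed samples, and the function names are this example's own.

```python
"""Audit the SSL connectors in a Tomcat server.xml. Added example; sample XML is constructed."""
import sys
import xml.etree.ElementTree as ET
from collections import Counter

DEFAULT_KEYSTORE_PASS = "changeit"  # what Tomcat assumes when keystorePass is absent

# Constructed sample: both Tomcat 6 connectors from Step 7 pasted as-is.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="443"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/Path/To/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/Path/To/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed sample: Tomcat 4.1 form, keystore settings on <Factory>, no keystorePass.
TOMCAT4_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="443"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS" keystoreFile="c:\\tomcat-ssl\\.keystore"/>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample: one connector, keystore path set, own password: passes.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="c:\\tomcat-ssl\\.keystore"
               keystorePass="replace-with-your-own-password"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def ssl_settings(connector):
    """Merge Connector attributes with those of a nested <Factory> (Tomcat 4.1 keeps
    keystoreFile/keystorePass there) so both styles are checked by the same code."""
    settings = dict(connector.attrib)
    factory = connector.find("Factory")
    if factory is not None:
        settings.update(factory.attrib)
    return settings


def is_ssl(settings):
    return settings.get("SSLEnabled", "").lower() == "true" or settings.get("scheme") == "https"


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means the Step 7 checks pass."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    findings = []
    for port, count in Counter(c.get("port") for c in connectors).items():
        if count > 1:
            findings.append(f"port {port}: {count} connectors configured, only one can bind it")
    for conn in connectors:
        s = ssl_settings(conn)
        if not is_ssl(s):
            continue
        port = s.get("port", "?")
        if not s.get("keystoreFile"):
            findings.append(f"port {port}: keystoreFile is not set")
        if s.get("keystorePass", DEFAULT_KEYSTORE_PASS) == DEFAULT_KEYSTORE_PASS:
            findings.append(f"port {port}: keystore password is Tomcat's default "
                            f"'{DEFAULT_KEYSTORE_PASS}'")
    return findings


if __name__ == "__main__":
    # Usage: python audit_server_xml.py <Tomcat Folder>\conf\server.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_SERVER_XML
    for finding in audit_server_xml(text) or ["no findings"]:
        print(finding)
```

Because keystorePass is stored in clear text in server.xml, the file should be readable only by the account Tomcat runs as; the audit does not check file permissions, so verify them separately.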
Additional notes: If you need to start over, you first have to delete your existing tomcat key entry. To do that use the following command:
keytool -delete -alias tomcat -keystore .keystore