Install a Tomcat certificate
PREAMBLE: the following instructions only apply to Tomcat builds that use JSSE. Recent versions of Tomcat may use the Apache APR library instead; in that case follow the instructions for Apache (Install an Apache certificate). To find out whether you are using APR, look for the "TOMCAT/bin/tcnative-1.dll" DLL under Windows, the "libtcnative-1.so.0.1.12" library under Linux, and "libapr-1.so.0.3.3" in "TOMCAT/native/lib". If they are present, APR is available.
1- Retrieve your certificate on your server
Download the complete certificate file (.p7b) referred to in the delivery mail and save it on your desktop.
2- Import the certificate
To install your certificate in your Keystore:
- Use the same machine (and the same directory) you used to request your certificate.
- Import the certificate:
keytool -import -alias [alias name, usually "tomcat"] -file [p7-0000000000-0000.p7b] -keystore [storage name]
IMPORTANT: Provide the same alias name you used in your certificate request, and use the same keystore name as well.
A warning will tell you that your certificate cannot be verified. Accept it; the certificate is then imported correctly without the root.
A "-trustcacerts" parameter exists and is sometimes recommended for the import. Note that adding it also adds the root certificate to the keystore, which can cause certification-chain issues.
3- Activate SSL
Edit the server.xml file of your server. Locate the commented-out SSL connector section of the file and complete it as explained below:
With Tomcat 4
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="false" acceptCount="10" connectionTimeout="60000"
           debug="0" scheme="https" secure="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="FULL-PATH+KEYSTORENAME" keystorePass="KEYSTORE-PASSWORD" />
</Connector>
With Tomcat 5
<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true" acceptCount="100"
           debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="FULL-PATH+KEYSTORENAME" keystorePass="KEYSTORE-PASSWORD" />
With Tomcat 6 to 9
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="FULL-PATH+KEYSTORENAME" keystorePass="KEYSTORE-PASSWORD" />
With Tomcat - APR / Apache mode
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLCertificateFile="${catalina.base}/conf/localhost.crt"
           SSLCertificateKeyFile="${catalina.base}/conf/localhost.key"
           SSLCertificateChainFile="${catalina.base}/conf/chain-localhost.txt" />
With Tomcat and a PKCS12
This feature is available starting with version 5.5.
If you generate a PKCS12 (.pfx) file on a Microsoft server, you can use it in Tomcat this way:
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="WHOLE-PATH+PFX-NAME" keystorePass="PFX-PASSWORD" keystoreType="PKCS12" />
Disable SSLv2/SSLv3 on Tomcat
<Connector SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />
Or for older JDK versions:
<Connector SSLProtocol="TLSv1,TLSv1.1,TLSv1.2" />
It might instead be necessary to use the following syntax:
<Connector sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />
Or for especially early versions of Tomcat 6:
<Connector sslProtocol="TLS" protocols="TLSv1.2,TLSv1.1,TLSv1" />
Improve the quality of the ciphers used
For a better security level, we recommend restricting the connector to a particular set of cipher suites, which secures your communications more efficiently while keeping broad browser compatibility. To do so, add the following attribute to your connector:
<Connector ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                    TLS_RSA_WITH_AES_256_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                    TLS_RSA_WITH_AES_256_CBC_SHA256,
                    TLS_RSA_WITH_AES_256_GCM_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
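Added here as an example (not a tool from the original page): a small Python check that parses a server.xml and reports, for each https connector, whether SSLv2/SSLv3 is still listed under any of the protocol attribute spellings shown above (SSLProtocol with "+" or ",", sslEnabledProtocols, protocols), whether SSLEnabled="true" is missing, whether the keystore password is the JSSE default, and whether an obviously weak cipher suite is configured. The server.xml content is constructed for the example; the file path and port numbers in it are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not the page's file); it mixes the attribute spellings
# the page lists: sslEnabledProtocols on one connector, SSLProtocol with "+" on the other.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/tomcat/conf/keystore.jks" keystorePass="changeit"
             sslProtocol="TLS" sslEnabledProtocols="SSLv3,TLSv1,TLSv1.1,TLSv1.2" />
  <Connector port="8444" scheme="https" secure="true" keystorePass="s3cret-example"
             keystoreFile="/opt/tomcat/conf/keystore.jks" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
             ciphers="TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
</Service></Server>"""

# Attributes that carry the protocol *list* (ElementTree lookups are case-sensitive;
# lowercase sslProtocol="TLS" only names the SSLContext and is not a list).
PROTOCOL_LIST_ATTRS = ("SSLProtocol", "sslEnabledProtocols", "protocols")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("RC4", "NULL", "EXPORT", "anon", "MD5")


def split_protocols(value):
    # Accept both separators the page shows: "A+B+C" and "A,B,C".
    return [p.strip() for p in value.replace("+", ",").split(",") if p.strip()]


def audit_connector(conn):
    """Return findings for one <Connector> element; an empty list means it passed."""
    a, findings = conn.attrib, []
    if a.get("scheme") != "https":
        return findings  # plain HTTP connector: out of scope here
    if a.get("SSLEnabled", "").lower() != "true":
        findings.append('SSLEnabled="true" missing (required from Tomcat 6 on)')
    if a.get("keystorePass", "changeit") == "changeit":
        findings.append("keystorePass is the JSSE default 'changeit' (set or implied)")
    protocols = [p for n in PROTOCOL_LIST_ATTRS if n in a for p in split_protocols(a[n])]
    legacy = sorted(LEGACY_PROTOCOLS & set(protocols))
    if legacy:
        findings.append("legacy protocol enabled: " + ", ".join(legacy))
    elif not protocols:
        findings.append("no explicit protocol list; JVM defaults decide what is offered")
    ciphers = [c.strip() for c in a.get("ciphers", "").split(",") if c.strip()]
    weak = [c for c in ciphers if any(m in c for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("weak cipher suite(s): " + ", ".join(weak))
    elif not ciphers:
        findings.append("no ciphers attribute; the JVM default suite list applies")
    return findings


def audit_server_xml(xml_text):
    """Map port -> findings for every https connector that has at least one finding."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): f for c in root.iter("Connector") if (f := audit_connector(c))}
```

Run it against your own file with `audit_server_xml(open("server.xml").read())`; an empty dictionary means every https connector passed these checks.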
4- Run a test
Check access to your website's secured pages with IE 6 and Firefox.
You can also use our test tool, CoPiBot, available from your certificate's status page. To do so, click on the "Check your certificate" button.
Frequent errors
- java.lang.Exception: Input not an X.509 certificate
- Your site has compatibility issues because elements from the certification chain are missing
Internal documentation
- Keytool
- Create a JKS (Java, Tomcat, ...) from a PKCS12 or a PFX (Windows)
- Create a PKCS12 (PFX / P12) from a JKS / Java keystore
- Add an intermediate certificate to a Keystore
- Delete a certificate from a keystore with keytool