Install a Tomcat certificate

PREAMBLE: the following instructions only apply to Tomcat installations compiled with JSSE. Recent versions of Tomcat may use the Apache APR library; in that case, follow the instructions for Apache (Install an Apache certificate). To find out whether you are using APR, look for the "TOMCAT/bin/tcnative-1.dll" DLL under Windows, or, under Linux, for the "libtcnative-1.so.0.1.12" library and "libapr-1.so.0.3.3" in "TOMCAT/native/lib". If they are present, APR is available.

1- Retrieve your certificate on your server

Download the overall file (.p7b) indicated in the delivery mail and save it on your desktop.

2- Import the certificate

To install your certificate in your Keystore:

  1. Use the same machine (and the same directory) you did to request your certificate.
  2. Import the certificate:
    keytool -import -alias [alias name, usually "tomcat"] -file [p7-0000000000-0000.p7b] -keystore [storage name]
    
    IMPORTANT: Provide the same alias name you did in your certificate request and use the same keystore name as well.

A warning will tell you that your certificate cannot be verified. Accept it: the certificate is then correctly imported without the root.

A "-trustcacerts" parameter exists and is sometimes recommended for the import. Note that adding it also adds the root certificate to the keystore, which can cause issues with certification chains.
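Two import mistakes are easy to miss at this step: importing under an alias that does not hold the private key (keytool then stores a trustedCertEntry instead of completing the key's chain), and ending up with a chain of length 1 because the intermediate in the .p7b was not stored with the key. This added Python check (not part of the original page) parses the output of `keytool -list -v` and reports both; the listing below is a constructed sample, and the `KEYSTORE_PASS` environment variable name is assumed.

```python
import subprocess

# Constructed sample of `keytool -list -v` output (abridged): "tomcat" holds the key
# pair with its imported chain, "mykey" is a certificate imported under the wrong alias.
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com, O=Example
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA

*******************************************

Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example
"""

def parse_listing(text):
    """Map each alias in a `keytool -list -v` listing to its entry type and chain length."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Alias name":
            cur = {"type": None, "chain_len": 0}
            entries[value.strip()] = cur
        elif cur is not None and key == "Entry type":
            cur["type"] = value.strip()
        elif cur is not None and key == "Certificate chain length":
            cur["chain_len"] = int(value)
    return entries

def check_import(entries, alias="tomcat"):
    """Problems with the alias the connector uses; an empty list means the import is usable."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias {alias!r} not found: import used a different alias than the request"]
    if entry["type"] != "PrivateKeyEntry":
        return [f"alias {alias!r} is a {entry['type']}: it does not hold the private key"]
    if entry["chain_len"] < 2:
        return [f"alias {alias!r} chain length {entry['chain_len']}: intermediate CA missing"]
    return []

def check_keystore(path, alias="tomcat"):
    """Same check against a real keystore; keytool reads the password from $KEYSTORE_PASS."""
    cmd = ["keytool", "-list", "-v", "-keystore", path, "-storepass:env", "KEYSTORE_PASS"]
    return check_import(parse_listing(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout), alias)
```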

3- Activate SSL

Edit the server.xml file of your server. Find the commented-out SSL connector section of the file and complete it as explained below:

With Tomcat 4

<Connector
     className="org.apache.coyote.tomcat4.CoyoteConnector"
     port="8443" minProcessors="5"
     maxProcessors="75"
     enableLookups="false"
     acceptCount="10"
     connectionTimeout="60000" debug="0"
     scheme="https" secure="true">
   <Factory
     className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
     clientAuth="false" protocol="TLS"
     keystoreFile="FULL-PATH+KEYSTORENAME"
     keystorePass="KEYSTORE-PASSWORD" />
</Connector>

With Tomcat 5

<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
          port="8443" minProcessors="5" maxProcessors="75"
          enableLookups="true" disableUploadTimeout="true"
          acceptCount="100" debug="0" scheme="https" secure="true"
          clientAuth="false" sslProtocol="TLS"
          keystoreFile="FULL-PATH+KEYSTORENAME"
          keystorePass="KEYSTORE-PASSWORD" />

With Tomcat 6 to 9

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
          port="8443" minProcessors="5" maxProcessors="75"
          enableLookups="true" disableUploadTimeout="true" 
          acceptCount="100"  maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          keystoreFile="FULL-PATH+KEYSTORENAME"
          keystorePass="KEYSTORE-PASSWORD" />

With Tomcat - APR / Apache mode

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
          SSLCertificateFile="${catalina.base}/conf/localhost.crt"
          SSLCertificateKeyFile="${catalina.base}/conf/localhost.key"
          SSLCertificateChainFile="${catalina.base}/conf/chain-localhost.txt" />

With Tomcat and a PKCS12

This feature is available starting with version 5.5.

If you generate a PKCS12 (.pfx) from a Microsoft server, you can use it in your Tomcat this way:

<Connector 
          port="8443" minProcessors="5" maxProcessors="75"
          enableLookups="true" disableUploadTimeout="true" 
          acceptCount="100"  maxThreads="200"
          scheme="https" secure="true" SSLEnabled="true"
          keystoreFile="WHOLE-PATH+PFX-NAME"
          keystorePass="PFX-PASSWORD" 
          keystoreType="PKCS12" />

Disable SSLv2/SSLv3 on Tomcat

<Connector 
          SSLProtocol="TLSv1+TLSv1.1+TLSv1.2" />

Or for older JDK versions:

<Connector 
          SSLProtocol="TLSv1,TLSv1.1,TLSv1.2" />

It might instead be necessary to use the following syntax:

<Connector 
          sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1" />

Or for especially early versions of Tomcat 6:

<Connector 
          sslProtocol="TLS" protocols="TLSv1.2,TLSv1.1,TLSv1" />

Enhance used ciphers quality

For a better security level, we recommend using a specific set of ciphers, which protects your communications more efficiently while keeping high compatibility with browsers. To do so, add the following configuration to your connector:

<Connector 
          ciphers="TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_RSA_WITH_AES_256_CBC_SHA,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
                        TLS_RSA_WITH_AES_256_CBC_SHA256,
                        TLS_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
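Once the connector has been edited, the three settings the sections above cover (an SSL-enabled connector with its keystore or certificate files, an explicit protocol list in any of the attribute spellings shown, and a cipher list) can be checked before restarting Tomcat. This added Python audit is not part of the original page; the server.xml fragment, ports and file paths in it are constructed, and it treats `sslProtocol="TLS"` on its own as no restriction, since that attribute only names the JSSE algorithm.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment (not from the page): 8443 is configured as the sections
# above describe, 8444 leaves protocols and ciphers to defaults, 8445 still lists SSLv3.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
             scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/tomcat/conf/keystore.jks" keystorePass="changeit"
             sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
             ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
  <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/opt/tomcat/conf/keystore.jks" keystorePass="changeit" sslProtocol="TLS" />
  <Connector port="8445" protocol="org.apache.coyote.http11.Http11AprProtocol"
             scheme="https" secure="true" SSLEnabled="true" SSLProtocol="SSLv3+TLSv1"
             SSLCertificateFile="/opt/tomcat/conf/localhost.crt"
             SSLCertificateKeyFile="/opt/tomcat/conf/localhost.key" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>
"""

# Attribute spellings the page shows for pinning protocol versions.
PROTO_ATTRS = ("SSLProtocol", "sslEnabledProtocols", "protocols")

def pinned_protocols(conn):
    """Protocol versions a connector pins (split on ',' or '+'), or None if it relies on defaults."""
    for attr in PROTO_ATTRS:
        if conn.get(attr):
            return [p.strip() for p in re.split(r"[+,]", conn.get(attr)) if p.strip()]
    return None

def audit_connectors(xml_text):
    """Return {port: [findings]} for every HTTPS connector in server.xml; [] means clean."""
    findings = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to check
        port, issues = conn.get("port", "?"), []
        protos = pinned_protocols(conn)
        if protos is None:
            issues.append("no protocol list: SSLv2/SSLv3 status depends on JVM defaults")
        elif any(p.startswith("SSLv") for p in protos):
            issues.append("enables " + ", ".join(p for p in protos if p.startswith("SSLv")))
        if not (conn.get("ciphers") or conn.get("SSLCipherSuite")):
            issues.append("no cipher list: library default cipher list in use")
        if not (conn.get("keystoreFile") or conn.get("SSLCertificateFile")):
            issues.append("no keystoreFile/SSLCertificateFile")
        findings[port] = issues
    return findings
```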

4- Run a test

Check that your website's secured pages are reachable with IE 6 and Firefox.
You can also use our test tool: CoPiBot available from your certificate's status page. To do so, click on the "Check your certificate" button.
