Tomcat SSL - How to

[bubba64]

I struggled more than I should have trying to get an SSL certificate installed for HTTPS. So hopefully this will make it easy for anyone else seeking to do so. I bought an SSL certificate from godaddy.com (<$30 for 1 year). Here are the instructions that worked for me.

My Configuration: Tomcat 6.0.18 stand alone web server (your CN name on the certificate MUST match your domain). It is easiest to do all of this on the server you will be running on.

1) Generate your private key (keytool is in your java_home/bin directory):
keytool -genkey -alias tomcat -keyalg RSA

**This will put the key in your .keystore in your home directory (or in Windows--C:\Documents and Settings\<User_name>. Once again, make sure your common name (this is your CN, you are asked for your first and last name) matches your domain you will be using (mydomain.com).

2) Generate the CSR:
keytool -certreq -keyalg RSA -alias tomcat -file your_file_name_here.csr

3) Buy your SSL certficate and you will be asked to copy and paste your CSR.

4) When you have your zip file extracted from GoDaddy, do the following to import the certificate into your keystore (all the .crt files are in the zip file):
   keytool -import -alias root -trustcacerts -file gd_bundle.crt
   keytool -import -alias cross -trustcacerts -file gd_cross_intermediate.crt
   keytool -import -alias intermed -trustcacerts -file gd_intermediate.crt
   keytool -import -alias tomcat -trustcacerts -file www.YourDomain.com.crt

5) Update Server.xml in tomcat\conf folder;
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
  port="443" minSpareThreads="5" maxSpareThreads="75"
  enableLookups="true" disableUploadTimeout="true"
  acceptCount="100" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="c:\documents and settings\<user>\.keystore" or wherever you copy it to
  keystorePass="<whatever password you chose when creating your key in the beginning"
  clientAuth="false" sslProtocol="TLS"/>

It was a breeze once I followed these instructions. Make sure you change your HTTPS options in your konakartadmin to match the same port (in my example 443).

Good luck!

[johanmeyer]

hallo
I found your post in google and have to say its the only usefull one I found. I am not sure what I am doibng wrong but I followed your steps by the letter and still get the following error when starting tomcat:

WARNING: Reinitializing ServerSocket
Sep 1, 2009 10:57:04 AM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
SEVERE: Endpoint [SSL: ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:114)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:408)
   at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:71)
   at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
   at java.lang.Thread.run(Thread.java:619)


I am not sure what I am missing or doing wrong and I do hope you can help.

[ecommdev]

I know this has been closed for a while but SSL cert is one of the most painful things when its not going right.

I used the godaddy cert, i think the keytool call required is:

keytool.exe -certreq -sigalg MD5withRSA -alias godaddy -file C:\Users\Administrator.OTL01\godaddy.csr

rather than

keytool -certreq -keyalg RSA -alias tomcat -file your_file_name_here.csr

I prefer to use the alias godaddy for the csr (the request cert) and tomcat for the actual certificate.

Also, another note: If you are looking at clustering, you will probably have your tomcat instances behind something like apache. Therefore apache will handle the ssl, currently apache is unable to pull a cert from a keytool (annoying for security) - in which case there is no point in loading the cert into the keytool. But use the keytool to generate the csr.

Good luck with it,

Andrew

[praveenkr]

Hello,
I purchased the certificate from Godaddy but I am unable to integrate   .

I am getting integration problem  with SSL  certificate  with  application server  Tomcat 6.0.
I followed the  Installing an SSL Certificate in Tomcat 4.x/5.x/6.x

Installation Option Two: Install the SSL Certificate and Intermediate Certificate Separately
Installing Root and Intermediate Certificates  but unable  to  to do that .
getting exception :

SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
    at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
    at java.lang.Thread.run(Thread.java:595)

For your Refernce : I am editing in server.xml
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
  port="443" minSpareThreads="5" maxSpareThreads="75"
  enableLookups="true" disableUploadTimeout="true"
  acceptCount="100" maxThreads="200"
  scheme="https" secure="true" SSLEnabled="true"
  keystoreFile="webapps/tomcat.keystore"
  keystorePass="ttadmin"
  clientAuth="false" sslProtocol="TLS"/>

using  following commands....

keytool -import -alias root -keystore c:\tomcat.keystore -trustcacerts -file c:\gd_bundle.crt
keytool -import -alias cross -keystore c:\tomcat.keystore -trustcacerts -file c:\gd_cross_intermediate.crt


keytool -import -alias intermed -keystore c:\tomcat.keystore -trustcacerts -file c:\gd_intermediate.crt
keytool -import -alias tomcat -keystore c:\tomcat.keystore -trustcacerts -file c:\customer.telelogix.net.crt

Please  suggest me ....

Regards,
Praveen