Move the certificate .pfx file to your Tomcat install directory (by default, this is C:\Program Files (x86)\Apache Software Foundation\Tomcat X.X on 64-bit Windows Server systems or C:\Program Files\Apache Software Foundation\Tomcat X.X on 32-bit systems).
Open the Conf folder in the Tomcat install directory and locate the Server.xml file. Edit this file using a text editor (such as Notepad++).
If <Connector> is not present after </Engine> in Server.xml (for example when you perform a new installation of Apache Tomcat), copy the following string into Server.xml after </Engine> (use your own values for keystoreFile, keystorePass, and keystoreType):

<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat_folder\certificate_file.pfx"
  keystorePass="Secret_Password_123" keystoreType="PKCS12"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA"/>
If <Connector> is already present after </Engine> in Server.xml (for example when you restore Server.xml after an Apache Tomcat upgrade), replace the values of the parameters listed below with your own values:
- keystoreFile: the full path to the certificate file (.pfx, .keystore, or other).
- keystorePass: the certificate passphrase.
- keystoreType: the certificate type.
To use a secure HTTPS/SSL connection for ERA Web Console, follow the steps below:

Generate a keystore with a key pair using keytool. On Windows, change to the Java bin directory (for example C:\Program Files (x86)\Java\jre1.8.0_40\bin) and then run the command:

keytool.exe -genkeypair -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

On Linux, run:

keytool -genkeypair -alias "tomcat" -keyalg RSA -keysize 4096 -validity 3650 -keystore "/etc/tomcat/tomcat.keystore" -storepass "yourpassword" -keypass "yourpassword" -dname "CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"

The file path /etc/tomcat/tomcat.keystore is only an example; choose your own secure and accessible destination.
Create a certificate signing request (CSR) for the key pair. On Windows:

keytool.exe -certreq -alias tomcat -file "C:\Install\Tomcat\tomcat.csr" -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore" -ext san=dns:ERA6-2008R2

On Linux:

keytool -certreq -alias tomcat -file "/etc/tomcat/tomcat.csr" -keystore "/etc/tomcat/tomcat.keystore" -ext san=dns:ERA6-2008R2
Import the signed certificate (tomcat.cer) into your keystore. Below is a sample command that imports a signed certificate into the keystore. On Windows:

keytool.exe -import -alias tomcat -file "C:\Install\Tomcat\tomcat.cer" -keystore "C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore"

On Linux:

keytool -importcert -alias tomcat -file "/etc/tomcat/tomcat.cer" -keystore "/etc/tomcat/tomcat.keystore"
If you want to use an already existing certificate (for example, a company certificate), follow these instructions.
Edit the server.xml configuration file so that the <Connector> tag is written similar to the example below:

<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="C:\Program Files (x86)\Apache Software Foundation\Tomcat 7.0\tomcat.keystore"
  keystorePass="yourpassword" keyAlias="tomcat"/>
This modification also disables the non-secure Tomcat features, leaving only HTTPS enabled (the scheme="https" parameter). For security reasons, you may also need to edit tomcat-users.xml to delete all Tomcat users and change ServerInfo.properties to hide the identity of Tomcat.
On Linux, the <Connector> tag looks like this:

<Connector server="OtherWebServer" port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
  SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="/etc/tomcat/tomcat.keystore"
  keystorePass="yourpassword" keyAlias="tomcat"/>
Restart the Tomcat service:

sudo service tomcat restart

Note that some distributions use the service name tomcat7.
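As an added example (not part of the original page or of Tomcat itself), the following Python script audits the <Connector> settings discussed above, for both the .pfx connector and the keystore-based one: it parses a constructed server.xml fragment and flags a leftover plaintext connector, a .pfx keystoreFile without keystoreType, deprecated entries in sslEnabledProtocols, and cipher suites without forward secrecy or using CBC mode. The sample XML, ports and paths are constructed for the demonstration; run it against a real server.xml by passing the file contents to audit_connectors.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml: an HTTPS connector in the page's style (with the
# TLSv1/TLSv1.1 and TLS_RSA entries it lists) plus a leftover plaintext connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="C:\\certs\\certificate_file.pfx"
               keystorePass="Secret_Password_123"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# SSLv3 and earlier (RFC 7568) and TLS 1.0/1.1 (RFC 8996) are deprecated.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _csv(value):
    """Split a comma-separated Tomcat attribute value into trimmed items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def audit_connectors(server_xml):
    """Return one finding string per problem found in the <Connector> elements."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        port = c.get("port", "?")
        if c.get("SSLEnabled", "false").lower() != "true":
            findings.append(f"port {port}: plaintext connector still enabled")
            continue
        for attr in ("keystoreFile", "keystorePass"):
            if not c.get(attr):
                findings.append(f"port {port}: SSLEnabled but {attr} is missing")
        if c.get("keystoreFile", "").lower().endswith(".pfx") and not c.get("keystoreType"):
            findings.append(f"port {port}: .pfx keystore without keystoreType=PKCS12 (Tomcat defaults to JKS)")
        for proto in sorted(set(_csv(c.get("sslEnabledProtocols", ""))) & DEPRECATED_PROTOCOLS):
            findings.append(f"port {port}: deprecated protocol {proto} enabled")
        for suite in _csv(c.get("ciphers", "")):
            if suite.startswith("TLS_RSA_"):          # static RSA key exchange
                findings.append(f"port {port}: cipher {suite} has no forward secrecy")
            elif "_CBC_" in suite:                    # non-AEAD suite
                findings.append(f"port {port}: cipher {suite} uses CBC mode")
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```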