Here’s a step-by-step guide to configuring SSL certificates for Tomcat on Debian:
First, update your package list and install Tomcat (e.g., Tomcat 9) and OpenSSL:
sudo apt update
sudo apt install tomcat9 openssl
You can use OpenSSL to create a self-signed certificate (for testing) or obtain one from a trusted Certificate Authority (CA) like Let’s Encrypt (for production).
Run the following command to generate a 2048-bit RSA key and self-signed certificate valid for 365 days:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
  -keyout /etc/ssl/private/tomcat-selfsigned.key \
  -out /etc/ssl/certs/tomcat-selfsigned.crt
When prompted for the certificate details, enter your server's domain name as the Common Name (or localhost for testing). The private key (tomcat-selfsigned.key) and certificate (tomcat-selfsigned.crt) are saved under /etc/ssl/ (in private/ and certs/ respectively). If you have a certificate from a CA (e.g., your_domain.crt and your_domain.key), place them in a secure directory (e.g., /etc/ssl/certs/ and /etc/ssl/private/ respectively).
Tomcat requires SSL certificates to be in a Java Keystore (JKS) or PKCS12 format. Convert your certificate and private key into a JKS file (the keystore must hold the private key as well as the certificate; a certificate-only entry cannot be used to serve TLS):
sudo openssl pkcs12 -export -name tomcat \
  -in /etc/ssl/certs/tomcat-selfsigned.crt \
  -inkey /etc/ssl/private/tomcat-selfsigned.key \
  -out /etc/ssl/private/tomcat-selfsigned.p12
sudo keytool -importkeystore -alias tomcat \
  -srckeystore /etc/ssl/private/tomcat-selfsigned.p12 -srcstoretype PKCS12 \
  -destkeystore /etc/ssl/certs/tomcat-selfsigned.jks \
  -deststorepass your_keystore_password
The alias (tomcat) names the key entry inside the keystore. Replace your_keystore_password with a strong password, and restrict the keystore file's permissions so only the tomcat user can read it, since it contains the private key. If your CA provides a .crt and .key file, first combine them into a PKCS12 file, then import into JKS:
# -certfile bundles your CA's intermediate certificates so clients can build the trust chain
sudo openssl pkcs12 -export \
  -in /etc/ssl/certs/your_domain.crt \
  -inkey /etc/ssl/private/your_domain.key \
  -certfile /etc/ssl/certs/ca-bundle.crt -caname root \
  -name tomcat \
  -out /etc/ssl/private/tomcat.pfx
# keep -destkeypass equal to -deststorepass unless you also set keyPass on the connector in server.xml
sudo keytool -importkeystore \
  -srckeystore /etc/ssl/private/tomcat.pfx \
  -srcstoretype PKCS12 \
  -srcstorepass your_pfx_password \
  -destkeystore /etc/ssl/certs/tomcat.jks \
  -deststorepass your_keystore_password \
  -destkeypass your_key_password \
  -alias tomcat
Edit the Tomcat configuration file (server.xml) to enable HTTPS. Open /etc/tomcat9/server.xml in a text editor:
sudo nano /etc/tomcat9/server.xml
Locate the commented-out HTTPS connector (near the bottom of the file) and replace it with:
<!-- HTTPS connector. keystoreFile/keystorePass point at the JKS created above;
     set clientAuth="true" for mutual SSL; sslEnabledProtocols limits clients to TLS 1.2+.
     XML comments are not allowed inside a start tag, so keep notes like this one outside it. -->
<Connector
  port="8443"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
  maxThreads="150"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  keystoreFile="/etc/ssl/certs/tomcat-selfsigned.jks"
  keystorePass="your_keystore_password"
  clientAuth="false"
  sslProtocol="TLS"
  sslEnabledProtocols="TLSv1.2,TLSv1.3"
/>
You can change the port from 8443 to 443 (the default HTTPS port) if you want to avoid specifying the port in URLs. To redirect all HTTP traffic to HTTPS, add a security-constraint to your web application's web.xml (e.g., /var/lib/tomcat9/webapps/your_app/WEB-INF/web.xml). The redirect goes to the redirectPort set on the plain HTTP connector in server.xml (8443 in the default file), so update that value if you changed the HTTPS port:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected Context</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
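Both the HTTPS connector and the HTTP-to-HTTPS redirect depend on attributes in server.xml that are easy to get wrong. As an added example (not part of this guide or of Tomcat), the following Python script lints a server.xml: it reports malformed XML such as a comment inside the Connector tag, a placeholder keystorePass, missing or weak sslEnabledProtocols, and an HTTP connector whose redirectPort does not point at the HTTPS port. The sample XML strings are constructed for the example.

```python
"""Constructed example (not from this guide): lint the HTTPS Connector in a Tomcat server.xml."""
from typing import List
import xml.etree.ElementTree as ET

# Constructed sample server.xml with the guide's HTTPS connector (comments kept out of the tag).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
      maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
      keystoreFile="/etc/ssl/certs/tomcat-selfsigned.jks" keystorePass="your_keystore_password"
      clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""
# Constructed: an XML comment inside the start tag, which Tomcat rejects at startup.
BROKEN_SERVER_XML = '<Server><Connector port="8443" SSLEnabled="true" <!-- bad --> /></Server>'

PLACEHOLDER_PASSWORDS = {"", "your_keystore_password", "changeit"}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def lint_https_connectors(server_xml: str) -> List[str]:
    """Return findings for every SSLEnabled connector; an empty list means no problems found."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        return [f"server.xml is not well-formed XML: {exc}"]
    connectors = list(root.iter("Connector"))
    https = [c for c in connectors if c.get("SSLEnabled", "").lower() == "true"]
    if not https:
        return ['no Connector with SSLEnabled="true" found']
    # Ports that plain HTTP connectors redirect to (needed for CONFIDENTIAL constraints to work).
    redirect_ports = {c.get("redirectPort") for c in connectors if c not in https}
    findings = []
    for c in https:
        port = c.get("port")
        if c.get("scheme") != "https" or c.get("secure") != "true":
            findings.append(f'port {port}: scheme="https" and secure="true" must both be set')
        if (c.get("keystorePass") or "") in PLACEHOLDER_PASSWORDS:
            findings.append(f"port {port}: keystorePass is missing or a placeholder")
        enabled = {p.strip() for p in c.get("sslEnabledProtocols", "").split(",") if p.strip()}
        if not enabled or enabled & WEAK_PROTOCOLS:
            findings.append(f'port {port}: set sslEnabledProtocols="TLSv1.2,TLSv1.3"')
        if port not in redirect_ports:
            findings.append(f'port {port}: no HTTP connector has redirectPort="{port}"')
    return findings


if __name__ == "__main__":
    for xml_text in (BROKEN_SERVER_XML, SAMPLE_SERVER_XML):
        for finding in lint_https_connectors(xml_text) or ["no findings"]:
            print(finding)
```

Run it against /etc/tomcat9/server.xml by reading the file into lint_https_connectors; the sample as written yields two findings (placeholder password, no sslEnabledProtocols) and the broken string yields a parse error.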
Apply the changes by restarting the Tomcat service:
sudo systemctl restart tomcat9
Open a browser and navigate to:
https://your_server_ip:8443 (with a self-signed certificate you'll see a browser warning, which you can accept for testing) or https://your_domain.com (no warning if the CA-issued certificate is valid). Check for the padlock icon in the address bar, indicating a secure connection.
If you’re using UFW (Uncomplicated Firewall), allow HTTPS traffic:
sudo ufw allow 8443/tcp # For port 8443
# OR
sudo ufw allow 443/tcp # For port 443 (default HTTPS)
If the connection fails, make sure the port (8443) is open in your firewall and that the keystore path and password in server.xml are correct. Use keytool -list -keystore /path/to/keystore.jks to verify the keystore contents (the tomcat entry should be listed as a PrivateKeyEntry, not a trustedCertEntry), and check the service log with journalctl -u tomcat9 for startup errors. By following these steps, you'll successfully configure SSL for Tomcat on Debian, enabling encrypted communication between clients and your server.