September 2011

How do I install a wildcard SSL certificate on Tomcat

There are two ways to set up SSL for a Java application server when Tomcat is used.

1. Use the Apache HTTP server as the primary server and let it pass requests to Tomcat over the AJP connector. This option suits a host that also serves other platforms such as PHP or Ruby.

2. Let Tomcat itself be the primary server, running on port 80 (the easy way).
Adjust server.xml so Tomcat listens on ports 80 and 443:

    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />

I go with option 2 here.

A. Preparing the private key and generating the CSR
I’m using a GoDaddy wildcard SSL certificate, and GoDaddy provides an excellent tutorial for reference.

Here we go,

I created a folder inside the Tomcat directory to hold all the SSL-related files.

#mkdir /opt/apache-tomcat-7.0.2/conf/ssl
#cd /opt/apache-tomcat-7.0.2/conf/ssl

a. Creating the keystore file (this holds the private key)

#keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

It will ask for the following details:

First and last name: this is the domain name the certificate is to be issued for, not your own name.

If you are using a standard SSL certificate, enter “” (don’t forget the “www” prefix). If you are issuing a wildcard certificate, use “*” (note the “*.” that goes in front of your domain name).

Organizational unit: your organizational unit
Organization: your organization name
City/Locality: your city
Country code: two-letter country code
It will then ask for a passphrase: provide a password, and leave the last prompt empty. Note this password, because you will be prompted for it every time you touch this file (tomcat.keystore).

b. Generating CSR

# keytool -certreq -keyalg RSA -alias tomcat -file mydomain.csr -keystore tomcat.keystore

mydomain: replace it with your domain name.

#vi mydomain.csr

Now open the file “mydomain.csr”, paste its contents into GoDaddy’s CSR enrollment form and click the submit button. Make sure the domain name shown by GoDaddy is correct.

This process may take a few hours to complete, as it requires domain verification.

C. Installing the SSL certificates
Once downloaded, you will see the 4 certificates provided by GoDaddy.

    [ec2-user@domU-12-31-38-01-B8-14 ]$ ls
    gd_bundle.crt  gd_cross_intermediate.crt  gd_intermediate.crt

a. First we need to import gd_cross_intermediate and gd_intermediate into the keystore. The following commands do that:

#keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt
#keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt

Finally, we import our domain certificate into the keystore.

#keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file

Now all the certificates are held in a single keystore file (here, tomcat.keystore).

The next step is to configure Tomcat to use that keystore for SSL.
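Before restarting Tomcat it is worth confirming that the imports produced what the connector will serve: the “tomcat” alias must still be a private-key entry, its leaf certificate must be the CA-signed one rather than the self-signed certificate that -genkey created, and the intermediates must be part of its chain. The script below is an added example, not from the original post; it parses `keytool -list -v` output for the alias and keystore used above, and the two listings it checks are constructed samples, not captured GoDaddy output.

```shell
# Added example: sanity-check a Tomcat keystore from `keytool -list -v` output.
# Assumes the alias "tomcat" and tomcat.keystore/mypass from the post above;
# the sample listings below are constructed and use placeholder CA names.

# check_chain ALIAS: reads `keytool -list -v` output on stdin and fails unless ALIAS
#  - is a PrivateKeyEntry (the private key is present),
#  - has a leaf whose Issuer differs from its Owner (CA-signed, not self-signed), and
#  - carries a chain of at least 2 certificates (leaf plus intermediate).
check_chain() {
  awk -v want="$1" '
    /^Alias name: /                              { cur = substr($0, 13) }
    cur == want && /^Entry type: /               { type = $3 }
    cur == want && /^Certificate chain length: / { len = $4 }
    cur == want && /^Owner: /  && owner  == ""   { owner  = substr($0, 8) }
    cur == want && /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
    END {
      if (type != "PrivateKeyEntry") { print "FAIL: " want " is " (type == "" ? "missing" : type); exit 1 }
      if (owner == issuer) { print "FAIL: leaf is self-signed, the CA-signed cert was never imported"; exit 1 }
      if (len + 0 < 2) { print "FAIL: chain length " len ", intermediates are not in the chain"; exit 1 }
      print "OK: " want " has chain length " len ", issued by " issuer; exit 0
    }'
}

# Constructed sample: the keystore right after -genkey, which is also what the
# comment below describes ("issued by" equals "issued to").
SELF_SIGNED='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.mydomain.com, OU=IT, O=Example Ltd, L=City, ST=State, C=US
Issuer: CN=*.mydomain.com, OU=IT, O=Example Ltd, L=City, ST=State, C=US'

# Constructed sample: the same keystore after the intermediate and domain
# certificates were imported under the "tomcat" alias (placeholder CA names).
CHAINED='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.mydomain.com, OU=IT, O=Example Ltd, L=City, ST=State, C=US
Issuer: CN=Example Intermediate CA, O=Example CA Inc, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA Inc, C=US
Issuer: CN=Example Root CA, O=Example CA Inc, C=US'

# On the server: keytool -list -v -keystore tomcat.keystore -storepass mypass | check_chain tomcat
for sample in "$SELF_SIGNED" "$CHAINED"; do
  printf '%s\n' "$sample" | check_chain tomcat || :
done
```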

 #vi /opt/apache-tomcat-7.0.2/conf/server.xml

Find the Connector line for port 443 and change it to:

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/apache-tomcat-7.0.2/conf/ssl/tomcat.keystore" keystorePass="mypass" />

Please note that I changed the SSL port to 443 rather than the default 8443.

Now it’s time to restart the server and verify the install.

My virtual host entry in server.xml is:

    <Host name="" appBase="/websites/"
          unpackWARs="true" autoDeploy="true">
      <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
             prefix="mydomain.com_access_log." suffix=".txt"
             pattern="%h %l %u %t &quot;%r&quot; %s %b" resolveHosts="false"/>
    </Host>

1 comment on How do I install a wildcard SSL certificate on Tomcat

  • I followed the steps but it didn’t work. When I open the browser and check the certificate, the “issued by” and “issued to” sections both have the same information about my company. I expected that the “issued by” section would have the name of the Certification Authority (CA). Any idea? … Thanks in advance for your consideration.
