A Step-By-Step Guide to Securing a Tomcat Server With LetsEncrypt SSL Certificate

Secure Sockets Layer (SSL), long since superseded by Transport Layer Security (TLS), is the protocol that secures communication between a client and a server: it encrypts the traffic and authenticates the server to the client with an X.509 certificate. The name "SSL certificate" has stuck, but what you actually deploy today is TLS.

If you are using Apache Tomcat as the server for your web application, chances are that at least some of the data you handle is sensitive, and TLS is the straightforward way to protect it in transit. But the configuration process, and SSL/TLS itself, can be confusing for first-time users.

There are many CAs from which you can get a certificate, and most of them charge for it. With Let's Encrypt you can get a valid, browser-trusted certificate for your domain at no cost. Its certificates are valid for 90 days and are meant to be renewed automatically, which matters for the keystore handling later in this guide.

This guide breaks the process of installing a Let's Encrypt certificate on a Tomcat server into easily understandable pieces:

Step 1 — Prerequisites

Before starting work on this task, I assume you already have:

  • A running CentOS system with shell access and sudo privileges.
  • A domain name registered and pointed at your server's public IP address. For this tutorial we use example.com and www.example.com, both pointing at our server.
  • A recent version of Java installed.
  • A recent version of Tomcat installed.
  • Ports 80 and 8443 open in your firewall (80 for the Let's Encrypt domain validation, 8443 for the TLS connector configured below).
  • OpenSSL installed.

Step 2 — Install Certbot

The certbot package is provided by EPEL. If the EPEL repository is not installed on your system, you can install it using the following command:

sudo yum install epel-release

Once the EPEL repository is enabled, install the certbot package by typing:

sudo yum install certbot

If you have an active firewall such as firewalld, open port 80 (certbot's standalone validation listens there) and port 8443 (the Tomcat TLS connector configured below). Note that the predefined https service only opens port 443, which Tomcat will not be listening on in this setup.

# firewall-cmd --add-service=http --permanent
# firewall-cmd --add-port=8443/tcp --permanent
# firewall-cmd --reload

Step 3 — Generate a key pair and get a certificate for the domain using Certbot

Let's Encrypt issues a certificate only after it has verified that you control the domain. With the standalone plugin, certbot starts its own temporary web server on port 80 to answer the ACME HTTP-01 challenge, so port 80 must be reachable from the internet and nothing else (including Tomcat) may be bound to it while the command runs. Certbot generates the key pair and requests one certificate covering every name you pass with -d:

sudo certbot certonly --standalone -d example.com -d www.example.com

If everything goes fine, the certificate and key are written under /etc/letsencrypt/live/, in a directory named after the first -d domain. Navigate to it and view the files:

cd /etc/letsencrypt/live/example.com

Files list (each entry is a symlink to the current version under /etc/letsencrypt/archive/, so the same paths keep working after a renewal):

  • privkey.pem: the private key for the certificate. Keep it readable by root only.
  • cert.pem: the server certificate on its own.
  • chain.pem: the intermediate certificate(s) linking cert.pem to a trusted root.
  • fullchain.pem: cert.pem followed by chain.pem; this is what servers such as Tomcat should be given.
  • README: certbot's own description of these files.

Step 4 — Convert the key pair and certificate to a Java keystore

First, create a PKCS12 file that contains both your full chain and the private key. You need OpenSSL for this; the command prompts for an export password, which you will need again in the next step.

openssl pkcs12 -export -out /tmp/example.com_fullchain_and_key.p12 \
-in /etc/letsencrypt/live/example.com/fullchain.pem \
-inkey /etc/letsencrypt/live/example.com/privkey.pem \
-name tomcat

Then convert that PKCS12 file to a JKS keystore using Java's keytool. (Tomcat can also load the .p12 directly when the connector sets keystoreType="PKCS12", in which case this conversion is optional; recent keytool versions warn that JKS is a proprietary format and recommend PKCS12 instead.)

keytool -importkeystore \
-deststorepass samplePassword -destkeypass samplePassword -destkeystore /tmp/example.com.jks \
-srckeystore /tmp/example.com_fullchain_and_key.p12 -srcstoretype PKCS12 -srcstorepass samplePassword \
-alias tomcat

Replace samplePassword with your password; -srcstorepass must be the export password you typed for openssl. Do not leave the keystore in /tmp: created with the default umask it is readable by every local user, and /tmp is periodically cleaned. Move it to a permanent location (for example under the Tomcat conf directory), owned by the tomcat user with mode 0600. Also keep in mind that Let's Encrypt certificates expire after 90 days, so this conversion has to be repeated after every renewal; certbot runs any executable placed in /etc/letsencrypt/renewal-hooks/deploy/ after each successful renewal, which is the right place to automate it.
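The following certbot deploy hook is an added example, not part of the original guide, that automates Step 4 after every renewal: certbot runs it with RENEWED_LINEAGE set to the renewed live directory, and the script rebuilds the PKCS12 keystore from the fresh fullchain.pem and privkey.pem, checks that the keystore opens with the configured password, fixes ownership and restarts Tomcat. The keystore path, the root-only password file, the tomcat service account and the systemd unit name are assumptions; adjust them for your host. It uses PKCS12 directly (keystoreType="PKCS12" in the connector) so keytool is not needed.

```shell
#!/bin/sh
# Certbot deploy hook for Tomcat (added example, not from the original page).
# certbot runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a
# successful renewal, with RENEWED_LINEAGE set to the live directory of the renewed
# certificate (e.g. /etc/letsencrypt/live/example.com). This script rebuilds the
# PKCS12 keystore from the fresh fullchain.pem/privkey.pem and restarts Tomcat.
# Assumed, adjust for your host: keystore path, password file, service account, unit name.
set -eu

KEYSTORE="${KEYSTORE:-/etc/tomcat/example.com.p12}"                    # assumed destination
KEYSTORE_PASS_FILE="${KEYSTORE_PASS_FILE:-/etc/tomcat/keystore.pass}"  # assumed root-only file; same value as keystorePass in server.xml
KEYSTORE_OWNER="${KEYSTORE_OWNER:-tomcat}"                              # assumed service account
TOMCAT_SERVICE="${TOMCAT_SERVICE:-tomcat}"                              # assumed systemd unit

# build_keystore LINEAGE_DIR OUT_FILE PASSWORD
# Packs LINEAGE_DIR/fullchain.pem and LINEAGE_DIR/privkey.pem into a PKCS12 file
# under the friendly name "tomcat". The file is written with mode 0600 to a temp
# name and renamed into place, so Tomcat never sees a half-written keystore.
# Returns non-zero if openssl fails.
build_keystore() {
  lineage="$1"; out="$2"; pass="$3"
  umask 077
  tmp="$(mktemp "$out.XXXXXX")"
  # Older JVMs cannot read the PBES2/AES defaults of OpenSSL 3. If Tomcat reports it
  # cannot load the keystore, add: -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1
  openssl pkcs12 -export \
    -in "$lineage/fullchain.pem" \
    -inkey "$lineage/privkey.pem" \
    -name tomcat \
    -passout "pass:$pass" \
    -out "$tmp"
  mv "$tmp" "$out"
}

# keystore_ok FILE PASSWORD
# Returns 0 only if the PKCS12 MAC verifies with PASSWORD, i.e. the password
# configured in server.xml will actually open the file.
keystore_ok() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# keystore_cert_subject FILE PASSWORD
# Prints the subject of the leaf certificate stored alongside the key, so the
# hook's log line shows which certificate was installed.
keystore_cert_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Only act when invoked by certbot; running or sourcing the script by hand is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  pass="$(cat "$KEYSTORE_PASS_FILE")"
  build_keystore "$RENEWED_LINEAGE" "$KEYSTORE" "$pass"
  keystore_ok "$KEYSTORE" "$pass"
  chown "$KEYSTORE_OWNER" "$KEYSTORE"
  chmod 0600 "$KEYSTORE"
  echo "Installed $(keystore_cert_subject "$KEYSTORE" "$pass") into $KEYSTORE"
  systemctl restart "$TOMCAT_SERVICE"
fi
```

Install it as, for example, /etc/letsencrypt/renewal-hooks/deploy/tomcat-keystore.sh with mode 0700, and run a dry renewal (certbot renew --dry-run) to confirm certbot picks it up. After Tomcat restarts, confirm what it is serving from the outside with `openssl s_client -connect www.example.com:8443 -servername www.example.com </dev/null`, which should print a Let's Encrypt chain and "Verify return code: 0 (ok)".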

Step 5 — Configure Tomcat with the Java keystore

Now open Tomcat's server.xml. Its location depends on how Tomcat was installed: $CATALINA_HOME/conf/server.xml for a tarball install, /etc/tomcat/server.xml for the CentOS tomcat package.

# vim /etc/tomcat/server.xml

The default file defines a plain HTTP connector on port 8080:

<Connector port="8080" protocol="HTTP/1.1"
redirectPort="8443" />

Comment that connector out and, in its place, uncomment the one that uses the shared thread pool (also uncomment the <Executor name="tomcatThreadPool" .../> element that sits above the connectors in the default server.xml, otherwise the executor reference cannot be resolved). This is a thread-pool choice, not a TLS requirement; either connector works, as long as its redirectPort matches the port of the TLS connector defined next:

<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
redirectPort="8443" />

Next, define the TLS connector on port 8443. The keystoreFile and keystorePass attributes are required: without them Tomcat looks for a keystore at ~/.keystore with the password changeit, and the connector fails to start. Point keystoreFile at the JKS from Step 4 (after moving it out of /tmp); if you use the .p12 directly, add keystoreType="PKCS12". The protocol is the NIO implementation, because the blocking org.apache.coyote.http11.Http11Protocol was removed in Tomcat 8.5:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="/path/to/example.com.jks" keystorePass="samplePassword" />
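On Tomcat 8.5 and later there is a way to skip the keystore conversion entirely: the connector can read certbot's PEM files directly through an SSLHostConfig element. The fragment below is an added example, not from the original guide; it assumes the certbot lineage from Step 3 and a JVM that supports TLS 1.3 (Java 11 or newer; on Java 8 use protocols="TLSv1.2"). The Certificate paths are the ones certbot created, which is also why the page's SSL-connector style above is retained for older Tomcat versions.

```xml
<!-- Added example: TLS connector reading the Let's Encrypt PEM files directly
     (Tomcat 8.5+). Replaces the keystoreFile/keystorePass connector; the
     /etc/letsencrypt paths are the ones certbot created in Step 3. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <!-- Only TLS 1.2 and 1.3; TLSv1.3 needs Java 11+ with JSSE. -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/example.com/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/example.com/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/example.com/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The catch is file access: certbot keeps /etc/letsencrypt/live and /etc/letsencrypt/archive readable by root only, while Tomcat runs as its own user. Either copy the three files to a Tomcat-owned location from a certbot deploy hook (and restart Tomcat there, since Tomcat reads the files at startup), or grant the tomcat group read access to the lineage directory and the private key. Do not simply make privkey.pem world-readable.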

Note that redirectPort on its own does not redirect anything. Tomcat sends a plain-HTTP request to the redirectPort only when the application (or the global conf/web.xml) declares a security constraint with <transport-guarantee>CONFIDENTIAL</transport-guarantee> for that URL; without such a constraint, port 8080 keeps serving the application over plain HTTP.
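The following web.xml fragment, an added example rather than part of the original guide, is what actually makes Tomcat redirect http://www.example.com:8080/ to https://www.example.com:8443/: the security constraint forces a confidential transport for every URL, and Tomcat's HttpHeaderSecurityFilter adds a Strict-Transport-Security header so returning browsers skip the plain-HTTP hop altogether. Put it in the application's WEB-INF/web.xml, or in Tomcat's conf/web.xml to apply it to every deployed application. The one-year HSTS max-age is an assumption; start lower while testing, because browsers cache it.

```xml
<!-- Added example: force HTTPS for the whole application (Tomcat conf/web.xml or
     the app's WEB-INF/web.xml). The redirect target is the connector's
     redirectPort, here 8443. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <!-- CONFIDENTIAL: requests arriving over plain HTTP are redirected to redirectPort -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<!-- Tomcat's bundled filter adds Strict-Transport-Security on HTTPS responses,
     so browsers that have seen it once go straight to HTTPS. max-age of one
     year is an assumed value; use a short one while testing. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>hstsEnabled</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>hstsMaxAgeSeconds</param-name>
        <param-value>31536000</param-value>
    </init-param>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
</filter-mapping>
```

Because the redirect goes to the connector's redirectPort, users end up on port 8443 in the address bar. If you want plain https://www.example.com/ instead, run the TLS connector on port 443 (which needs root or the CAP_NET_BIND_SERVICE capability for the tomcat user) or put a reverse proxy in front of Tomcat, and change redirectPort accordingly.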

Now restart Tomcat (sudo systemctl restart tomcat for the package install, or catalina.sh stop followed by catalina.sh start for a tarball install) and open https://www.example.com:8443/ in a browser; the certificate should show as issued by Let's Encrypt with no warning.

Your Tomcat server, and every application deployed on it, now serves TLS on port 8443. Remember that port 8080 still answers plain HTTP unless you redirect it with a security constraint or close it at the firewall, and that the certificate must be renewed and re-imported into the keystore every 90 days.


Mahdi Mashrur Matin, CA Manager, BGD e-GOV CIRT