Setting up Apache Tomcat SSL

This week, let's look at setting up Apache Tomcat SSL.

It goes without saying that this is a technical article and we assume you are familiar with tech stuff.

We'll also assume you have a Java JKS keystore file already generated. If you don't, you can generate a self-signed certificate (good for 10 years) using the following command:


keytool -genkey -keyalg RSA -alias tomcat -keystore keystore.jks -validity 3650 -keysize 2048


When you run this command, it will ask you a bunch of questions. The very first question, "First and Last Name", is actually asking for your full server name. Also note that the alias for the cert is "tomcat".

So make sure to type something like "" and not "John Doe". This will generate a keystore file named keystore.jks. Remember the file location of this keystore.


Tomcat 7 and Tomcat 8 have slightly different configuration setups. Both cases below will set up SSL on port 8443.

Tomcat 7

Add the following block into the server.xml file located in the $TOMCAT_HOME/conf directory:
 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" keyAlias="tomcat" maxSpareThreads="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100"
               keystoreFile="[full path to keystore]" keystorePass="[password of keystore]" debug="5" keystoreType="JKS" SSLEngine="on" SSLVerifyDepth="2"
               clientAuth="false" sslProtocol="TLS"/>

Tomcat 8

Add the following block into the server.xml file located in the $TOMCAT_HOME/conf directory:
 <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200"
 scheme="https" secure="true" SSLEnabled="true"  keystoreFile="[full path to keystore]" 
 keystorePass="[password of keystore]" clientAuth="false" sslProtocol="TLS"/>
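
Before restarting Tomcat, it helps to check the edited server.xml for the mistakes that most often stop the 8443 connector from starting: a missing quote, a placeholder left unreplaced, or a wrong keystore path. The script below is an added example, not part of the original article or of Tomcat; the function name, the sample XML and the /opt/tomcat path are constructed for illustration, and it assumes keystoreFile is a full path as instructed above.

```python
import os
import xml.etree.ElementTree as ET

REQUIRED = {"scheme": "https", "secure": "true"}

def check_ssl_connectors(xml_text, file_exists=os.path.isfile):
    """Return a list of problems found in the SSL <Connector> elements."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A missing quote around an attribute value lands here.
        return ["not well-formed XML: %s" % exc]
    problems = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # plain HTTP or AJP connector, nothing to check
        where = "Connector port=%s" % conn.get("port", "?")
        for attr, want in REQUIRED.items():
            if conn.get(attr, "").lower() != want:
                problems.append('%s: %s should be "%s"' % (where, attr, want))
        for attr in ("keystoreFile", "keystorePass"):
            value = conn.get(attr)
            if not value:
                problems.append("%s: %s is not set" % (where, attr))
            elif value.startswith("[") and value.endswith("]"):
                problems.append("%s: %s is still a placeholder" % (where, attr))
        path = conn.get("keystoreFile", "")
        if path and not path.startswith("[") and not file_exists(path):
            problems.append("%s: keystore %s not found" % (where, path))
    return problems

# Constructed sample inputs (not real server.xml files).
GOOD = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="/opt/tomcat/conf/keystore.jks" keystorePass="example-only"
             clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""
BROKEN_QUOTE = GOOD.replace('keystorePass="example-only"', 'keystorePass=example-only"')
PLACEHOLDER = GOOD.replace("/opt/tomcat/conf/keystore.jks", "[full path to keystore]")

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("broken quote", BROKEN_QUOTE),
                       ("placeholder", PLACEHOLDER)):
        # file_exists is stubbed so the samples run on any machine
        print(name, "->", check_ssl_connectors(text, file_exists=lambda p: True))
```

To check a real installation, pass the contents of $TOMCAT_HOME/conf/server.xml and leave file_exists at its default so the keystore path is tested on disk.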