DEV Community

Orestis Pantazos
Orestis Pantazos

Posted on • Updated on

🔑 Self-signed SSL certificate in Tomcat

#devops #opensource

Self-signed SSL certificate and add into Java truststore.

Step 1:

Generate the SSL certificate by running the following command

$ keytool -genkey -keyalg RSA -alias tomcat -keystore selfsigned.jks -validity 365 -keysize 2048

  • The number of days that indicates 365 is for which the certificate will be valid.
  • The selfsigned.jks is the key store file.
  • The aforementioned command exports the certificate that alias is tomcat.

By default, the key store password is set to changeit; you can use the keytool utility -storepasswd option to change it to something more secure.

Step 2:

The aforementioned command has some default sets, and also prompts the developer to enter additional information as shown below:

What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  Open DevOps
What is the name of your organization?
  [Unknown]:  opendevops.dev
What is the name of your City or Locality?
  [Unknown]:  Athens
What is the name of your State or Province?
  [Unknown]:  Attiki
What is the two-letter country code for this unit?
  [Unknown]:  GR
Is CN=localhost, OU=Profile Software, O=profilesw.com, L=Athens, ST=Greece, C=GR correct?
  [no]:  yes
Enter fullscreen mode Exit fullscreen mode

Step 4:

Verify the contents of keystore by running the given command

$ keytool -list -v -keystore selfsigned.jks

  • The keytool utility -list option lists the contents of a specified key store file.
  • The -v option tells the keytool utility to display certificate fingerprints in human-readable form.

Step 5:

Import the certificate into your application’s trust store. The keytool utility -import option installs a certificate from a certificate file in a specified trust store.

$ keytool -import -noprompt -trustcacerts -alias tomcat -file selfsigned.cer -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -storepass changeit

Step 6:

The certificate is already completed and can be used by Apache Tomcat server container by using the following configuration

<Connector port="8080" protocol="HTTP/1.1"
           redirectPort="443"
           disableUploadTimeout="false"/>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="selfsigned.jks" keystorePass="<password>"
           clientAuth="false" acceptCount="100"/>
Enter fullscreen mode Exit fullscreen mode

Step 7:

SSL port of the current instance is already for connection in https://localhost:443/.

https://www.opendevops.dev/self-signed-ssl-certificate-in-tomcat/

Top comments (2)

Collapse
 
satinder2000 profile image
satinder-2000

I ran the instructions above but got stuck-

In step 4 we ran command to generate a selfsigned.jks keystore but in the next step (5), we are using the selfsigned.cer file.

Nevertheless, I tried to import the generated selfsigned.jks but got a
keytool error: java.lang.Exception: Input not an X.509 certificate

Please advise.

Collapse
 
cygnustx profile image
CygnusTX

I know your question was 'forever' ago but some will have this question. The missing step, let's call it Step pre-5, is:

keytool -exportcert -file selfsigned.cer -keystore selfsigned.jks -alias tomcat

Read next

hirushafernando profile image

Automate Docker Image Building , Tagging And Publishing With Github Actions

Hirusha Fernando -

bekahhw profile image

What I learned from 29 Days of OSS Alternatives

BekahHW -

anmolbaranwal profile image

21 AI Tools that are changing the World

Anmol Baranwal -

saranshk profile image

Node.js 20.6 adds built-in support for .env files

saransh kataria -