Tomcat, developed by the Apache Software Foundation, is a popular open-source web server that lets you run Java servlets and serve pages written with JavaServer Pages (JSP). For many people, it isn’t just reliable. It also offers unmatched versatility for hosting web applications. When it comes to securing your Tomcat server with SSL/TLS encryption, you also enjoy more flexibility than with other servers.
Comodo SSL certificates are famed for their robust security features. They offer 256-bit encryption strength and a 2048-bit RSA signature key. And what’s more, they’re trusted by 99.9% of mobile and web browsers.
Steps to Install an SSL/TLS Certificate in Tomcat
To install an SSL/TLS certificate in Tomcat, you will need your Certificate Signing Request (CSR) ready. Here are two ways to create a CSR in Tomcat:
1. Using keytool
- Step 1: Create a new keystore using the keytool command: Make sure the java/bin/ directory is added to your PATH before running the keytool command. See this example:

You should be prompted to enter a password for the keystore. The password you set should not just be hard to guess. It should also be easy for you to remember. You can simplify the process with a good password manager.
- Step 2: Organization details: After that, you’ll need to provide some organization details, like your first and last name (which represents the Common Name or Domain Name), organizational unit name, organization name, city or locality, state or province, and the two-letter country code. Enter ‘y’ or ‘yes’ to confirm that the information you provided is correct. Finish by confirming your password once again.
2. Using a Command
Instead of working through all the CSR generation instructions and prompts, you can just run the command below:

- Next, run the command below to create the CSR using the keytool command:

- Enter the keystore password you chose when creating the keystore. If you enter the correct password, your CSR will be generated and saved in a file named DOMAIN.CSR.
Installation Instructions:
- Step 1: Download the Certificate from the CA: Begin by downloading the certificate file provided by your CA, Comodo. Save the downloaded file in the same directory where you saved your keystore when generating the CSR.
- Step 2: Install the Root Certificate: To install the Root certificate into your keystore, enter the following command, replacing “ROOTCERTFILENAME.CRT” with the actual filename:

When prompted, enter the keystore password you chose during keystore creation. You’ll be asked if you want to add the certificate to your own keystore. Select “Yes”. You should receive a confirmation message for successful installation after that.
- Step 3: Install Intermediate Certificates: If you have received intermediate certificates from the CA, install them using the following command:

Repeat this step for each intermediate certificate, ensuring they are installed in numerical order.
- Step 4: Install the Primary Certificate: Install the primary certificate for your domain using the following command:

You should receive a confirmation message for successful installation. At this point, your keystore should have all the certificates successfully installed.
- Step 5: Configure the SSL Connector: To enable secure connections in Tomcat, you need to configure an SSL Connector. You can do this in two ways:
Option 1: Editing the server.xml file
- Open the server.xml file located in your Tomcat’s home directory folder using a text editor. Once opened, locate the connector you want to secure (typically the one with port 443 or 8443).
- If necessary, remove the comment tags (<!-- and -->) to uncomment the SSL connector configuration. After that, update the connector configuration with the correct keystore filename and password.
- Save the changes in the server.xml file.
Option 2: Use Tomcat admintool
- Start Tomcat and access the Tomcat admintool via http://localhost:8080/admin. Enter your admin username and password.
- In the left pane, choose “service” and then select “Create New Connector” from the right-side drop-down list.
- Choose “HTTPS” as the type.
- Enter the desired port number (443 or 8443).
- Provide the keystore name and password (if different from the default values), save the new Connector, and commit the changes.
- Step 6: Restart Tomcat: This is necessary for the changes to take effect.
And that’s it! You have successfully installed your SSL certificate. To verify if SSL is installed correctly on your Tomcat server, try these two options:
- Visit your website: Use “https://” in the URL and check for the padlock icon or “Secure” label in the browser’s address bar.
- Use tools: Use an online SSL checker tool to validate your SSL certificate and verify the proper installation of SSL/TLS on your server.
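The keytool sequence from the CSR and installation steps above, written out as an added example (these are not commands from the original page). A throwaway local CA created with keytool stands in for Comodo so the script runs offline, intermediate certificates are omitted, and every alias, file name, DN and password is a constructed placeholder.

```bash
#!/usr/bin/env bash
# Added example: keystore -> CSR -> root -> primary certificate, end to end.
# A throwaway local CA stands in for the commercial CA so this runs offline.
# Every name, alias, password and DN below is a constructed placeholder.
set -eu

PASS='example-Only-passphrase'   # placeholder; never hard-code a real one
WORK=$(mktemp -d)                # scratch directory for all generated files
KS="$WORK/tomcat.p12"            # keystore the Tomcat Connector would use
CA_KS="$WORK/local-ca.p12"       # stand-in for the CA's signing keystore
DNAME='CN=www.example.com, OU=IT, O=Example Org, L=City, ST=State, C=US'

# Wrapper so every call is non-interactive and uses the same store type.
kt() { keytool "$@" -storepass "$PASS" -storetype PKCS12; }

create_keystore_and_csr() {
  # Key pair under alias "tomcat"; -dname answers the organization prompts.
  kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 \
     -dname "$DNAME" -keystore "$KS"
  kt -certreq -alias tomcat -file "$WORK/domain.csr" -keystore "$KS"
}

sign_with_local_ca() {
  # What the CA does on its side: hold a root key and sign the CSR.
  kt -genkeypair -alias root -keyalg RSA -keysize 2048 -ext bc=ca:true \
     -dname 'CN=Example Local Root' -keystore "$CA_KS"
  kt -exportcert -alias root -rfc -file "$WORK/root.crt" -keystore "$CA_KS"
  kt -gencert -alias root -rfc -infile "$WORK/domain.csr" \
     -outfile "$WORK/domain.crt" -keystore "$CA_KS"
}

install_certificates() {
  # Root first, then the primary certificate under the SAME alias as the
  # private key, otherwise it is stored as a bare trusted cert with no key.
  kt -importcert -trustcacerts -noprompt -alias root \
     -file "$WORK/root.crt" -keystore "$KS"
  kt -importcert -trustcacerts -noprompt -alias tomcat \
     -file "$WORK/domain.crt" -keystore "$KS"
}

chain_length() {
  # Counts PEM certificates attached to the key entry: 2 = leaf + root.
  kt -list -rfc -alias tomcat -keystore "$KS" | grep -c 'BEGIN CERTIFICATE'
}

if command -v keytool >/dev/null 2>&1; then
  create_keystore_and_csr && sign_with_local_ca && install_certificates
  echo "chain length for alias tomcat: $(chain_length)"
else
  echo 'keytool not found: add the JDK bin directory to PATH' >&2
fi
```

A count of 1 means the key entry still holds only its self-signed placeholder, typically because the signed certificate was imported under a different alias than the private key.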
