Points To Remember

  • You need to have a SSL certificate o run an application/ server on https.
  • You can create a SSL certificate using keytool.
  • The keystore file for Java is available in Java/jre/lib/security/cacerts.
  • Default password of the keystore is "changeit".

Create a Keystore

You can make a SSL certificate by following the steps below.
  1. Open a Command-line or Terminal window and make sure you're in your home directory.
  2. Execute the following command in the terminal
    keytool -genkey -alias tomcat -keyalg RSA -validity 365
    NOTE, the validity parameter allows you to specify, in the number of days, how long the certificate should be valid for. The longer the time period, the less likely you are to need to recreate it. To recreate it, you'd need to delete the old one and then follow these instructions again.
  3. The response will look something like this:
    Enter keystore password: 
    Re-enter new password:
    What is your first and last name?
    [Unknown]: $MACHINE_NAME
    What is the name of your organizational unit?
    [Unknown]: Test
    What is the name of your organization?
    [Unknown]: Test
    What is the name of your City or Locality?
    [Unknown]: Test
    What is the name of your State or Province?
    [Unknown]: Test
    What is the two-letter country code for this unit?
    [Unknown]: US
    Is CN=$FULL_MACHINE_NAME, OU=Test, O=Test, L=Test, ST=Test, C=IN correct?
    [no]: yes
    For the keystore password you should enter "changeit" without the quotation marks.
The above steps will successfully create a keystore file by name .keystore in the home directory.

Create a Server Certificate 

Any application that wishes to securely connect to the Tomcat instance would need to import the certificate. You can export the certificate that's compatible with other JVM keystores by executing the following command:
keytool -export -alias tomcat -file server.crt

Adding Server Certificate to JVM keystore

You will now have to import the server.crt file created in the last step to the jvm's keystore, you can do it by following command.
keytool -import -file server.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -alias tomcat
You need to provide the password of your keystore( default password is "changeit") to successfully import the server.crt file to the jvm cacerts.

Useful Command for using keystore.

  1. Check all the certificates added to the keystore.
    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts -v
  2. Delete any certificate from keystore.
    keytool -delete -noprompt -alias ${certificate.alias}  -keystore ${keystore.file}
  3. Add a certificate to the keystore.
    keytool -export -alias tomcat -file ${server.crt}
  4. Change Java Keystore Password.
    keytool -storepasswd -new new_storepass -keystore keystore.jks
How to configure tomcat to run on HTTPS