In this tutorial we explain how you can access your Apache Tomcat via an SSL (HTTPS) connection.
1. Prerequisites
- Apache Tomcat is installed as explained in "Install Apache Tomcat on Windows"
- JDK is installed correctly
2. Generate self-signed certificate
First we have to generate a self-signed certificate and encryption key to secure our connection. On the command line, enter:

```
C:\>cd %JAVA_HOME%/bin
C:\Program Files\Java\jdk1.8.0_45\bin>keytool -genkey -alias tomcat -keyalg RSA
```
You will be asked to enter some information about your name, company etc.:
```
C:\Program Files\Java\jdk1.8.0_45\bin>keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:
What is your first and last name?
  [Unknown]:  Malte Sander
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:  Tutorial Academy
What is the name of your City or Locality?
  [Unknown]:  Munich
What is the name of your State or Province?
  [Unknown]:  Bavaria
What is the two-letter country code for this unit?
  [Unknown]:  DE
Is CN=Malte Sander, OU=Unknown, O=Tutorial Academy, L=Munich, ST=Bavaria, C=DE correct?
  [no]:  yes

Enter key password for <tomcat>
        (RETURN if same as keystore password):

C:\Program Files\Java\jdk1.8.0_45\bin>
```
The default password is changeit. We used TutorialAcademy. Now you should have a “.keystore” file in your USER folder.
3. Adapt Tomcat server.xml config for SSL
The port attribute (default 8443) is the TCP/IP port number on which Tomcat listens for secure connections. You can change this to any port, e.g. 443, the default port for HTTPS communications. However, on many operating systems a special setup is required to run Tomcat on port numbers lower than 1024.
Copy the following content into the server.xml located in the conf folder of your Tomcat installation.
```xml
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="TutorialAcademy"
    clientAuth="false" sslProtocol="TLS"/>
```
Preferably place it between the commented-out default SSL/TLS connector and the AJP connector, so that the section looks like this:
```xml
<!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
     This connector uses the NIO implementation that requires the JSSE
     style configuration. When using the APR/native implementation, the
     OpenSSL style configuration is required as described in the APR/native
     documentation -->
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />
-->

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${user.home}/.keystore" keystorePass="TutorialAcademy"
    clientAuth="false" sslProtocol="TLS"/>

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
```
Adapt the keystorePass (“TutorialAcademy”) attribute to the password you used when generating the self-signed certificate. Start or restart the Tomcat server afterwards.
If you changed the port number, you should also adapt the value of the redirectPort attribute on the non-SSL connector. Tomcat can automatically redirect users who try to access a page with security constraints (e.g. HTTPS) as specified in the servlet definition:
```xml
<!-- A "Connector" represents an endpoint by which requests are received
     and responses are returned. Documentation at :
     Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
     Java AJP  Connector: /docs/config/ajp.html
     APR (HTTP/AJP) Connector: /docs/apr.html
     Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
```
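The two points above that are easy to get wrong, a redirectPort left behind after the SSL port was changed and a keystore still using the default password changeit, can be checked mechanically. The following Python script is an added example, not part of the original tutorial or of Tomcat; the function name `audit_connectors` and the sample server.xml are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the SSL connector was moved to port 9443, but both other
# connectors still redirect to 8443 and the keystore password is the default.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <!-- <Connector port="8443" SSLEnabled="true" scheme="https" secure="true" /> -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443" maxThreads="200" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="${user.home}/.keystore"
               keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

def audit_connectors(server_xml):
    """Return a list of findings for the active <Connector> elements."""
    root = ET.fromstring(server_xml)      # commented-out connectors are skipped
    connectors = list(root.iter("Connector"))
    ssl_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    findings = []
    if not ssl_ports:
        findings.append('no connector has SSLEnabled="true"')
    for c in connectors:
        port = c.get("port")
        if port in ssl_ports:
            # An omitted keystorePass also means the default "changeit".
            if c.get("keystorePass", "changeit") == "changeit":
                findings.append(f"port {port}: keystorePass is the default 'changeit'")
            if c.get("scheme") != "https" or c.get("secure") != "true":
                findings.append(f"port {port}: scheme/secure not set for HTTPS")
        else:
            redirect = c.get("redirectPort")
            if redirect is not None and redirect not in ssl_ports:
                findings.append(f"port {port}: redirectPort {redirect} "
                                "does not match any SSL connector port")
    return findings

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Because keystorePass is stored in cleartext in server.xml, read access to that file should be restricted to the account that runs Tomcat.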
4. Test the configuration
In your browser, enter (adapt the port if you did so in the server.xml):
https://localhost:8443/
Depending on your browser, you have to accept the provided certificate and should be redirected to the standard Tomcat starting page.
If you have problems or questions, feel free to comment and ask.





