TomcatExpert

Using OpenSSL to configure SSL certificates for Apache Tomcat

posted by SpringSource on December 28, 2009 06:12 PM

This article will discuss how to use the popular open source implementation of the SSL protocol, OpenSSL, to create Certificates of Authentication (CAs) on Apache Tomcat.

Secure Sockets Layer (SSL) is a common technology that web operations teams use to allow web browsers and web servers to communicate via a secured connection. Data is encrypted by a two-way process, where both the server and browser are capable of encrypting, transmitting, and also decrypting messages sent by the other side prior to any processing.

An important component of the SSL protocol is how the server manages authentication. During the initial attempt to communicate with a web server over a secure connection, the secured server will present the web browser with a set of credentials, known as a Certificate of Authentication or CA, as validation that the site is who and what it claims to be. 

Caveats:

1. These steps are for Windows. You will need to modify paths, etc. as necessary for your OS.
2. These steps assume no prior CA configuration. Skip the first section if you already have a CA.
3. Default passwords are used for the Java key stores. Change these to strong passwords in a production environment.
4. You should only need the Java trust store if you will be accepting client certificates generated by your CA.
5. Any client will need to import the CA cert as a trusted cert.

This process has been tested with the latest Tomcat 6.0.x source, IE 7 and Firefox 3. Older Tomcat versions may not have the trust store options. In this case the CA cert should be imported into the JDK trust store.

Configure the CA
================

1. Setup the file structure for your CA

D: 
mkdir \certs 
mkdir \certs\ca 
cd \certs\ca 
mkdir certs private newcerts 
echo 1000 > serial 

2. Create a blank file called index.txt in

D:\certs\ca


3. Copy openssl.cnf to your certs directory

4. Edit openssl.cnf and modify the following line in the CA section

dir=d:\certs\ca


5. Edit openssl.cnf and modify the certificate defaults as appropriate for your environment

6. Create a CA with a 10-year certificate

D: 
cd \certs\ca 
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private\cakey.pem -out cacert.pem -config D:\certs\openssl.cnf 


Create a host certificate
=========================

1. Create a certificate request for tomcat

D: 
cd \certs\ca 
openssl req -new -nodes -out tomcathost-req.pem -keyout private\tomcathost-key.pem -config D:\certs\openssl.cnf

2. Sign the certificate request to create a 2-year certificate

openssl ca -days 730 -config D:\certs\openssl.cnf -out tomcathost-cert.pem -infiles tomcathost-req.pem 


Convert certificates to Java Key Store format
=============================================

1. Convert CA cert

openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER 

2. Convert tomcat host key and cert

openssl pkcs8 -topk8 -nocrypt -in private\tomcathost-key.pem -inform PEM -out private\tomcathost-key.der -outform DER 
openssl x509 -in tomcathost-cert.pem -inform PEM -out tomcathost-cert.der -outform DER 

3. Download ImportKey.class here and copy this file to

D:\certs\ca


4. Import the tomcathost key and cert into a Java key store

java -Dkeystore=tomcathost.jks ImportKey private\tomcathost-key.der tomcathost-cert.der 

5. Import the CA cert into a Java trust store

keytool -importcert -alias CA -file cacert.der -keystore trust.jks 
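The CA setup, the host-certificate issuance and the DER conversions (steps 1 and 2 above), as an added POSIX-shell example that is not the article's own code: it assumes the openssl CLI, a scratch directory in place of D:\certs, a constructed "Demo CA" subject, an unencrypted CA key (the article's interactive run encrypts it), and a minimal inline openssl.cnf that also gives the host cert a serverAuth EKU and a DNS SAN, so the result can be checked with openssl verify.

```shell
#!/bin/sh
# Added example, not from the article: the same CA layout, a 10-year CA cert, a 2-year
# host cert signed with 'openssl ca', DER conversion, and a chain check. Assumes POSIX sh + openssl.
set -eu
# Stand-in for the article's openssl.cnf; 'dir' is the line the article has you edit.
write_openssl_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
extendedKeyUsage = serverAuth
subjectAltName = DNS:tomcathost
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = ./certs/ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
}
build_demo_pki() (   # $1 = scratch directory; runs in a subshell so the cd does not leak
  cd "$1" && ca=certs/ca && mkdir -p $ca/certs $ca/private $ca/newcerts
  write_openssl_cnf certs/openssl.cnf && echo 1000 > $ca/serial && : > $ca/index.txt
  # CA cert ("Demo CA" is a constructed name). -nodes only because this demo is unattended.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 -extensions v3_ca -subj '/CN=Demo CA' \
    -keyout $ca/private/cakey.pem -out $ca/cacert.pem -config certs/openssl.cnf
  # Host request and key, then sign it for 2 years with the v3_server extensions.
  openssl req -new -nodes -newkey rsa:2048 -subj '/CN=tomcathost' \
    -keyout $ca/private/tomcathost-key.pem -out $ca/tomcathost-req.pem -config certs/openssl.cnf
  openssl ca -batch -days 730 -extensions v3_server -config certs/openssl.cnf \
    -out $ca/tomcathost-cert.pem -infiles $ca/tomcathost-req.pem
  openssl x509 -in $ca/cacert.pem -out $ca/cacert.der -outform DER   # DER forms for the Java import
  openssl pkcs8 -topk8 -nocrypt -in $ca/private/tomcathost-key.pem -out $ca/private/tomcathost-key.der -outform DER
)
# Prints OK when the host cert chains to cacert.pem, FAIL otherwise.
verify_host_cert() ( cd "$1/certs/ca" && openssl verify -CAfile cacert.pem tomcathost-cert.pem >/dev/null 2>&1 && echo OK || echo FAIL )
WORK=$(mktemp -d); build_demo_pki "$WORK"; verify_host_cert "$WORK"   # stand-alone demo run
```

The .der files it leaves under the scratch directory are the inputs for the ImportKey and keytool steps above.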


Configure Tomcat to use the new certificate for SSL
===================================================

1. Copy trust.jks and tomcathost.jks to %CATALINA_BASE%\conf

2. Modify the SSL connector in server.xml to:

maxThreads="150" scheme="https" secure="true" 
clientAuth="false" sslProtocol="TLS" 
keystoreFile="${catalina.base}/conf/tomcathost.jks" 
keystorePass="importkey" 
truststoreFile="${catalina.base}/conf/trust.jks" 
truststorePass="changeit" 

Comments

Examples using HttpClient and Servlet

After I have followed all the examples above, I need to use the Apache HttpClient and Servlet to make the connection. How can we accomplish this? Can anybody give some examples?

Error in import

When I tried to import the tomcathost key and cert into a Java key store the following error occurred:

java.io.FileNotFoundException: certs\ca\private\tomcathost-key.der (The system cannot find the file specified)
at java.io.FileInputStream.open(Native Method)
at java.io.FileInputStream.(Unknown Source)
at java.io.FileInputStream.(Unknown Source)
at ImportKey.fullStream(ImportKey.java:60)
at ImportKey.main(ImportKey.java:125)

and keytool is not recognized as well......

Please help me out of this...

Abhishek Kr. Goel

After configuring the way it

After configuring the way it is mentioned, when I access tomcat with https://localhost:8443, it says "UNtrusted site". Did I do anything wrong in configuration?
