This document describes how to install an SSL certificate (JKS format) on a Tomcat server.
- The certificate name
cloud.tencent.comis used as an example.
- Tomcat 9.0.56 is used as an example.
- The current server OS is Windows Server 2016 Chinese. Detailed steps vary slightly with the OS.
- Before you install an SSL certificate, enable port 443 on the Tomcat server so that HTTPS can be enabled after the certificate is installed. For more information, please see How Do I Enable Port 443 for a VM?
- For more information about how to upload SSL certificate files to a server, please see Copying Local Files to CVMs.
|Server IP address||IP address of the server, which is used to connect the PC to the server.|
|Username||The username used to log in to the server.|
|Password||The password used to log in to the server.|
- For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to obtain the server IP address, username, and password.
- If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand is Wotrus, the option to download the JKS certificate file is not provided. Instead, you need to manually convert the format to generate a keystore as follows:
- Access the conversion tool.
- Upload the certificate and private key files in the Nginx folder to the conversion tool, enter the keystore password, click Submit, and convert the certificate to a .jks certificate.
Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
In the pop-up window, select JKS for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com.jks: keystore file
keystorePass.txt: password file (if you have set a private key password, this file will not be generated)
Copy the keystore file
cloud.tencent.com.jks to the
conf directory of the Tomcat installation directory.
server.xml file in the
conf directory by adding the following:
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" # Path of the certificate keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks" # Keystore password keystorePass="******" clientAuth="false"/>
For details about the
server.xml file, see below:
To avoid format issues, you are not advised to copy the content of
<Server port="8005" shutdown="SHUTDOWN"> <Listener className="org.apache.catalina.startup.VersionLoggerListener" /> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" /> <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> <GlobalNamingResources> <Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="conf/tomcat-users.xml" /> </GlobalNamingResources> <Service name="Catalina"> <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" /> <Connector port="443" protocol="HTTP/1.1" maxThreads="150" SSLEnabled="true" scheme="https" secure="true" clientAuth="false" keystoreFile="Tomcat installation directory/conf/cloud.tencent.com.jks" keystorePass="******" /> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> <Engine name="Catalina" defaultHost="cloud.tencent.com"> <Realm className="org.apache.catalina.realm.LockOutRealm"> <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/> </Realm> <Host name="cloud.tencent.com" appBase="webapps" unpackWARs="true" autoDeploy="true" > <Context path="" docBase ="Knews" /> <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs" prefix="localhost_access_log" suffix=".txt" pattern="%h %l %u %t "%r" %s %b" /> </Host> </Engine> </Service> </Server>
The main parameters of the configuration file are described as below:
keystorePass.txtfile in the Tomcat folder.
Confirm whether the Tomcat server is started.
If the Tomcat server is already started, you need to run the following .bat scripts in sequence in the
bin directory of the Tomcat installation directory to shut down and restart it:
shutdown.bat (Shut down the Tomcat server) startup.bat (Start the Tomcat server)
If the Tomcat server is not started, you need to run the following .bat script in the
bin directory of the Tomcat installation directory to start it:
If the server is started successfully, you can access it through ``https://www.tencentcloud.com/`.
If the browser address bar displays the security lock logo, it means that the certificate is installed successfully.
If the website access is abnormal, you can refer to the following solutions to common problems:
You can redirect HTTP requests to HTTPS by configuring the following settings:
web.xml file in the
conf directory of the Tomcat installation directory and find the
Insert a new line after
<\/welcome-file-list> and add the following:
<login-config> <!-- Authorization setting for SSL --> <auth-method>CLIENT-CERT</auth-method> <realm-name>Client Cert Users-only Area</realm-name> </login-config> <security-constraint> <!-- Authorization setting for SSL --> <web-resource-collection> <web-resource-name>SSL</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint>
server.xmlfile in the Tomcat installation directory by changing the
redirectPortparameter to the port of the SSL connector, i.e., port 443, as shown below:
<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
This change allows a non-SSL connector to redirect to an SSL connector.
Run the following .bat script in the
/bin directory of the Tomcat installation directory to shut down the Tomcat server:
Run the following command to confirm whether there is a problem with the configuration: