
Goal: To use a self-signed cert with my dev Tomcat server.

Step 1: Create a certificate with openssl following this Ubuntu certificate guide:

openssl req -new -key server.key -out server.csr

I followed the self-signed NO password guidance.

Step 2: Update Tomcat config file /etc/tomcat7/server.xml

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
            keystoreFile="/etc/ssl/private/server.key" keystorePass=""
            maxThreads="150" scheme="https" secure="true"
            protocol="org.apache.coyote.http11.Http11AprProtocol"
            clientAuth="false" sslProtocol="TLS"/>

Step 3: Restart Tomcat:

sudo service tomcat7 stop
sudo service tomcat7 start

Test through Chrome browser on another computer:

All SSL connections to the server are refused, but standard HTTP connections work. Error details in Chrome:

Google Chrome's connection attempt to [domain] was rejected. The website may be down, or your network may not be properly configured.

I have seen a plethora of instructions on how to get this to work, but I am confused by the dizzying array of methods. Not least, some mention a keystore where others only mention cert files. Obviously my ignorance of the topic is in play here. Furthermore, I have a cert, but according to many guides I cannot import my key into a keystore, as there is no facility for that.

Both ports 443 and 8443 are open on the server.

Any guidance is appreciated!

Roy Hinkley

1 Answer


Tomcat needs a certificate stored in a Java keystore (JKS). Java usually comes with the keytool tool already installed. You should use keytool to generate a self-signed certificate like this:

keytool -genkey -alias mydomain -keyalg RSA -keystore keystore.jks -keysize 2048

Consult this site for more information on the use of keytool.

Henrik Pingel
  • Didn't even notice he was generating it with openssl and not keytool – Jacob Evans Oct 21 '15 at 14:29
  • I created a new key and keystore following the link's instructions using `keytool` and generated a keystore and key pair. I updated the `server config file` to point to the keystore and `restarted Tomcat`, and I still get the same error - HTTP still works. What am I not understanding? – Roy Hinkley Oct 21 '15 at 14:35
  • You should take a look in the server logs. I would change the `protocol` parameter to the default value `HTTP/1.1`, but without the logs it's just a guess. Maybe it's just a typo or permission error. – Henrik Pingel Oct 21 '15 at 14:45
  • I assume you are going to HTTPS://server:8443 – Jacob Evans Oct 22 '15 at 02:32
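The answer's keytool route, plus the conversion path for a key that was already generated with openssl (the questioner's "I cannot import my key into a keystore" problem), as an added example that is not part of the original question or answer. It assumes the alias `tomcat`, the store password `changeit`, the subject `CN=dev.example.test` and PKCS12 as the store type; none of those come from the page, and the password is a placeholder. Two things in the posted server.xml that this addresses: a JSSE connector needs `keystoreFile` to point at a keystore holding a private-key entry, not at a bare PEM key, and the `protocol` attribute is given twice, once as `HTTP/1.1` and once as the APR connector, which does not use `keystoreFile` at all (it takes PEM paths via `SSLCertificateFile`/`SSLCertificateKeyFile`).

```shell
#!/bin/sh
# Added example, not code from the original page. Builds a keystore Tomcat can
# read in two ways, checks that it holds a private key, and prints a corrected
# Connector element. Assumed values: alias "tomcat", password "changeit",
# subject CN=dev.example.test (all placeholders, replace for real use).
set -eu

ALIAS="tomcat"
STOREPASS="changeit"   # assumption: demo password only

# Path A: let keytool generate key pair + self-signed cert straight into a
# keystore, as the answer suggests. PKCS12 instead of JKS: Tomcat reads both
# when keystoreType is set, and PKCS12 is the portable, non-Java-specific one.
gen_with_keytool() {
    out="$1"
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -validity 365 -dname "CN=dev.example.test, O=Dev" \
        -storetype PKCS12 -keystore "$out" \
        -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Path B: you already have server.key / server.crt from openssl. keytool cannot
# import a bare private key, but it can read a PKCS#12 bundle, so wrap the
# key and cert with openssl; the -name becomes the keystore alias.
gen_with_openssl() {
    key="$1"; crt="$2"; out="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$crt" \
        -days 365 -subj "/CN=dev.example.test/O=Dev"
    openssl pkcs12 -export -inkey "$key" -in "$crt" -name "$ALIAS" \
        -out "$out" -passout "pass:$STOREPASS"
}

# The entry under the alias must be a PrivateKeyEntry. A trustedCertEntry is
# what you get from importing only the .crt, and a connector configured that
# way has no key to serve with, so it never starts listening.
has_private_key() {
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$STOREPASS" \
        -alias "$2" 2>/dev/null | grep -q PrivateKeyEntry
}

# Corrected connector: one protocol attribute (the default JSSE one), and the
# keystore attributes that go with it. Pass the path the .p12 was copied to.
print_connector() {
    store="$1"
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="$store" keystoreType="PKCS12" keystorePass="$STOREPASS"
           maxThreads="150"/>
EOF
}

# Client-side check: exit 0 means a TLS handshake completed (a self-signed cert
# still passes here); non-zero with "Connection refused" means no listener,
# i.e. the connector never started and catalina.out has the reason.
tls_listening() {
    host="$1"; port="$2"
    echo | openssl s_client -connect "$host:$port" -servername "$host" \
        >/dev/null 2>&1
}

main() {
    if ! command -v keytool >/dev/null 2>&1 || ! command -v openssl >/dev/null 2>&1; then
        echo "keytool and openssl are required for the keystore demo" >&2
        return 0
    fi
    tmp=$(mktemp -d)
    gen_with_keytool "$tmp/a.p12"
    has_private_key "$tmp/a.p12" "$ALIAS" && echo "keytool keystore: private key present"
    gen_with_openssl "$tmp/server.key" "$tmp/server.crt" "$tmp/b.p12"
    has_private_key "$tmp/b.p12" "$ALIAS" && echo "openssl->PKCS12 keystore: private key present"
    print_connector "/etc/tomcat7/tomcat.p12"
    rm -rf "$tmp"
}
main "$@"
```

After copying the .p12 into place, make it readable by the user Tomcat runs as and restart; then `tls_listening myhost 8443` separates "nothing is listening" (what the question describes) from "the browser dislikes the self-signed certificate" (handshake completes, warning page). If it is still refused, the connector failed to start and the stack trace in catalina.out names the cause (wrong password, wrong keystore type, unreadable file).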