Tomcat Java Keystore

Posted onby admin
  1. Liferay Tomcat HTTPs Configuration. Keystore and SSLCertificateFile Approaches. This article explains how to configure HTTPs/SSL for Liferay bundled with Tomcat, using two different approaches.
  2. ### SSL Part 1: Creating Java SSL KeyStore (JKS) This is part one of a three-part series on how to configure a single SSL certificate for use on both Tomcat and Apache. I'll take you through creating a new Java KeyStore (JKS), submitting a Certificate Signing Request (CSR), and finally, importing the singed certificate into your KeyStore.

Save yourself some time: Use the DigiCert Java Keytool CSR Wizard to generate a Keytool command to create your Tomcat keystore and CSR. Simply fill out the form, click Generate, and then paste your customized Java Keytool command into your terminal.

Installing SSL Certificate Chain (Root, Intermediate(s) and the End Entity)

1. Import Root Certificate
-> keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore

2. Import Intermediate(s)
-> keytool -import -trustcacerts -alias intermediate_filename -file intermediate_filename.crt -keystore domain.keystore


Tomcat Keystore List

Depending on the type of certificate that was purchased, there may be more than one Intermediate certificate in the chain of trust. Please install all intermediates in numberical order until you get to the domain/end entity certificate.
In order to determine which chain of trust you have, please follow the article title Which is Root? Which is Intermediate?
Example:UTNAddTrustSGCCA.crt would become to UTNAddTrustSGCCA.
KeystoreTomcat Java Keystore

For more information on

3. Import Entity/Domain certificate
-> keytool -import -trustcacerts -alias mykey -file yourDomainName.crt -keystore domain.keystore
You should receive a message: Certificate reply was installed in keystore if successful. It should NOT match the output of Step 1 or 2 above.
Note: If an alias was specified upon creation of the CSR then please use that alias instead of mykey.

4. Restart the Web Server Service.
Note: Tomcat will first need an SSL Connector configured before it can accept secure connections. Please ensure this is set BEFORE the server is restarted.
Tomcat SSL Connector

Related Articles:

* CSR Generation: Java-based Webservers (using keytool)
* Which is Root? Which is Intermediate?

Tomcat Keystore File

* Tomcat SSL Connector

In this tutorial, you will learn how to deploy your Java Webapps on Tomcat with Docker.

Apache provides a large list of Docker images for running Tomcat as a container. In fact, there likely more Tomcat images than most any project hosted on Docker Hub. The caveat is they all run OpenJDK. While OpenJDK has come along ways since its inception, there are still some differences between it and Java JDK.

Docker Build

Your first step in running your web application with Tomcat in Docker is to build an Docker image for your app. We will cover two methods for building your image:

  • Adding artifacts from a previous Java build to the Tomcat base image.
  • Using Multistage builds to compile your Java Webapp and building a final, slim image based off of the Tomcat base image.
By default, no user is included in the “manager-gui” role required to operate the “/manager/html” web application. As part of your Docker image build, a tomcat-users.xml should be added.

Single Stage

A single stage Docker build is a basic build, and is the most commonly used method. With this approach it is expected that you already have all of the artifacts required, and that you are adding these artifacts to your image.

Multistage Build

A multistage build is a very handy way of compiling your application in a temporary container image, and then copying the artifacts into a final image. The benefit is all of our source files, build tools, and other dependencies do not become part of our final image, thus, minizing the final image size and security footprint.

In the example below, we are using the community supported OpenJDK image as our build base. Within this first stage of our dockerfile we are compiling our Java Webapp.


In the second stage we are using an official Tomcat image as our base. Artifacts generated during our build stage are then copied over to the final stage, and placed in Tomcat’s base directory. Also as part of our Docker build, we are adding a tomcat-users.xml to configure users permissions.

To build the image, run the docker build command and tag your image.

Test the newly created Docker image by running it using the docker run command.

If the container started correctly and Tomcat also started successfully, you should be able to access it by going to the following URL in your web browser.

Running Your Tomcat Container

When running a Docker container it should be started as a daemon, which essential runs it as a background service. You will also need to map a local port to the container’s exposed port. By default, the Tomcat image listens on port 8080. However, in our example we will map port 80 from our local machine to the container’s port 8080.

To run the container as a daemon use the -d flag, and to map local port 80 to the container’s port 8080 use the -p flag.

The above command will start a container named webap-1.0.0 using our webapp:1.0.0 image. To verify the container started successfully and is running, use the docker ps command.

For troubleshooting issues or monitoring application logs, use the docker logs command.

Configuring SSLTLS for Tomcat

Enabling SSLTLS on Tomcat is a two-part process that is not simply by any means, unfortunately. You can thank Java for this.

The first step is to create a keystore that will hold your certificate files securely. Your files will be encrypted and protected by a password to prevent unauthorized access.

The second step is configure Tomcat to use your keystore and to enable SSLTLS. This second step is fairly messy and how you enable depends on a lot of factors.

Creating a Keystore

Step 1: Create the Keystore

You will need Java installed on your local machine, whether it’s the official JDK or OpenJDK. The following example creates a new keystore at the ./webapp.keystore with an alias of webapp. You will be prompted to set a password for the keystore, and it is highly recommended that you do.

Step 2: Create a Certificate Signing Request (CSR)

If you do not already have a certificate and key file, you will need to generate a CSR. This CSR should then be submitted to a certificate authority of your choice, who will then supply you with a certificate file and key file to be used by your web application.

Step 3: Import the Certificate files

Once you have obtained the files from your certificate authority, it is time to import them into your keystore. The first file you will import is the root certificate, which should have been provided to you.

Second, you will import your certificate to ythe keystore.

You now have a keystore with the certificate that will be used to create secure TLSSSL connections to your web app. Next you will have to enable SSLTLS in Tomcat.

Configuring Tomcat

Enable TLSSSL in Tomcat is pretty messy, as result of how Java implemented it. We’re not going to cover this part in detail, since there are multiple ways of doing it depending on how you want to configure Tomcat.

Tomcat Keytool

The first step is to create a custom server.xml file, which will be used to point to your keystore and enable SSLTLS. A good starting point is to copy the server.xml file from the official Tomcat image.


To copy the server.xml from the image to your local filesystem, use the docker run command to start a new tomcat container, and then use docker exec to copy the server.xml file onto your local filesystem.

The server.xml file will look like the following.

Next, follow instructions on how to configure the server.xml file to use your keystore, its password, and enable SSLTLS. A great guide has bene published by Mulesoft.

Adding Keystore to Docker Image

It doesn’t matter where you place your keystore file, so long as Tomcat is able to access it. In our example below, we are placing the keystore in the root directory of our container. We are also copying our own custom server.xml file into the Docker image, since Tomcat needs to know where your keystore is located and its password.

Tomcat Java Keystore Location

Build Tomcat Image with SSL

Tomcat Java Keystore Location Windows

The final step is to build your updated Docker image with the keystore and custom server.xml file. We’re going to tag the example build with webap:1.0.0-tls as a way to communicate that this version is TLS enabled. However, this is an arbritrary tag that’s only useful if you need to differentiate between multiple images.