Recently I needed to generate a self-signed SSL cert for Apache Tomcat 5.5 on my Ubuntu Linux server. The basic process is to create a Java keystore with the self-signed cert, change Tomcat’s configuration file, and restart the server. Here’s how I did it:
$ keytool -genkey -alias tomcat -keyalg RSA -keystore mycert.jks
Enter keystore password: changeit
What is your first and last name?
  [Unknown]: Chris Barber
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]: CB1, INC.
What is the name of your City or Locality?
  [Unknown]: Minneapolis
What is the name of your State or Province?
  [Unknown]: MN
What is the two-letter country code for this unit?
  [Unknown]: US
Is CN=Chris Barber, OU=Unknown, O="CB1, INC.", L=Minneapolis, ST=MN, C=US correct?
  [no]: yes
Enter key password for <tomcat>
  (RETURN if same as keystore password):
By default, Tomcat assumes the keystore password is “changeit”. You can choose a different password, but then you must set the keystorePass attribute in Tomcat’s configuration file. Either way, the password for the keystore and the password for the key MUST be the same. Store the keystore in a safe place, such as Tomcat’s configuration folder:
Next edit Tomcat’s server configuration file:
Locate the SSL connector declaration, uncomment it, and add the keystoreFile path:
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           keystoreFile="/etc/tomcat5.5/mycert.jks"
           clientAuth="false" sslProtocol="TLS" />
Save the changes and restart Tomcat:
$ sudo /etc/init.d/tomcat5.5 restart
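The same steps as a small script, added here as an example rather than something from the original post: it runs keytool without the interactive prompts, forces the key password to equal the keystore password (which Tomcat 5.5 requires), verifies the result, and prints the Connector element with keystorePass only when the password is not the default. It assumes keytool is on the PATH; the DN values and file names are constructed samples.

```shell
#!/bin/sh
# Added helper for the procedure above (not from the original post). Assumes
# keytool is on PATH; the DN fields passed in are constructed sample values.
set -eu

# Build the -dname string that keytool otherwise asks for interactively.
# Commas inside a field (e.g. O="CB1, INC.") must be escaped as '\,'.
make_dname() {
  # $1=CN $2=O $3=L $4=ST $5=C
  printf 'CN=%s, OU=Unknown, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5"
}

# Create the keystore without prompts. The key password is deliberately set to
# the keystore password: Tomcat 5.5 expects them to match. Passwords given on
# the command line show up in 'ps', so run this as the tomcat user, not over a
# shared shell (newer JDKs also accept -storepass:file to avoid that).
gen_keystore() {
  # $1=keystore path $2=password $3=dname
  keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$1" -storepass "$2" -keypass "$2" -dname "$3"
  chmod 600 "$1"   # the file holds the private key; nobody else needs to read it
  # Fail loudly if the alias or password is wrong before touching server.xml.
  keytool -list -keystore "$1" -storepass "$2" -alias tomcat >/dev/null
}

# Emit the Connector element for server.xml. keystorePass is only added when
# the password is not Tomcat's default "changeit".
connector_xml() {
  # $1=keystore path $2=password
  pass_attr=""
  [ "$2" = "changeit" ] || pass_attr=" keystorePass=\"$2\""
  printf '<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"\n'
  printf '           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"\n'
  printf '           disableUploadTimeout="true" acceptCount="100" scheme="https"\n'
  printf '           secure="true" keystoreFile="%s"%s\n' "$1" "$pass_attr"
  printf '           clientAuth="false" sslProtocol="TLS" />\n'
}

# Usage: sh gen-tomcat-cert.sh /etc/tomcat5.5/mycert.jks changeit
if [ "$#" -ge 2 ]; then
  gen_keystore "$1" "$2" "$(make_dname 'Example Admin' 'Example Org' Minneapolis MN US)"
  connector_xml "$1" "$2"
fi
```

Paste the printed element over the commented-out connector in server.xml, then restart Tomcat as shown above.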
You should be good to go at this point. Launch your favorite web browser and go to https://localhost:8443.
Now you are secure and ready to rock.