How to Set up HTTPS SSL on Tomcat

Published: December 1, 2025 (Updated: Dec 1, 2025)

Secure Your Java Applications: Easy Steps to Enable HTTPS (SSL) on Apache Tomcat


Hello tech enthusiasts, and welcome back to Darren’s Tech Tutorials!

In today’s tutorial, we are tackling a critical step for any Java application server: enabling secure communication. Apache Tomcat, the ubiquitous open-source Java Servlet Container developed by the Apache Software Foundation, needs to be protected, and that means setting up HTTPS.

While this guide focuses on using a self-signed certificate—perfect for development, testing, or internal environments—the underlying principles apply whether you are on Windows or Linux. We’ll show you how to use Java’s built-in keytool to generate the necessary certificate and configure Tomcat’s server.xml file for instant SSL functionality.

Let’s dive into securing your Tomcat server!


Prerequisites and Preparation

Before we begin, ensure you have the following ready:

  1. Apache Tomcat installed and running.
  2. Java Runtime Environment (JRE) or JDK installed, as we will be utilizing the keytool utility bundled with Java.
  3. Administrator access to your system (necessary for running commands and restarting services).

Since the keytool utility is located within your Java installation’s binary directory, we’ll start there.

Locating the Keytool

Navigate to your Java installation folder. For most systems, this will be similar to:

C:\Program Files\Java\jre[version]\bin\ on Windows, or $JAVA_HOME/bin on Linux.

Open your command prompt or terminal as an administrator from within this bin directory.

Note: All commands and the full XML configuration snippet are available on our supporting article here: https://darrenoneill.eu/?p=772


Step 1: Generating the Self-Signed SSL Certificate

We use the keytool to generate a Java Key Store (.jks) file which will contain our self-signed certificate and private key.

In your administrative command prompt, execute the following command (adjusting the -keystore path if your Tomcat installation is elsewhere):

keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\Apache Software Foundation\Tomcat\conf\localhost.jks"

The system will then prompt you for several pieces of information:

  1. Password: Enter a strong password. In the video demo, we used “password” for simplicity, but always use a secure password in a real environment. You will need this password later when configuring server.xml.
  2. First and Last Name (CN): This is the crucial part. If you are accessing the server via localhost, type localhost. If you are using a fully qualified domain name (FQDN), enter that name instead (e.g., app.yourdomain.com).
  3. Organizational details (OU, O, L, S, C): Fill in your organizational unit, organization name, city, state, and two-letter country code.

Once complete, keytool will confirm that the keystore file (localhost.jks) has been created and saved directly into your Tomcat configuration folder: [TOMCAT_HOME]/conf/.


Step 2: Configuring Tomcat’s server.xml for SSL

Next, we need to instruct Tomcat to listen for secure connections (HTTPS) and tell it where to find the key store we just generated.

  1. Navigate to your Tomcat installation directory: [TOMCAT_HOME]/conf/
  2. Open the server.xml file using a text editor (like Notepad++ or VS Code).
  3. Scroll down to where the default HTTP connector is defined (usually on port 8080).

We are going to add a new Connector block for SSL. You can place this immediately after the default HTTP connector block.

Paste the following configuration block, ensuring you customize the keystoreFile path and the keystorePass if they differ from your setup:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/localhost.jks"
           keystorePass="password" />

Key Configuration Details:

  • port="8443": This is the standard default port for HTTPS on Tomcat. You can change this if needed, but 8443 is common.
  • SSLEnabled="true": This explicitly tells the connector to handle SSL traffic.
  • keystoreFile: We use a relative path here, pointing to the localhost.jks file located inside the conf/ folder.
  • keystorePass: This must match the password you set when generating the key in Step 1.
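
The connector-level attributes keystoreFile, keystorePass, clientAuth and sslProtocol are deprecated in Tomcat 8.5 and 9 and were removed in Tomcat 10, where the same settings go in nested SSLHostConfig and Certificate elements. The block below is an added example of that form, not the configuration from the video or the supporting article; the protocols value, the placeholder password and certificateKeyAlias (matching -alias tomcat from Step 1) are assumptions to adjust for your setup.

```xml
<!-- Added example: the Step 2 connector in SSLHostConfig form (Tomcat 8.5 and later). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">

  <!-- certificateVerification="none" replaces clientAuth="false":
       the server does not request a client certificate.
       protocols lists the TLS versions the connector will negotiate
       (assumption: TLS 1.2 and 1.3 only; TLS 1.3 needs a JVM that supports it). -->
  <SSLHostConfig certificateVerification="none"
                 protocols="TLSv1.2+TLSv1.3">

    <!-- certificateKeystoreFile replaces keystoreFile; a relative path is
         resolved against CATALINA_BASE, so this is still conf/localhost.jks.
         certificateKeystorePassword replaces keystorePass and must match the
         password chosen in Step 1 (placeholder shown here).
         certificateKeyAlias matches the -alias tomcat used with keytool. -->
    <Certificate certificateKeystoreFile="conf/localhost.jks"
                 certificateKeystorePassword="CHANGE_ME_KEYSTORE_PASSWORD"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

Use this block instead of the attribute-style connector, not alongside it, since only one connector can bind port 8443.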

Save and close the server.xml file.


Step 3: Restarting and Testing Your Secure Tomcat Server

For the changes to take effect, you must restart the Tomcat service.

  1. Open your Windows Services panel (or use sudo systemctl restart tomcat on Linux).
  2. Locate the Apache Tomcat service and click Restart. Wait for the service to successfully stop and start again.

Verification

Now it’s time to test the new HTTPS connection!

  1. Open your web browser (Chrome, Firefox, Edge, etc.).

  2. Navigate to the following URL:

    https://localhost:8443
    

Because this is a self-signed certificate (meaning it was not issued by a known Certificate Authority), your browser will display a security warning (e.g., “Your connection is not private,” or “Potential Security Risk”).

This is expected! Since you generated the certificate yourself and know it is safe, simply click to Proceed or Continue to the website.

You should now see the familiar Tomcat homepage, but the URL bar will confirm you are connected securely over HTTPS on port 8443! Congratulations, your server is now listening for secure traffic.


Conclusion

Setting up basic SSL on Apache Tomcat using a self-signed certificate is a fast and easy way to ensure a secure foundation for development and testing environments. By mastering the Java keytool and understanding the configuration within server.xml, you’ve taken a crucial step in application security.

Thanks for watching, and happy coding!