SSL/TLS Support on Tomcat 8 or Older

This section provides a tutorial example on how to configure Tomcat 8 or older to support SSL/TLS for the HTTPS service.

If you are still using a Tomcat 8 or older release, you need follow this tutorial to configure SSL/TLS support.

1. Decide which certificate file format to use. Tomcat 8 or older release supports only 2 file formats: JKS and PKCS12. Both formats can be managed by the JDK command called "keytool". But PKCS12 can also be managed by the "openssl pkcs12" command.

2. Convert certificate files from PEM format to a single PKCS12 file, which is also called a keystore file. Then move it to the "conf" directory:

herong$ server.cert.pem server.key.pem > server.pair.pem

herong$ sudo openssl pkcs12 -export -out server.p12 -name "MyWeb" \
  -in server.pair.pem -certfile ca-chain.cert.pem 
Enter Export Password: TopSecret 
Verifying - Enter Export Password: TopSecret

herong$ mv server.p12 $TOMCAT_HOME/conf

3. Update the configuration file to turn on the HTTPS service, by opening the port="8443" connector and specifying certificate related settings. Don't forget to provide the keystorePass setting.

herong$ sudo vi conf/server.xml 

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" 
    keystoreFile="conf/server.p12" keystoreType="PKCS12" 

4. Restart Tomcat and check the log file. You should see the [https-jsse-nio-8443] connector started with no errors:

herong$ $TOMCAT_HOME/logs/

herong$ $TOMCAT_HOME/logs/

herong$ tail -100 $TOMCAT_HOME/logs/catalina.out
INFO: Starting ProtocolHandler ["http-bio-8080"]
Mar 10, 2024 02:54:35 org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Mar 10, 2024 02:54:35 org.apache.coyote.AbstractProtocol start
INFO: Server startup in 7046 ms

5. Open firewall for port 8443:

herong$ sudo firewall-cmd --zone=public --add-port=8443/tcp
herong$ sudo firewall-cmd --runtime-to-permanent

6. Try to open Tomcat home page with the HTTPS protocol in a Web browser: https://localhost:8443. You should see the home page displayed, if the certificate is valid.

7. Resolve certificate exception issues, if the certificate is self-signed, the Root CA certificate is not trusted, the certificate is expired, etc..

For more information on HTTPS service for Apache Tomcat 8, see "The HTTP Connector" document at

Table of Contents

 About This Book

 Introduction to Linux Systems

 Process Management

 Files and Directories

 Running Apache HTTP Server (httpd) on Linux Systems

Running Apache Tomcat on Linux Systems

 What Is Apache Tomcat

 Install Apache Tomcat on Linux

 Start/Stop Apache Tomcat

 Common Issues on Running Tomcat

 Turn on SSL/TLS Support on Tomcat

SSL/TLS Support on Tomcat 8 or Older

 Running PHP Scripts on Linux Systems

 Running MySQL Database Server on Linux Systems

 Running Python Scripts on Linux Systems

 Conda - Environment and Package Manager

 GCC - C/C++ Compiler

 OpenJDK - Open-Source JDK

 Graphics Environments on Linux

 SquirrelMail - Webmail in PHP

 Tools and Utilities


 Full Version in PDF/EPUB