How to enable HTTPS in Tomcat

In order to configure your Tomcat for HTTPS, you must first generate a server certificate for your web site. To do this, you can use the keytool command, which comes with your JDK or JRE. You'll need to open a command shell, and your shell will need to know how to find your Java runtime environment properly. To do this on Windows, type the following commands into your command shell if you have a JDK installed:

C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16
C:\> set PATH=%JAVA_HOME%\bin;%PATH%

or, if you have a JRE, type these commands:

C:\> set JAVA_HOME=C:\Program Files\Java\jdk1.6.0_16
C:\> set PATH=%JAVA_HOME%\bin;%PATH%

[ See also: How to configure Tomcat to always require HTTPS and How to restrict access to web applications in Tomcat ]

On Linux, it's very similar. For the JDK (as root):

# export JAVA_HOME=/usr/java/latest
# export PATH=$JAVA_HOME/bin:$PATH

Make sure you change /usr/java/latest to the root directory path of your JDK. For a JRE, type:

# export JRE_HOME=/usr/java/latest
# export PATH=$JRE_HOME/bin:$PATH

Then, test it by running:


You should see the keytool command's help text. If not, you probably have the wrong path to your Java runtime, or it is not installed properly.

Next, type these commands to generate a self-signed server certificate:

keytool -genkeypair -alias tomcat -keyalg RSA -keysize 1024 -dname "CN=localhost, OU=Organization, O=Company Name, L=City, S=State, C=US" -validity 365 -keystore keystore Enter keystore password: <enter a new password here> Enter key password for <tomcat>         (RETURN if same as keystore password): <just hit enter here>

The password you enter in the first password prompt will be the password for the keystore where your server certificate is stored.

Next, edit your Tomcat's conf/server.xml to enable the HTTPS connector. Look for a connector that looks like this:

<!--         <Connector port="8443" protocol="HTTP/1.1"     SSLEnabled="true"                 maxThreads="150" scheme="https"     secure="true"                 clientAuth="false" sslProtocol="TLS" /> -->

By default, it is commented out. To uncomment it, remove the line just before the element, and also the line just after it. Then, add the attributes keystoreFile and keystorePass, so that it looks like this:

        <Connector port="8443" protocol="HTTP/1.1"     SSLEnabled="true"             maxThreads="150" scheme="https"     secure="true"                 clientAuth="false" sslProtocol="TLS"                 keystoreFile="conf/keystore" keystorePass="your password" />

If you're running Tomcat on Windows, you may set the port number to 443, which is the default HTTPS port number. On non-Windows operating systems you can only do that if you run Tomcat as root, which we don't recommend.

Once you've completed the steps above, restart Tomcat, and try connecting to Tomcat over HTTPS with a URL such as https://localhost:8443 (you have to specify both "https" and port 8443 if you have configured it to listen on port 8443). Your web browser will warn you about the self-signed certificate, but otherwise it should work.

To fix that warning you'll need to purchase a commercial HTTPS certificate and install it. See the instructions on how to do this in Chapter 6: Security of the book Tomcat: The Definitive Guide (O'Reilly).

Today's tip was provided by sdozen12 on behalf of MuleSoft

Do you have a question on installing, configuring, or deploying Apache Tomcat? Submit it here.


Want to cash in on your IT savvy? Send your tip to If we post it, we'll send you a $25 Amazon e-gift card.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon