Configuring Tomcat for TLS

Requirements

Private key

Server certificate

Certificate chain

Configuration in server.xml

File formats

Extension(s)           Encoding   Contents                    Notes
.pem .crt .cer .key    ASCII      Key, certificate or chain
.der                   Binary     Key, certificate or chain   Binary form of .pem
.p7b (PKCS7)           ASCII      Certificate or chain        No keys
.p12 (PKCS12)          Binary     Key, certificate or chain
.jks .keystore         Binary     Key, certificate or chain   Java specific (deprecated)

Which format?

Tomcat version   Connector          Implementation    Configuration                 Format
7.0.x or 8.0.x   BIO, NIO or NIO2   JSSE              JSSE                          Keystore (PKCS12 with Java 7+)
7.0.x or 8.0.x   APR/Native         OpenSSL           OpenSSL                       PEM
8.5.x or 9.0.x   NIO or NIO2        JSSE or OpenSSL   JSSE or OpenSSL (can't mix)   Keystore or PKCS12 (JSSE config), PEM (OpenSSL config)
8.5.x or 9.0.x   APR/Native         OpenSSL           OpenSSL                       PEM

Changes in 8.5.x onwards

Previously: 1 connector, 1 host name, 1 certificate

Now each connector can have multiple host names

Each host name can have multiple certificates

Change in configuration style

Old style is supported but deprecated
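An added server.xml fragment (not part of the original slides) showing the 8.5.x/9.0.x configuration style on one NIO connector: the default host name uses the JSSE (PKCS12 keystore) configuration with two certificates, a second host name selected by SNI uses the OpenSSL (PEM) configuration, and the deprecated old style is kept for comparison. File paths, host names, aliases and the password are placeholders; the second host relies on Tomcat 8.5 onwards reading PEM files with the JSSE implementation as well as with OpenSSL.

```xml
<!-- Added example, not from the original slides. Paths, host names,
     aliases and REPLACE_ME are placeholders to substitute with your own. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true">
  <!-- Default host, JSSE configuration: key and certificate come from a
       PKCS12 keystore. Two certificates on one host name; with more than
       one Certificate per SSLHostConfig, type is required and must be
       unique, and the server picks the one matching the negotiated cipher. -->
  <SSLHostConfig hostName="_default_"
                 protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="conf/example-rsa.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="REPLACE_ME"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
    <Certificate certificateKeystoreFile="conf/example-ec.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="REPLACE_ME"
                 certificateKeyAlias="tomcat"
                 type="EC" />
  </SSLHostConfig>

  <!-- Second host name on the same connector (chosen via SNI), OpenSSL
       configuration: PEM key, certificate and chain files. A Certificate
       uses either keystore attributes or PEM attributes, never both. -->
  <SSLHostConfig hostName="www.example.com"
                 protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeyFile="conf/www-example-key.pem"
                 certificateFile="conf/www-example-cert.pem"
                 certificateChainFile="conf/www-example-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Deprecated old style (still accepted on 8.5.x): everything sits on the
     Connector itself, so one connector means one host name and one
     certificate. Shown commented out for comparison only.
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/example-rsa.p12" keystorePass="REPLACE_ME" />
-->
```

Drop TLSv1.3 from protocols if the Java runtime or OpenSSL build in use does not support it, and keep the keystore password out of a world-readable server.xml (restrict the file's permissions to the Tomcat user).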

Generating keys and certificates

OpenSSL for Linux - package manager

OpenSSL for Windows - Tomcat Native binary

Keytool - JRE/JDK

openssl.cnf - GitHub

script

Demonstration

Exercise

Create APR/native key and certificate

Create keystore key and certificate

Show 8.5.x, NIO working with both in turn