Installing SSL/TLS on Apache Tomcat requires using the Java KeyStore (.jks) format with the keytool utility (for traditional Java SSL) or configuring OpenSSL-based certificates (for Tomcat 8.5+ with APR). This guide covers both approaches.
Method 1: Java KeyStore (JKS) — Traditional Tomcat SSL
Step 1 — Generate Keystore and CSR
# Generate a private key and self-signed placeholder certificate in a Java KeyStore
# (the command is one line; the backslashes continue it across lines)
keytool -genkeypair -alias website -keyalg RSA -keysize 2048 \
    -keystore yourdomain.jks \
    -dname "CN=yourdomain.com, OU=IT, O=Your Company, L=City, ST=State, C=US" \
    -validity 365
# Generate CSR from the keystore
keytool -certreq -alias website -file yourdomain.csr -keystore yourdomain.jks
Submit yourdomain.csr to your Certificate Authority (CA).
Step 2 — Import the CA Certificate Chain
# Import the CA root and intermediate certificates first (one alias per certificate)
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore yourdomain.jks
# Import your signed certificate
keytool -import -trustcacerts -alias website -file yourdomain.crt -keystore yourdomain.jks
# Verify the chain is complete
keytool -list -v -keystore yourdomain.jks
Step 3 — Configure server.xml
# Edit /opt/tomcat/conf/server.xml
# Add or update the HTTPS connector:
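The connector below is an added example of the HTTPS connector for the keystore built in Steps 1 and 2; it is not taken from the original guide. It uses the Tomcat 8.5+ SSLHostConfig syntax with the NIO connector. Assumed values: port 8443, the keystore copied to conf/yourdomain.jks under the Tomcat base directory, keystore password "changeit", and the key alias "website" from Step 1.

```xml
<!-- Added example (not from the original guide): HTTPS connector backed by the JKS keystore.
     Assumed: port 8443, keystore at conf/yourdomain.jks, password "changeit", alias "website". -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true">
    <!-- Offer only TLS 1.2 and 1.3 and let the server pick the cipher; TLS 1.3 needs Java 11 or later -->
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
        <Certificate certificateKeystoreFile="conf/yourdomain.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="website"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Two things to check before restarting: keytool lets the private key have a password different from the keystore password, but Tomcat expects them to be equal unless certificateKeyPassword is set on the Certificate element; and because server.xml now holds the keystore password in clear text, both server.xml and the keystore should be readable only by the account Tomcat runs as.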
Method 2: OpenSSL PEM Certificates (Tomcat 8.5+)
# Use standard OpenSSL certificates (PEM format) directly in server.xml
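The connector below is an added example of the same HTTPS connector configured with PEM files instead of a keystore; it is not taken from the original guide. Tomcat 8.5 and later can load PEM files with the NIO connector shown here; switching protocol to org.apache.coyote.http11.Http11AprProtocol additionally requires the Tomcat Native (APR) library to be installed. Assumed file names under conf/: yourdomain.key (private key), yourdomain.crt (server certificate) and chain.crt (intermediate certificates, issuer of the server certificate first).

```xml
<!-- Added example (not from the original guide): HTTPS connector using PEM files (Tomcat 8.5+).
     Assumed files: conf/yourdomain.key, conf/yourdomain.crt, conf/chain.crt. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true">
        <!-- certificateChainFile holds the intermediates so clients receive the full chain -->
        <Certificate certificateKeyFile="conf/yourdomain.key"
                     certificateFile="conf/yourdomain.crt"
                     certificateChainFile="conf/chain.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

If the private key is encrypted, add certificateKeyPassword to the Certificate element; as with the keystore, keep the key file and server.xml readable only by the Tomcat service account.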
Restart and Verify
# Restart Tomcat
systemctl restart tomcat
# or: /opt/tomcat/bin/shutdown.sh && /opt/tomcat/bin/startup.sh
# Test SSL: the output should show the full certificate chain and "Verify return code: 0 (ok)"
# (redirecting stdin from /dev/null makes s_client exit instead of waiting for input)
openssl s_client -connect yourdomain.com:8443 -servername yourdomain.com </dev/null
