Version Overview

Tomcat 7.x
Deprecated
Tomcat 7 is an older release that supports Java 6/7. Its SSL configuration is relatively simple, but it lacks some modern security features. Maintenance stopped in 2021.
⚠️ Note: Tomcat 7 is no longer maintained and carries security risks. Upgrading to Tomcat 9 or 10 is strongly recommended.
Tomcat 8.x
Stable Version
Tomcat 8 supports Java 7/8 and introduced better SSL/TLS support, including full support for TLS 1.2. Its configuration method is similar to Tomcat 7.
Tomcat 9.x
Recommended Version
Tomcat 9 supports Java 8 and above, supports TLS 1.3, and provides better performance and security. It is currently the most widely used version.
✅ Recommended: Tomcat 9 is currently the most stable and recommended version, supporting all modern SSL/TLS features.
Tomcat 10.x
Current Version
Tomcat 10 supports Java 11 and above, uses Jakarta EE 9+ (migrated from Java EE), and provides the latest security features and performance optimizations.
⚠️ Important: Tomcat 10 uses Jakarta EE, which is incompatible with Tomcat 9 and below; code modifications are required when migrating.
Tomcat Version | Java Version Requirement | TLS 1.2 | TLS 1.3 | HTTP/2 | Status
Tomcat 7.x     | Java 6/7                 |         |         |        | Deprecated
Tomcat 8.x     | Java 7/8                 | ⚠️ Needs Configuration      | Stable
Tomcat 9.x     | Java 8+                  |         |         |        | Recommended
Tomcat 10.x    | Java 11+                 |         |         |        | Current

Certificate Format Conversion

Tomcat requires certificates in Java keystore format (.jks or .p12). If you receive .crt and .key files, you need to convert them to keystore format first.

Convert to PKCS12 Format using OpenSSL

# Merge certificate chain (if needed)
cat your_domain.crt intermediate_ca.crt > fullchain.crt

# Convert to PKCS12 format
openssl pkcs12 -export -out your_domain.p12 -inkey your_domain.key -in fullchain.crt -name tomcat

# The system will prompt you to set a password; keep this password safe

Convert to JKS Format using keytool (Optional)

# Convert from PKCS12 to JKS
keytool -importkeystore -srckeystore your_domain.p12 -srcstoretype PKCS12 -destkeystore your_domain.jks -deststoretype JKS

# Or create the JKS directly from the certificate and private key (convert to PKCS12 first)
💡 Tip: Tomcat 9+ recommends the PKCS12 format (.p12) because the JKS format has been marked as deprecated. Tomcat 10+ only supports the PKCS12 format.
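As an added example (not from the original page), the following POSIX shell functions wrap the conversion above and add the check a practitioner wants afterwards: that the intermediate certificates actually ended up in the keystore, since a missing intermediate is a common cause of handshake failures. It assumes openssl is on PATH; the file names and password are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Build a PKCS12 keystore for Tomcat
# from a PEM private key, a leaf certificate and zero or more intermediate CA
# certificates, then count the certificates stored in it.
# Usage: build_tomcat_p12 out.p12 'store-password' your_domain.key your_domain.crt intermediate_ca.crt

build_tomcat_p12() {
  out="$1"; pass="$2"; key="$3"; leaf="$4"; shift 4
  # Merge leaf + intermediates into one chain file; the leaf must come first
  chain="$(mktemp)"
  cat "$leaf" "$@" > "$chain"
  # -name tomcat: alias Tomcat uses when keyAlias is not set
  # -passout: avoids the interactive prompt; the same password protects the key
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$chain" \
      -name tomcat -passout "pass:$pass" || { rm -f "$chain"; return 1; }
  rm -f "$chain"
  chmod 600 "$out"   # the keystore holds the private key
}

# Number of certificates in the keystore: expect 1 (leaf) + number of intermediates.
# A lower count means the chain was not merged before export.
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}
```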

Connector Configuration

Tomcat SSL configuration is done in the server.xml file, where an HTTPS connector must be configured.

Basic HTTPS Connector Configuration

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/path/to/your_domain.p12"
           keystorePass="your_keystore_password"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS" />
📝 Configuration Notes:
  • port: HTTPS port, default 8443; production environments should use 443
  • keystoreFile: Keystore file path (absolute path)
  • keystorePass: Keystore password
  • keystoreType: Keystore type, PKCS12 or JKS
  • clientAuth: Whether to require a client certificate, usually set to false

Version Configuration Differences

Tomcat 7.x Configuration

<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="/path/to/your_domain.jks"
           keystorePass="password"
           keystoreType="JKS"
           clientAuth="false"
           sslProtocol="TLS" />

Tomcat 8.x Configuration

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/path/to/your_domain.p12"
           keystorePass="password"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS" />

Tomcat 9.x Configuration (Recommended)

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/path/to/your_domain.p12"
           keystorePass="password"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />

Tomcat 10.x Configuration

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/path/to/your_domain.p12"
           keystorePass="password"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" />
⚠️ Important Differences:
  • Tomcat 7 mainly uses the JKS format; Tomcat 8+ recommends PKCS12
  • Tomcat 9+ supports TLS 1.3; sslEnabledProtocols must be configured explicitly
  • Tomcat 10 only supports the PKCS12 format and no longer supports JKS
  • Tomcat 8.5+ defaults to the NIO protocol, which performs better

Keystore Management

View Keystore Contents

# View PKCS12 keystore
keytool -list -v -keystore your_domain.p12 -storetype PKCS12

# View JKS keystore
keytool -list -v -keystore your_domain.jks

Change Keystore Password

# Change PKCS12 keystore password
keytool -storepasswd -keystore your_domain.p12 -storetype PKCS12

# Change JKS keystore password
keytool -storepasswd -keystore your_domain.jks

Import Intermediate Certificate

# Import intermediate certificate into PKCS12
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore your_domain.p12 -storetype PKCS12

# Import intermediate certificate into JKS
keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore your_domain.jks

# Note: this stores the intermediate as a separate trusted entry; it does not attach it to the
# server key's certificate chain. To serve the full chain, include the intermediate when the
# PKCS12 is created (the fullchain.crt step under Certificate Format Conversion).

TLS Protocol Configuration

Enable TLS 1.2 and TLS 1.3 (Tomcat 9+)

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           sslProtocol="TLS"
           ... />

Disable Insecure Protocols

<!-- Listing only TLSv1.2 and TLSv1.3 in sslEnabledProtocols leaves SSLv3, TLSv1.0 and TLSv1.1 disabled -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           sslProtocol="TLS"
           ... />
⚠️ Security Recommendations:
  • Disable SSLv2, SSLv3, TLSv1.0, TLSv1.1
  • Only enable TLS 1.2 and TLS 1.3
  • Use strong cipher suites
  • Regularly update Tomcat and Java versions

HTTP to HTTPS Redirect

Configure Redirect using web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Entire Application</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

Configure HTTP Connector Redirect Port

<Connector port="8080"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="8443" />
💡 Note: Once redirectPort is configured, Tomcat automatically redirects HTTP requests that match the CONFIDENTIAL security constraint above to the HTTPS port.

Best Practices

  • Use PKCS12 format keystore (Tomcat 9+)
  • Place keystore files in secure location, set appropriate file permissions (600)
  • Use strong password to protect keystore
  • Only enable TLS 1.2 and TLS 1.3
  • Use strong cipher suites
  • Use standard HTTPS port 443 in production environment
  • Configure automatic redirect from HTTP to HTTPS
  • Regularly update Tomcat and Java versions
  • Monitor certificate expiration, renew in time
  • Use HSTS header to enhance security

Security Configuration Example (Tomcat 9+)

<!-- keystore.pass is a Tomcat property: set it in conf/catalina.properties, via -Dkeystore.pass=...,
     or through a PropertySource such as org.apache.tomcat.util.digester.EnvironmentPropertySource,
     so the password itself never appears in server.xml -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/etc/tomcat/ssl/your_domain.p12"
           keystorePass="${keystore.pass}"
           keystoreType="PKCS12"
           clientAuth="false"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2,TLSv1.3"
           ciphers="TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"
           maxHttpHeaderSize="8192" />
📝 Notes:
  • Use environment variables or external files to store passwords; avoid storing them in plain text in configuration files
  • Using the standard port 443 requires root privileges or a port-forwarding configuration
  • Configure strong cipher suites to improve security
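The connector attributes, the protocol and cipher recommendations and the best practices above can be checked mechanically. The following script is an added example (not from the original page): it reads a server.xml, finds every SSLEnabled connector and reports deviations from the recommendations. The policy sets and the sample server.xml are this example's constructions, not Tomcat defaults or project files.

```python
# Added example, not from the original page: lint the SSLEnabled connectors in a
# Tomcat server.xml against the recommendations above (assumed policy, not Tomcat's).
import xml.etree.ElementTree as ET

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
# TLS 1.3 suites and forward-secret AEAD TLS 1.2 suites (JSSE names, as on this page)
STRONG_CIPHERS = {
    "TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
}

def _csv(value):  # tolerate the "a, b" spacing seen in some server.xml files
    return {item.strip() for item in value.split(",") if item.strip()}

def lint_connector(attrs):
    """Return a list of findings for one <Connector> attribute dict."""
    findings = []
    protos = _csv(attrs.get("sslEnabledProtocols", ""))
    if not protos:
        findings.append("sslEnabledProtocols unset: JVM defaults decide the TLS versions")
    elif protos - ALLOWED_PROTOCOLS:
        findings.append("insecure protocols enabled: " + ", ".join(sorted(protos - ALLOWED_PROTOCOLS)))
    ciphers = _csv(attrs.get("ciphers", ""))
    if not ciphers:
        findings.append("ciphers unset: JVM default cipher list will be used")
    elif ciphers - STRONG_CIPHERS:
        findings.append("weak or unknown cipher suites: " + ", ".join(sorted(ciphers - STRONG_CIPHERS)))
    if attrs.get("keystoreType", "JKS").upper() != "PKCS12":  # Tomcat's default type is JKS
        findings.append("keystoreType is not PKCS12")
    password = attrs.get("keystorePass", "")
    if password and not password.startswith("${"):
        findings.append("keystorePass is stored in plain text; use a ${property} reference")
    return findings

def lint_server_xml(xml_text):
    """Map each SSLEnabled connector's port to its findings; plain HTTP connectors are skipped."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): lint_connector(c.attrib) for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"}

# Constructed sample server.xml: one weak connector and one following the page's advice
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
  <Connector port="8443" SSLEnabled="true" keystoreFile="/path/k.jks" keystorePass="password"
             sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
  <Connector port="443" SSLEnabled="true" keystoreFile="/etc/tomcat/ssl/d.p12" keystoreType="PKCS12"
             keystorePass="${keystore.pass}" sslEnabledProtocols="TLSv1.2,TLSv1.3"
             ciphers="TLS_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"/>
</Service></Server>"""
```

Running `lint_server_xml(SAMPLE_SERVER_XML)` reports four findings for port 8443 and none for port 443; point it at a real server.xml with `lint_server_xml(open("conf/server.xml").read())`.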

Troubleshooting

Problem 1: Certificate Format Error

Error: java.io.IOException: keystore was tampered with, or password was incorrect

Solution:

1. Check that the keystore file path is correct
2. Confirm that the keystore password is correct
3. Verify that the keystore format matches (PKCS12 or JKS)
4. Use keytool -list to verify that the keystore is valid

Problem 2: Port Conflict

Error: Address already in use

Solution:

1. Check whether the port is occupied by another process: netstat -tulpn | grep 8443
2. Modify the port number in server.xml
3. Stop the process occupying the port

Problem 3: TLS Handshake Failed

Error: javax.net.ssl.SSLHandshakeException

Solution:

1. Check that the certificate chain is complete (includes the intermediate certificate)
2. Verify that the certificate has not expired
3. Confirm that the enabled TLS protocol versions match
4. Check the cipher suite configuration

Problem 4: Tomcat 10 Compatibility Issues

Problem: Application cannot run after upgrading from Tomcat 9 to Tomcat 10

Solution:

1. Tomcat 10 uses Jakarta EE; update all javax.* imports to jakarta.*
2. Update all dependency libraries to versions supporting Jakarta EE
3. Recompile and redeploy the application
4. If migration is not possible, continue using Tomcat 9