Posts published in “tomcat”

Self signed SSL cert for Apache Tomcat

The simplest way I know of to create and self-sign an SSL certificate for your Apache Tomcat server, in two simple steps.

Step 1. ($JAVA_HOME should already be set in your tomcat user's ~/.bash_profile; otherwise replace it with the full path to keytool.)

#  $JAVA_HOME/bin/keytool  -genkeypair  -validity 3650  -alias tomcat  -keyalg  RSA

password:  specify a password
name:  use the full <hostname> domain name
organizational unit:
Select ‘y’ to confirm the details.

Press the ‘Enter’ key when asked for a password for the alias ‘tomcat’.

A keystore called .keystore (a hidden file) will be created in the user's home directory; move it to <tomcat_home_dir>/conf/.

Step 2.
Uncomment the ‘SSL HTTP/1.1 Connector on port 8443’ section in <tomcat_home_dir>/conf/server.xml and add parameters so that it resembles the following:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" enableLookups="false" disableUploadTimeout="true" acceptCount="100" clientAuth="false" sslProtocol="TLS" URIEncoding="UTF-8" keystorePass="<password_from_Step1>" keystoreFile="<tomcat_home_dir>/conf/.keystore" />

Restart Tomcat and point your browser at the server on port 8443 over https to verify the cert. Doesn't get any simpler than that.

apache-Tomcat error on starting after changing the SSL Key / Keystore

The keystore password and the SSL key password must match what is listed in ~/conf/server.xml, otherwise Tomcat fails at startup with:

SEVERE: Error starting endpoint Cannot recover key

at org.apache.coyote.http11.Http11Protocol.start(
at org.apache.catalina.connector.Connector.start(
at org.apache.catalina.core.StandardService.start(
at org.apache.catalina.core.StandardServer.start(
at org.apache.catalina.startup.Catalina.start(
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(
at sun.reflect.DelegatingMethodAccessorImpl.invoke(
at java.lang.reflect.Method.invoke(
at org.apache.catalina.startup.Bootstrap.start(
at org.apache.catalina.startup.Bootstrap.main(


Fix via keytool with the passwords given on the command line; changing the password interactively via the CLI generates an error saying they must be different.

keytool -keypasswd -alias your_alias -keypass old_passwd -new new_passwd -keystore ./keystore
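The two posts above are two sides of the same setup: Step 1 creates the keystore, Step 2 points the 8443 connector at it, and the "Cannot recover key" post is what happens when the key's own password is not the one the connector uses. The script below is an added example written for this page, not code from either post. It builds the Step 1 and keypasswd commands non-interactively, parses server.xml for SSL-enabled connectors, and probes the keystore the way Tomcat will use it. Assumptions: keytool is on PATH for the live checks (the static checks run without it); the alias is "tomcat" as in Step 1; Tomcat falls back to keystorePass for the key when the connector sets no keyPass, and to "changeit" when keystorePass is absent; passwords are handed to keytool through its :env form rather than as clear-text arguments, which the posts do not do. The SAMPLE_SERVER_XML is a constructed sample.

```python
"""Tomcat TLS setup checks (added example; not code from either post above)."""
import os
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of the Step 2 connector, not a real server.xml
SAMPLE_SERVER_XML = """<Server port="8005"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" />
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
             secure="true" clientAuth="false" sslProtocol="TLS"
             keystorePass="s3cret" keystoreFile="conf/.keystore" />
</Service></Server>"""


def genkeypair_argv(hostname, keystore, alias="tomcat", days=3650):
    """Step 1 without prompts: DN and SAN given up front (browsers match the
    hostname against the SAN, not the CN); both passwords read from $KS_PASS
    via keytool's :env form, so they never show up in `ps` or shell history."""
    return ["keytool", "-genkeypair", "-alias", alias, "-keyalg", "RSA",
            "-keysize", "2048", "-validity", str(days), "-keystore", keystore,
            "-dname", "CN=" + hostname, "-ext", "SAN=dns:" + hostname,
            "-storepass:env", "KS_PASS", "-keypass:env", "KS_PASS"]


def keypasswd_argv(keystore, alias="tomcat"):
    """The fix from the second post, with :env instead of clear-text arguments:
    the key password goes from $OLD_KEY_PASS to $KS_PASS (= keystorePass)."""
    return ["keytool", "-keypasswd", "-keystore", keystore, "-alias", alias,
            "-storepass:env", "KS_PASS", "-keypass:env", "OLD_KEY_PASS",
            "-new:env", "KS_PASS"]


def find_tls_connectors(server_xml_text):
    """One dict per <Connector SSLEnabled="true">, with Tomcat's defaults filled in."""
    found = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        store_pass = conn.get("keystorePass", "changeit")  # Tomcat's default
        found.append({"port": conn.get("port"),
                      "keystoreFile": conn.get("keystoreFile"),  # None -> ~/.keystore
                      "keystorePass": store_pass,
                      "keyPass": conn.get("keyPass", store_pass),  # falls back to keystorePass
                      "keyAlias": conn.get("keyAlias", "tomcat")})  # alias from Step 1 (assumed)
    return found


def resolve_keystore(conn, catalina_base):
    """Tomcat resolves a relative keystoreFile against $CATALINA_BASE."""
    path = conn["keystoreFile"]
    if path is None:
        return os.path.expanduser("~/.keystore")
    return path if os.path.isabs(path) else os.path.join(catalina_base, path)


def static_findings(conn, catalina_base):
    """Problems visible from server.xml alone: unreplaced <placeholders> from the
    post's template and a keystore that is not where the connector says it is."""
    findings = ["%s still holds the placeholder %s" % (k, conn[k])
                for k in ("keystoreFile", "keystorePass")
                if conn[k] and conn[k].startswith("<")]
    path = resolve_keystore(conn, catalina_base)
    if not os.path.isfile(path):
        findings.append("keystore not found: " + path)
    return findings


def keytool_findings(conn, keystore_path):
    """Live checks: -list proves keystorePass opens the store; -certreq has to
    sign with the private key, so it fails exactly when Tomcat would log
    'Cannot recover key' (the key's password is not the one the connector uses)."""
    kt = shutil.which("keytool")
    if kt is None:
        return ["keytool not on PATH; live checks skipped"]
    env = dict(os.environ, KS_PASS=conn["keystorePass"], KEY_PASS=conn["keyPass"])
    common = [kt, "-keystore", keystore_path, "-alias", conn["keyAlias"],
              "-storepass:env", "KS_PASS"]
    r = subprocess.run(common + ["-list"], capture_output=True, text=True, env=env)
    if r.returncode != 0:
        return ["keystorePass or alias rejected: " + r.stderr.strip()]
    with tempfile.TemporaryDirectory() as tmp:
        r = subprocess.run(common + ["-certreq", "-keypass:env", "KEY_PASS",
                                     "-file", os.path.join(tmp, "probe.csr")],
                           capture_output=True, text=True, env=env)
    if r.returncode != 0:
        return ["key password mismatch (Tomcat: 'Cannot recover key'); realign with: "
                + " ".join(keypasswd_argv(keystore_path, conn["keyAlias"]))]
    return []


def check_server_xml(path, catalina_base):
    """Static checks first; live keytool checks only when those pass.
    Returns {connector port: [findings]} with an empty list meaning OK."""
    with open(path) as fh:
        connectors = find_tls_connectors(fh.read())
    report = {}
    for conn in connectors:
        findings = static_findings(conn, catalina_base)
        if not findings:
            findings = keytool_findings(conn, resolve_keystore(conn, catalina_base))
        report[conn["port"]] = findings
    return report
```

Run it as check_server_xml(os.path.join(base, "conf", "server.xml"), base) with base set to the Tomcat installation directory; an empty findings list for port 8443 means the connector, the keystore and both passwords agree, which is exactly the condition the "Cannot recover key" post is about. Because server.xml carries keystorePass in clear text, keep it readable only by the tomcat user; the :env form in the generated commands keeps the same password out of process listings and shell history, where a plain -storepass would leave it.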