Sunday, June 7, 2020

Create a Self-Signed free SSL certificate for Tomcat on CentOS Linux using Let's Encrypt.

How to Install and configure a free SSL/TLS certificate for Tomcat using Let's Encrypt on Centos Linux.

In this tutorial, we are going to create and set up a free SSL/TLS certificate on the Linux CentOS server. We are using Let's Encrypt for this which provides the free SSL and is valid for 90 days. You can renew it during that time duration. We will show how to renew it too. You can find about Let's Encrypt from here.

This service is used by many people to secure their website worldwide so, it's totally trust-worthy and supported if you can't afford from other paid service provider.

2. prerequisites:

We consider you already have the following setup.

  1. Running CentOS server
  2. Running tomcat server
  3. Domain pointed to the server Ip address

3. Install Certbort and create an SSL certificate:

First, SSH into to the running CentOS server where you want to create your SSL certificate. To create an SSL certificate, we need to first install Certbort on the server so, let's do it. I recommend selecting the desired version from here, which will give the command to install Certbot.

Install Certbot:
yum -y install yum-utils
     yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional 
     sudo yum install certbot

Create a certificate:

If you have already running service which uses port 80 stop it. To obtain an SSL certificate for your domain using a built-in "standalone" webserver type the following command:
sudo certbot certonly --standalone -d
Here, replace the domain name you want to secure instead of 

which will create the following certificate file to the directory:"/etc/letsencrypt/live/"
cert.pem, chain.pem, fullchain.pem, privkey.pem.

Now, logged in as root user and go to that directory

sudo -i
cd /etc/letsencrypt/live/

Next step is to convert those certificate PEM file to password-based PFX format so that we can use in tomcat configuration. We can do this by using the OpenSSL command as below.
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Replace the password with your desired one. It will create a password-protected file bundle.pfx under the same directory "/etc/letsencrypt/live/" which we need to use in tomcat configuration.


4. Tomcat configuration for HTTPs:

Go to your tomcat directory, and backup the server.xml file; as we are going to change the file.
cp conf/server.xml conf/server-copy.xml
Edit the server.xml file.
sudo vi conf/server.xml  // no need to type sudo if you are logged in as root user
You can see the following commented XML tag, which we are going to change:

For Tomcat 7:

For tomcat 8:

Add the following changes near to the above XML tag or you can simply change that XML tag as below.

Here, we are changing port 8443 to 443, keystoreType as "PKCS12", keystoreFile as the path of the pfx file created previously and keystorePass as your password that we used while creating PFX file. 

Change the port 8080 to 80:

Under server.xml you can find the following tag.

change the above XML tag as below:

Here, we are changing the port from 8080 to 80 and 8443 to 443. By doing so, if your domain running with port 8080 i.e, now it will open with port 80 i.e If you type your domain in the browser then you can run it with both HTTP and https i.e and

Save the server.xml file by clicking "Esc" key and type ":wq!" and hit Enter.

As we want to always redirect our domain to https. To do so, open the web.xml file under conf/web.xml.

sudo vi conf/web.xml
Click "Shift + G" to go the end of the file and add the below code at the end of the file as below.
  <web-resource-name>Entire Application</web-resource-name>
  <!--auth-constraint goes here if you requre authentication-->

Save the file. This will always redirect to HTTPs.

5. Renew certificate:

The certificate is valid for only 90 days so we need to renew before expiry. For this, stop tomcat and type the following command:
sudo certbot renew
sudo -i
cd /etc/letsencrypt/live/
openssl pkcs12 -export -out bundle.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -password pass:password
Don't forget to use your existing password. And restart the tomcat server.


1 comment: