There are lots of tutorials on how to properly configure the Apache httpd for SSL, but not so many for the Apache Tomcat application server. Since the configuration is totally different from Apache httpd's configuration, here is a complete tutorial for creating the private key, the SSL certificate, converting the PEM format into Java's keystore format, using the intermediate certificate with Apache Tomcat, and how to configure optimal and secure settings in Tomcat's server.xml configuration file.

Create the private key and the SSL certificate

Most Apache Tomcat-related tutorials explain how to create the private key, the CSR and the certificate (CRT) using Java's keytool program. This tutorial shows how to do it with openssl instead.

Create the private key:

$ openssl genrsa -out server.key 4096
Generating RSA private key, 4096 bit long modulus
........................................................+++
..+++
e is 65537 (0x10001)
$

Create the CSR using the private key from the previous step. Remember to request a SHA256 signature (-sha256): the default setting of SHA1 is now considered insecure.

$ openssl req -new -key server.key -out server.csr -sha256
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:NRW
Locality Name (eg, city) []:Brueggen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Arne Schirmacher
Organizational Unit Name (eg, section) []:.
Common Name (eg, YOUR name) []:www.schirmacher.de
Email Address []:arne@schirmacher.de
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:.
An optional company name []:.
$

The generated CSR file must then be used to order an official SSL certificate.

Import private key, certificate and intermediate certificate into keystore

The SSL certificate and the intermediate certificate are usually delivered in PEM format. Tomcat cannot use them directly; they must be converted into Java's keystore format.

Note

Use the same password for exporting to the p12 file and for importing in the keystore file. It does not work if the passwords are different.

To convert the PEM format to the Java keystore format, run this command:

$ openssl pkcs12 -export -in my_domain_name.crt -inkey my_domain_name.key -certfile my_domain_name.cabundle -name tomcat -out my_domain_name.p12
Enter Export Password: ********
Verifying - Enter Export Password: ********

This will store the private key, the certificate and the intermediate in a PKCS12 format file, which can then be converted into the keystore format required by Java and Tomcat:

$ keytool -importkeystore -srckeystore my_domain_name.p12 -srcstoretype pkcs12 -destkeystore keystore
Enter destination keystore password: ********
Re-enter new password: ********
Enter source keystore password: ********
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

The resulting keystore file now contains the private key, the server certificate and the intermediate certificate under the alias tomcat.
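The key, CSR, PKCS12 and keystore steps above, collected into one script as an added example (not part of the original tutorial). Because the commercial CA cannot be reached offline, the script constructs a throwaway local root and intermediate CA to sign the CSR; the host name, the organisation, the password changeit and the working directory under /tmp are constructed values. After the steps it runs the checks worth doing before server.xml points at the keystore: that the CSR really carries a SHA256 signature, that the public key in the certificate matches the private key, that the chain verifies through the intermediate, and that the .p12 contains both the server and the intermediate certificate. The keytool import is skipped when no JDK is installed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the tutorial's key, CSR,
# PKCS12 and keystore steps as one script, followed by the checks worth
# running before server.xml points at the keystore. The commercial CA is
# replaced by a constructed local root + intermediate CA so it runs offline.
set -eu

WORK="${TMPDIR:-/tmp}/tomcat-ssl-example"   # constructed working directory
PASS="changeit"         # constructed; same password for the .p12 export and the keystore import
HOST="www.example.com"  # constructed host name for the CSR's Common Name

# Steps 1 and 2 of the tutorial, non-interactive (-subj replaces the prompts).
make_key_and_csr() {
    openssl genrsa -out "$WORK/server.key" 4096 2>/dev/null
    openssl req -new -sha256 -key "$WORK/server.key" -out "$WORK/server.csr" \
        -subj "/C=DE/ST=NRW/O=Example Org/CN=$HOST"
}

# Stand-in for the CA that would sign the real CSR: a self-signed root and an
# intermediate with CA:TRUE, so the chain has the same shape as a commercial one.
make_test_ca() {
    openssl req -x509 -new -sha256 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" -subj "/CN=Example Test Root"
    openssl req -new -sha256 -newkey rsa:2048 -nodes \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" -subj "/CN=Example Test Intermediate"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -sha256 -days 30 -in "$WORK/inter.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt"
}

# The CA signs the server CSR with the intermediate (what the order step yields).
sign_csr() {
    openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" -CA "$WORK/inter.crt" \
        -CAkey "$WORK/inter.key" -CAcreateserial -out "$WORK/server.crt"
}

# Tutorial step: bundle key, certificate and intermediate into a PKCS12 file.
make_p12() {
    openssl pkcs12 -export -in "$WORK/server.crt" -inkey "$WORK/server.key" \
        -certfile "$WORK/inter.crt" -name tomcat -out "$WORK/server.p12" -passout "pass:$PASS"
}

# Tutorial step: convert the PKCS12 file into a Java keystore (skipped without a JDK).
import_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found, keystore step skipped" >&2; return 0; }
    rm -f "$WORK/keystore"
    keytool -importkeystore -srckeystore "$WORK/server.p12" -srcstoretype pkcs12 \
        -srcstorepass "$PASS" -destkeystore "$WORK/keystore" -deststorepass "$PASS" -noprompt
    keytool -list -keystore "$WORK/keystore" -storepass "$PASS" -alias tomcat
}

# --- checks -----------------------------------------------------------------
# Signature algorithm of the CSR; must be sha256WithRSAEncryption, not sha1.
csr_signature_algorithm() {
    openssl req -in "$WORK/server.csr" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}
# The public key inside the certificate equals the public key of server.key.
key_matches_cert() {
    [ "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$WORK/server.crt" -pubkey -noout)" ]
}
# The server certificate chains to the root through the intermediate.
chain_verifies() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" "$WORK/server.crt" >/dev/null
}
# Number of certificates in the .p12: 2 means the intermediate was bundled.
p12_cert_count() {
    openssl pkcs12 -in "$WORK/server.p12" -nokeys -passin "pass:$PASS" | grep -c 'BEGIN CERTIFICATE'
}

if command -v openssl >/dev/null 2>&1; then
    mkdir -p "$WORK"
    make_key_and_csr; make_test_ca; sign_csr; make_p12; import_keystore
    echo "CSR signature: $(csr_signature_algorithm)"
    key_matches_cert && echo "private key matches certificate"
    chain_verifies   && echo "chain verifies against the test root"
    echo "certificates in server.p12: $(p12_cert_count)"
else
    echo "openssl not found, nothing done" >&2
fi
```

For a real certificate, drop make_test_ca and sign_csr, send server.csr to the CA, and put the delivered certificate and CA bundle in place of server.crt and inter.crt; the four checks stay the same, with the CA's root in place of root.crt for chain_verifies.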

Secure SSL parameters for Apache Tomcat

The SSL example configuration in Apache Tomcat's server.xml file contains only the basic required settings. It works, but it also enables a few obsolete and less secure SSL ciphers. Therefore the allowed ciphers have to be set explicitly. Unfortunately there is no shorthand notation for groups of ciphers as in Apache httpd, so every single cipher has to be named.

        <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
              ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
              TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
              TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
              TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
              TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
              TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
              TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
              TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,
              TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
              useBodyEncodingForURI="true" keystoreFile="/path/to/keystore" keystorePass="changeit"/>

The list of ciphers is recommended by http://blog.bitmelt.com/2013/11/tomcat-ssl-hardening.html, which also provides some more insights on Tomcat and SSL ciphers.
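An added example (not from the original post or the bitmelt article) that reads the ciphers attribute out of a Connector and flags two properties that TLS scanners commonly mark down: suites without forward secrecy (static RSA or static ECDH key exchange, i.e. the TLS_RSA_* and TLS_ECDH_* names) and suites using 3DES. The sample server.xml is constructed here from the Connector above and written under /tmp; run the functions against your own server.xml instead.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: audit the ciphers="..."
# attribute of a Tomcat <Connector> for suites that lack forward secrecy
# (static RSA or static ECDH key exchange) or use 3DES.

# extract_ciphers FILE: print the suite names of the ciphers="..." attribute
# in FILE, one per line, with line breaks and blanks removed (Tomcat itself
# also trims each name). With several Connectors the last attribute is used.
extract_ciphers() {
    tr -d '\n\r' < "$1" \
        | sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' \
        | tr ',' '\n' \
        | tr -d ' \t' \
        | grep -v '^$'
}

# classify_cipher SUITE: print the findings for one suite name, or "ok".
classify_cipher() {
    findings=""
    case "$1" in
        TLS_ECDHE_*|TLS_DHE_*) ;;                  # ephemeral (EC)DH: forward secrecy
        *) findings="no-forward-secrecy" ;;      # TLS_RSA_*, TLS_ECDH_*, TLS_DH_*
    esac
    case "$1" in
        *_3DES_*) findings="${findings:+$findings,}3des" ;;   # 64-bit block cipher
    esac
    printf '%s\n' "${findings:-ok}"
}

# audit_ciphers FILE: "SUITE<TAB>findings" for every configured suite.
audit_ciphers() {
    extract_ciphers "$1" | while IFS= read -r suite; do
        printf '%s\t%s\n' "$suite" "$(classify_cipher "$suite")"
    done
}

# count_* FILE: summary numbers, usable from scripts and tests.
count_suites() { extract_ciphers "$1" | awk 'END { print NR }'; }
count_no_fs()  { audit_ciphers "$1" | awk -F '\t' '$2 ~ /no-forward-secrecy/ { n++ } END { print n+0 }'; }
count_3des()   { audit_ciphers "$1" | awk -F '\t' '$2 ~ /3des/ { n++ } END { print n+0 }'; }
count_clean()  { audit_ciphers "$1" | awk -F '\t' '$2 == "ok" { n++ } END { print n+0 }'; }

# Constructed sample: the Connector from this tutorial, written to a temp file.
SAMPLE="${TMPDIR:-/tmp}/tomcat-cipher-audit-sample.xml"
cat > "$SAMPLE" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
      maxHttpHeaderSize="8192" SSLEnabled="true"
      maxThreads="150" minSpareThreads="25"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,
      TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,
      TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,
      TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,
      TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA"
      useBodyEncodingForURI="true" keystoreFile="/path/to/keystore" keystorePass="changeit"/>
EOF

audit_ciphers "$SAMPLE"
printf '%s suites: %s without forward secrecy, %s with 3DES, %s clean\n' \
    "$(count_suites "$SAMPLE")" "$(count_no_fs "$SAMPLE")" \
    "$(count_3des "$SAMPLE")" "$(count_clean "$SAMPLE")"
```

On the Connector above this reports 35 suites, of which 21 lack forward secrecy and 5 use 3DES, leaving 12 ECDHE AES suites without a finding. Removing the flagged suites from the ciphers attribute is the usual first step when tightening such a list; re-run the audit afterwards and confirm with a TLS scan that the clients you need can still connect.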

Test with SSL Labs

My Tomcat instance with these settings is rated 'A-' by SSL Labs, which is good enough for my purposes.


1 Comment

  1. Anonymous

    Hello, this tutorial really helped me. But which settings are needed for an A+ in SSLLabs?