* Create a self-signed keystore named tomcat.keystore in the %CATALINA_HOME%\conf directory.
keytool.exe -genkey -alias tomcat -keyalg RSA -storepass changeit -keypass changeit -dname "cn=localhost" -keystore tomcat.keystore
* Configure Tomcat conf/server.xml to use the generated keystore:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:/prog/apache-tomcat-5.5.29/conf/tomcat.keystore" keystorePass="changeit" />
For two-way SSL (client certificate authentication)
* Import trusted certificate(s) into truststore named tomcat.truststore in the %CATALINA_HOME%\conf directory.
keytool.exe -import -v -keystore tomcat.truststore -alias client -storepass changeit -file client.cert
* Configure Tomcat conf/server.xml to use both the keystore and the truststore:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" clientAuth="true" sslProtocol="TLS"
           truststoreFile="C:/prog/apache-tomcat-5.5.29/conf/tomcat.truststore" truststorePass="changeit"
           keystoreFile="C:/prog/apache-tomcat-5.5.29/conf/tomcat.keystore" keystorePass="changeit" />
* Restart Tomcat
* Test by pointing browser to https://localhost:8443
Errors
ssl_error_rx_record_too_long
* When pointing the browser to https://localhost:8443, the browser gives the error message:
SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long)
* Possible causes:
– The truststoreFile attribute is not set up correctly.
– The truststoreFile value needs to be a full path; a partial path does not seem to work.
– In a Windows environment, the path needs to use Unix-style slashes, i.e. / NOT \.
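As an added example (not part of the original notes), a small Python lint that reads server.xml and flags the Connector mistakes listed under Errors: a partial or backslash store path, a doubled slash, a missing truststoreFile when clientAuth="true", and, as an extra check, the default "changeit" store password the notes use. The function names and the embedded server.xml fragment are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment: the two-way SSL Connector from the notes
# with the Errors-section pitfalls present (backslash keystore path, partial
# truststore path) and the default "changeit" store passwords.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true" clientAuth="true"
             sslProtocol="TLS"
             keystoreFile="C:\\prog\\apache-tomcat-5.5.29\\conf\\tomcat.keystore"
             keystorePass="changeit"
             truststoreFile="conf/tomcat.truststore"
             truststorePass="changeit" />
</Service></Server>"""

WINDOWS_ABS = re.compile(r"^[A-Za-z]:[/\\]")  # drive-letter path, either slash style


def check_store_path(attr, value):
    """Findings for one keystoreFile/truststoreFile value (see Errors section)."""
    findings = []
    if "\\" in value:
        findings.append(f"{attr}: path must use / not \\")
    if not (value.startswith("/") or WINDOWS_ABS.match(value)):
        findings.append(f"{attr}: path must be a full path, not a partial one")
    if "//" in value:
        findings.append(f"{attr}: path contains a doubled slash")
    return findings


def lint_connectors(server_xml):
    """Lint each https Connector for the misconfigurations behind
    ssl_error_rx_record_too_long, plus default store passwords."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        port = conn.get("port", "?")
        # keystoreFile is required for any HTTPS connector
        ks = conn.get("keystoreFile")
        findings += check_store_path("keystoreFile", ks) if ks else [f"port {port}: keystoreFile missing"]
        # truststoreFile is required once clientAuth="true"
        if conn.get("clientAuth") == "true":
            ts = conn.get("truststoreFile")
            findings += check_store_path("truststoreFile", ts) if ts else [f"port {port}: truststoreFile missing"]
        for pw in ("keystorePass", "truststorePass"):
            if conn.get(pw) == "changeit":
                findings.append(f"port {port}: {pw} is the default 'changeit'")
    return findings
```

Run it against the real %CATALINA_HOME%/conf/server.xml by passing the file contents to lint_connectors; an empty list means none of the listed pitfalls was found.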