HTTPS

Common steps

1. Prepare

  • Before an HTTPS connection is created and linked to a Java Key Store (JKS), make a backup of the multiserver.conf file.
  • Use CMD to add Keytool to your PATH (substitute the real path to keytool), e.g.:
SET PATH=%PATH%;%PROGRAMFILES%\java\jre8\bin

2. Generate an X509 Certificate and Keystore

keytool -genkey -alias noodle.domain.tld -keysize 2048 -validity 365 -keyalg RSA -keystore noodle.pfx

SNI (serving several hostnames, each with its own certificate, from one connector) is achieved with multiple SSLHostConfig elements.
Once this command has been entered, Keytool will ask some questions about your organization. Enter the information as follows:

  • Keystore Password: The first time you run this tool, it will create the keystore file protected by a password. You will need this password every time you access the keystore file.
  • First and Last name: the domain name, for example noodle.domain.tld.
  • Name of organizational unit: This is not the company name, but may be an internal department, e.g. Marketing Department.
  • Name of your organization: Your company name, e.g. Vialect Inc.
  • City or location, e.g. Windsor
  • State or Province, e.g. Ontario
  • 2-Letter Country code, e.g. CA
  • Certificate password: This can be the same as the password for the keystore file.

3. Get your Certificate signed

Popular Certificate Authorities (CAs) include Let's Encrypt, Thawte, VeriSign, GoDaddy and Network Solutions.

  • Make a certificate signing request (CSR). Use a SHA-2 signature algorithm: keytool warns on MD5withRSA and CAs reject MD5-signed requests:
keytool -certreq -sigalg SHA256withRSA -alias noodle.domain.tld -keystore noodle.pfx -file noodlecert.csr

Select "Tomcat" as the format when downloading your signed certificate from your CA.

  • Import root certificates, if required:
keytool -import -alias carootcert -trustcacerts -file ca-root.crt -keystore noodle.pfx
  • Import intermediate certificates, if required:
keytool -import -alias intermediate -trustcacerts -file intermediate.crt -keystore noodle.pfx
  • Apply the Certificate Signature:
keytool -import -alias noodle.domain.tld -trustcacerts -file noodlecert.crt -keystore noodle.pfx

4. Create a HTTPS Connection

Edit server.xml by adding and adjusting the following example. The defaultSSLHostConfigName on the Connector must match the hostName of one of its SSLHostConfig elements, and the keystore path and password must match the file created in step 2:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" defaultSSLHostConfigName="null" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig hostName="null" protocols="TLSv1.2,TLSv1.3">
        <Certificate type="RSA" certificateKeystoreFile="/opt/Noodle/noodle.pfx" certificateKeystorePassword="123456"/>
    </SSLHostConfig>
</Connector>

Noodle can now be accessed over HTTPS.

Options

Let's Encrypt

Consider a free CA-signed (not self-signed) certificate from Let's Encrypt rather than running without TLS. server.xml example using the PEM files that Let's Encrypt produces:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443" defaultSSLHostConfigName="noodle.domain.tld" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig hostName="noodle.domain.tld" protocols="TLSv1.2,TLSv1.3">
        <Certificate
            certificateKeyFile="/etc/letsencrypt/live/noodle.domain.tld/privkey.pem"
            certificateFile="/etc/letsencrypt/live/noodle.domain.tld/cert.pem"
            certificateChainFile="/etc/letsencrypt/live/noodle.domain.tld/fullchain.pem"
            type="RSA" />
    </SSLHostConfig>
</Connector>
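Both Connector forms above (keystore-based and PEM-based) share the same failure points: a defaultSSLHostConfigName that matches no SSLHostConfig hostName, a protocols list that is not pinned to TLSv1.2/TLSv1.3, or a Certificate element missing its key material. The following script is an added example (not Noodle's or Tomcat's own code) that lints those points in a server.xml; the sample XML embedded in it is constructed for the demonstration, and the hostnames, ports and password in it are placeholders.

```python
import xml.etree.ElementTree as ET
from typing import List

ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def lint_connectors(server_xml: str) -> List[str]:
    """Return findings for every SSLEnabled Connector in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        hosts = conn.findall("SSLHostConfig")
        # Tomcat defaults both names to "_default_"; they must match or the
        # connector refuses to start.
        default_name = conn.get("defaultSSLHostConfigName", "_default_")
        names = {h.get("hostName", "_default_") for h in hosts}
        if default_name not in names:
            findings.append(f"port {port}: defaultSSLHostConfigName {default_name!r} "
                            f"matches no SSLHostConfig hostName {sorted(names)}")
        for host in hosts:
            name = host.get("hostName", "_default_")
            # Tomcat's default of "all" leaves protocol choice to the TLS provider;
            # the page pins TLSv1.2 and TLSv1.3, so anything else is flagged.
            protocols = {p.strip() for p in host.get("protocols", "all").split(",")}
            if protocols - ALLOWED_PROTOCOLS:
                findings.append(f"port {port} host {name}: protocols {sorted(protocols)} "
                                "not restricted to TLSv1.2,TLSv1.3")
            for cert in host.findall("Certificate"):
                keystore = cert.get("certificateKeystoreFile")
                pem_pair = cert.get("certificateKeyFile") and cert.get("certificateFile")
                if not (keystore or pem_pair):
                    findings.append(f"port {port} host {name}: Certificate lacks "
                                    "certificateKeystoreFile or certificateKeyFile+certificateFile")
    return findings

# Constructed sample: the first connector follows the page, the second has three mistakes.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="443"
           defaultSSLHostConfigName="noodle.domain.tld" SSLEnabled="true">
  <SSLHostConfig hostName="noodle.domain.tld" protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="/opt/Noodle/noodle.pfx"
                 certificateKeystorePassword="example-password" type="RSA"/>
  </SSLHostConfig></Connector>
<Connector port="8443" defaultSSLHostConfigName="intranet.example" SSLEnabled="true">
  <SSLHostConfig hostName="noodle.domain.tld" protocols="all"><Certificate type="RSA"/></SSLHostConfig>
</Connector></Service></Server>"""

if __name__ == "__main__":
    for finding in lint_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a real server.xml by reading the file into a string and passing it to lint_connectors; an empty list means the three checks passed.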

Linux script

example

Redirect HTTP to HTTPS

Read how here.

Use Strong Encryption

Read how here.

Converting

Converting is not required: JKS, PFX (PKCS#12) and PEM are all supported.