Overview
This guide explains how to configure HTTPS (SSL/TLS) for an application server using a certificate issued by a Certificate Authority (CA) and the Java keytool utility.
The process includes:
1) Creating a keystore and generating a private key
2) Generating a Certificate Signing Request (CSR)
3) Importing signed certificates from the Certificate Authority
4) Configuring the application server to use the keystore
5) Testing the HTTPS connection
⚠️ The exact configuration of the application server may vary depending on the server software being used.
Always verify SSL configuration compatibility with your specific application server.
1. Create a Keystore and Private Key
Use the Java keytool utility to create a keystore and generate a key pair.
keytool -genkeypair -alias <key_alias> -keyalg RSA -keysize 2048 -keystore <keystore_file> -validity 365
Paramaters explanation
| Parameter | Description |
|---|---|
-genkeypair |
Creates a new key pair (private key + self-signed certificate). |
-alias <key_alias> |
Unique name identifying the key inside the keystore. This alias will later be used by the application server to locate the private key. |
-keyalg RSA |
Specifies the encryption algorithm used for the key pair. RSA is commonly used for SSL certificates. |
-keysize 2048 |
Defines the key size in bits. 2048 is a common secure size. |
-keystore <keystore_file> |
The name of the keystore file that will be created. The keystore stores private keys and certificates. |
-validity 365 |
Defines how long the generated certificate will remain valid (in days). |
During execution, the command will prompt you for:
- Keystore password
- Organization details
- Common Name (CN)
The Common Name (CN) must match the fully qualified domain name (FQDN) of the server.
Example:
api.example.com
2. Generate a Certificate Signing Request (CSR)
The CSR is sent to the Certificate Authority to issue a trusted certificate.
keytool -certreq -alias <key_alias> -file <csr_file> -keystore <keystore_file>
Parameters explanation
| Parameter | Description |
|---|---|
-certreq |
Generates a certificate signing request. |
-alias <key_alias> |
The alias of the private key that the CSR will be generated for. |
-file <csr_file> |
Output CSR file. |
-keystore <keystore_file> |
The keystore containing the private key. |
The resulting file should be sent to the Certificate Authority (CA).
The CA typically returns:
- Server certificate
- Intermediate certificate(s)
- Root certificate
3. Import Certificates into the Keystore
Certificates must be imported in the correct order to form a valid certificate chain.
3.1 Import the Root Certificate
keytool -import -alias <root_alias> -file <root_certificate> -keystore <keystore_file>
Parameters
| Parameter | Description |
|---|---|
<root_alias> |
Alias name for the root certificate entry. |
<root_certificate> |
Root certificate file provided by the CA. |
<keystore_file> |
The keystore where the certificate will be stored. |
3.2 Import the Intermediate Certificate
keytool -import -alias <intermediate_alias> -file <intermediate_certificate> -keystore <keystore_file>
Parameters
| Parameter | Description |
|---|---|
<intermediate_alias> |
Alias name for the intermediate CA certificate. |
<intermediate_certificate> |
Intermediate certificate file provided by the CA. |
<keystore_file> |
Target keystore. |
3.3 Import the Server Certificate
The server certificate must be imported using the same alias as the private key.
keytool -import -alias <key_alias> -file <server_certificate> -keystore <keystore_file>
Parameters
| Parameter | Description |
|---|---|
<key_alias> |
Alias of the private key created in Step 1. |
<server_certificate> |
Signed certificate returned by the Certificate Authority. |
<keystore_file> |
Target keystore. |
4. Verify the Certificate Chain
After importing the certificates, verify that the certificate chain was created correctly.
keytool -list -v -alias <key_alias> -keystore <keystore_file>
Parameters
| Parameter | Description |
|---|---|
-list |
Lists the entries stored in the keystore. |
-v |
Displays detailed certificate information. |
<key_alias> |
Alias of the private key entry. |
<keystore_file> |
Target keystore. |
Expected result:
Entry type: PrivateKeyEntry
Certificate chain length: 3
Typical certificate chain order:
Certificate[1] → Server Certificate
Certificate[2] → Intermediate CA
Certificate[3] → Root CA
5.Configure the Application Server
The keystore must be referenced in the server's SSL configuration.
Example generic configuration parameters:
SSL Enabled: true
HTTPS Port: 8443
Keystore File: <path_to_keystore>
Keystore Password: <keystore_password>
Key Alias: <key_alias>
SSL Protocol: TLS
⚠️ The exact configuration syntax depends on the application server.
Consult the server documentation to verify the correct SSL configuration method.
Example: HTTPS Configuration using a Java Keystore (Tomcat server.xml)
The following example demonstrates how an HTTPS connector may be configured in a server that uses a Java keystore.
⚠️ This is only an example configuration.
Different application servers use different configuration formats.
<!-- Example HTTP connector -->
<Connector port="8080"
protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- Example HTTPS connector -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="<path_to_keystore>"
keystorePass="<keystore_password>"
keyAlias="<key_alias>"
clientAuth="false"
sslProtocol="TLS"/>
<!-- Optional AJP connector -->
<Connector port="8009"
protocol="AJP/1.3"
redirectPort="8443"/>
Explanation of Configuration Parameters
| Parameter | Description |
|---|---|
port |
Port used by the HTTPS connector (commonly 8443). |
protocol |
HTTP protocol implementation used by the server. |
SSLEnabled |
Enables SSL/TLS encryption. |
scheme="https" |
Indicates that the connector handles HTTPS traffic. |
secure="true" |
Marks the connection as secure. |
keystoreFile |
Path to the Java keystore containing the server certificate and private key. |
keystorePass |
Password used to access the keystore. |
keyAlias |
Alias of the private key stored in the keystore. |
sslProtocol |
Defines the TLS protocol used for encrypted communication. |
clientAuth |
Indicates whether client certificate authentication is required. |
Placholder Example:
<path_to_keystore> → /opt/app/security/server_keystore.jks
<keystore_password> → changeit
<key_alias> → server-cert
6.Restart the Application Server
Restart the server to apply the new HTTPS configuration.
Check the server logs for SSL initialization messages.
Typical log example:
Initializing HTTPS connector
Starting SSL listener
7.Test HTTPS Connectivity
Test using curl
curl -vk https://<server_hostname>:<port>
Parameters
| Parameter | Description |
|---|---|
-v |
Enables verbose output. |
-k |
Allows insecure SSL connections (useful for testing). |
<server_hostname> |
Hostname or FQDN of the server. |
<port> |
HTTPS port configured on the server. |
Troubleshooting
Different keystore format
Occurs when the server expects a different keystore format.
Possible causes:
PKCS12 keystore used where JKS is expected
Corrupted keystore file
Verify keystore type:
keytool -list -keystore <keystore_file>
Certificate chain length = 1
This means the server certificate was imported without the CA certificates.
Solution:
Import certificates in this order:
1) Root CA
2) Intermediate CA
3) Server certificate
Alias mismatch
If the server cannot locate the private key, the alias configured in the server must match the alias used during keystore creation.
Example:
Key Alias: <key_alias>
Summary
HTTPS configuration generally includes the following steps:
- Create a keystore and private key
- Generate a CSR
- Obtain certificates from a Certificate Authority
- Import certificates into the keystore
- Verify the certificate chain
- Configure the application server to use the keystore
- Restart the server
- Test the HTTPS endpoint
Top comments (3)
Some comments may only be visible to logged-in visitors. Sign in to view all comments.