How to Configure Apache Tomcat With Fully Managed TLS Certificates

Configure Apache Tomcat With Fully Managed TLS Certificates

Apache Tomcat is a popular open source application server used on Red Hat Enterprise Linux (RHEL), Ubuntu Server, other Linux distributions, MacOS, and Windows Server.  One of the most critical best practices for securing Tomcat is to configure SSL/TLS (HTTPS) using a trusted certificate from your enterprise CA or commercial CA.  Most of the documentation found online on how to configure SSL/TLS for Tomcat provides instructions for creating a self-signed certificate.  Self-signed certificates are not secure and should be avoided.

CertAccord© Enterprise can automatically create X.509 certificates from Microsoft ADCS and other CA platforms. The certificates are fully managed including automatic renewal. Certificates can be exported into multiple formats including PEM, PKCS12 (P12), and JKS. The resulting PEM, PKCS12, and JKS files will be automatically renewed and updated by CertAccord prior to expiration. For more information on how this works visit the CertAccord Enterprise page.

Tomcat requires certificates and their associated key and CA trust be bundled into a JKS or PKCS12 file, both of which are supported by CertAccord Enterprise. This procedure describes how to use CertAccord Enterprise to create and automatically renew X.509 certificates for Tomcat.  The certificates are created/issued by a Microsoft ADCS Certificate Authority and managed by CertAccord Enterprise.

This document assumes CertAccord Enterprise is already configured in your environment. Installing CertAccord Enterprise can be done relatively quickly and painlessly in a few hours to a few days.

CertAccord Enterprise Agent is supported on Linux, Mac, Unix, and Windows.  The commands in this document are the same on all platforms with only the pathnames differing.

Step By Step Guide


Install and register CertAccord Enterprise Agent on the target system with Tomcat. See the CertAccord Enterprise Installation Guide for details.


Create a certificate in JKS format from CertAccord:

acme% cmb cert create usages=serverauthentication alias=mycert certstoragefmt=jks
Authenticate using CertAccord/Active Directory
Username: jsmith
Created certificate ID: d2pN78bQ SUBJECT: "" SERIAL: 2500009c USAGES: ServerAuthentication EXPIRES: Dec 02 2020 07:20:02 PST
Adding certificate + private key [ID: 3HM836fC [RSA 2048]] to /var/cmb/cert/
Exported [ADDED] FILE: /var/cmb/cert/
ENTRY: [ADDED] PRIVATEKEY "Private Key 3HM836fC" RSA 2048
ENTRY: [ADDED] "Certificate d2pN78bQ" SUBJECT: "" USAGES: ServerAuthentication
ENTRY: [ADDED] TRUSTCERTIFICATE "Contoso Issuing CA2" SUBJECT: "CN=Contoso Issuing CA2, DC=contoso, DC=com"
Exported JKS Config File [NoChange] FILE: /var/cmb/cert/

The alias of “mycert” can be whatever you wish.

Review the output and take note of these files that will be used later:



Configure Tomcat to use the file.  This file is encrypted and the password to decrypt the file is located in

Key Takeaways

A few key take-aways:

  1. Because the certificate was created by the enterprise CA and is not self-signed, the certificate is automatically verifiable by any application in the enterprise.
  2. The Agent manages the life-cycle of the certificate.  That means it will automatically renew the certificate without any human intervention.
  3. It’s easy to automatically enroll or push certificates to Mac, Linux, and Windows end-points using CertAccord Enterprise.


This process describes how to configure Tomcat to use SSL/TLS over HTTPS using a trusted enterprise issued certificate. This avoids all the problems associated with self-signed certificates and does so utilizing the automation of CertAccord Enterprise.

Learn More

To learn more about CertAccord Enterprise, please reach out to us today:

Schedule A Demo