Strictly speaking a tomcat issue. Hope it might help. For HTTPS negotiation tomcat needs a "keystore". Sadly this is very different from other servers (dovecot IMAP, apache Web) and it is a bit tricky to accomplish.

This is the result of my research today, pls follow up if there's an easier method.

On your linux box you need openssl and a Java JDK(!). Here come the steps:

1 generate the private key (note down the secret you used!)

openssl genrsa  -aes128 2048 -days 3650 >  tomcat_key.pem

2 generate the certificate signing request

openssl req -new -key tomcat_key.pem -out tomcat_csr.pem

3 sign that certificate request

a) externally (for serious production work) give the file tomcat_csr.pem (not your key!) to Verisign, A-trust or any other organisation to have it signed by a reconized authority

OR b) sign it yourself (provided you have setup a CertificateAuthority)

openssl ca -out  tomcat_cert.pem -infiles tomcat_csr.pem

OR c) create a self-signed certificate that way you don't need a Certificate Authority set up, but certain version of MS-Win programs (>Office2010) don't trust selfsigned certs, they want the two step version (b)

openssl x509 -req -days 3650 -in tomcat_csr.pem -signkey tomcat_key.pem -out tomcat_cert.pem

=================================================================== here we have all what "normal" servers need: a key and a signed certificate. The method to stuff them into the tomcat keystore file is tedious:

4 Convert them to .der file format (have your secret ready)

openssl pkcs8 -topk8 -nocrypt -in tomcat_key.pem -inform PEM -out tomcat_key.der -outform DER

openssl x509 -in tomcat_cert.pem -inform PEM -out  tomcat_cert.der -outform DER

5 get the comverter program

Get source code from here: Attention: change .java soufce file, locate the following section

// change this if you want another password by default
String keypass = "your-private-key-secret-from-step1";   
// change this if you want another alias by default
String defaultalias = "tomcat";

make sure the keypass is the same(!) secret you used for you key in step 1

6 compile the java helper proggy


Should not fail and produce ImportKey.class (the compiled java program)

7 mix key and secret into single tomcat keystore file

CLASSPATH=.:$CLASSPATH  java ImportKey tomcat_key.der tomcat_cert.der

the keyfile now resides in your homdirectory and is named keystore.ImportKey

8 configure tomcat

locate the file server.xml and edit it as follows. Somewhere below the tag <service name="Catalina"> insert the following, picking any unused port number for your https endpoint (I used 27779 here):

<Connector port="27779"                   <<< note your port number!
           sslProtocol="TLS" />

9 bounce tomcat and check catalina.out logfile

tail -f /data/FormspiderServer/apache-tomcat-6.0.29/logs/catalina.out

10 Test

Point your browser to your tomcat host using the portnumber you choose in step 8 https://your-formspider-host:27779/ or if working on the tomcat machine itself https://localhost:27779/

11 Troubleshooting

There is a high probability that from the outside world port 27779 of your tomcat server is not reachable. Talk to your firewall guys to have the port forwarded to your server.

If someone knows a shortcut simplifying steps 4. 5. 6. 7. please add to this thread!

asked 12 Nov '14, 10:02

dipr's gravatar image

accept rate: 0%

wikified 19 Nov '14, 08:52

Serdar's gravatar image

Serdar ♦♦

Hi Paul,

Thank you very much for posting this. I am sure it'll help every Formspider developer who wants to set up an HTTPS connection.

Kind Regards,

(12 Nov '14, 10:05) Yalim ♦♦
Be the first one to answer this question!
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported



Asked: 12 Nov '14, 10:02

Seen: 4,260 times

Last updated: 19 Nov '14, 08:52

© Copyright Gerger 2017