SSL Configuration using Java Keystore

From LogicalDOC Community Wiki
Jump to navigationJump to search

LogicalDOC embeds the Tomcat application server and it can be configured to support the encrypted protocol HTTPS. This is useful when you want to expose the program on the Internet.

Note idea.png Please be aware that this procedure is not coverded by the standard support contract.
In case you want this matter to be handled professionally, please write to for a quote.

Basically you only have to follows the steps described in the Apache how-to at SSL Configuration HOW-TO What follows is a re-visioned extract from that how-to

Prepare the certificate Keystore

To install and configure SSL support on Tomcat, you need a keystore that is a file containing one or more certificates Tomcat currently operates on JKS format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK.

Each entry in a keystore is identified by an alias string. To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about keytool.

To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:


   %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA


   $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

(The RSA algorithm should be preferred as a secure algorithm, and this also ensures general compatibility with other servers and components.)

This command will create a new file, in the home directory of the user under which you run it, named ".keystore". To specify a different location or filename, add the -keystore parameter, followed by the complete pathname to your keystore file, to the keytool command shown above. You will also need to reflect this new location in the server.xml configuration file, as described later. For example:


   %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA \
     -keystore <LDOC_HOME>\conf\keystore


   $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA \
     -keystore <LDOC_HOME>/conf/keystore

replace <LDOC_HOME> with the installation path of LogicalDOC

After executing this command, you will first be prompted for the keystore password. The default password used by Tomcat is "changeit" (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file, as described later.

Next, you will be prompted for general information about this Certificate, such as company, contact name, and so on. This information will be displayed to users who attempt to access a secure page in your application, so make sure that the information provided here matches what they will expect.

Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. (Currently, the keytool prompt will tell you that pressing the ENTER key does this for you automatically.)

If everything was successful, you now have a keystore file with a Certificate that can be used by your server.

Edit the Tomcat configuration file

The final step is to configure your secure socket in the <LDOC_HOME>/tomcat/conf/server.xml file, where <LDOC_HOME> represents the base directory for the LogicalDOC installation. An example <Connector> element for an SSL connector looks something like this:

   <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
              port="8443" maxThreads="200"
              scheme="https" secure="true" SSLEnabled="true"
              keystorePass="changeit" clientAuth="false" sslProtocol="TLS"
              URIEncoding="UTF-8" server="Undisclosed/8.41" />

replace <LDOC_HOME> with the installation path of LogicalDOC

Note idea.png LogicalDOC application will be updated from time to time so it is not safe to maintain the keystore inside the tomcat/ folder, please put your keystore inside the conf/ folder of the LogicalDOC installation path.

The port attribute (default value is 8443) is the TCP/IP port number on which Tomcat will listen for secure connections. You can change this to any port number you wish.

If you change the port number here, you should also change the value specified for the redirectPort attribute on the non-SSL connector. This allows Tomcat to automatically redirect users who attempt to access a page with a security constraint specifying that SSL is required.

After completing these configuration changes, you must restart LogicalDOC as you normally do, you should be able to access via SSL. For example, try:


and you should see the usual login page.

Importing a certificate

Please note that each certificate issuer is different and the procedure to install their certificates in Tomcat may be differ.

It is responsibility fo your certificate issuer to provide you with a tutorial on installing the certificate in Tomcat. So refer to your certificate issuer for getting help.

For your convenience, here below is a list of How-Tos from different issuers:

In general, if you have your Certificate you can import it into you local keystore. First of all you have to import a so called Chain Certificate or Root Certificate into your keystore. After that you can proceed with importing your Certificate.

  • Download a Chain Certificate from the Certificate Authority you obtained the Certificate from.
 For Entrust commercial certificates go to:
 For Verisign commercial certificates go to:
 For Thawte go to:
 For GoDaddy go to:
  • Import the Chain Certificate into your keystore
         keytool -import -alias root -keystore <your_keystore_filename> \
         	-trustcacerts -file <filename_of_the_chain_certificate>
  • And finally import your new Certificate
         keytool -import -alias tomcat -keystore <your_keystore_filename> \
         	-file <your_certificate_filename>