How to Import and Configure an Existing SSL/TLS Certificate for HTTPS on Apache Tomcat (with IIS/Apache conversion examples)
Overview
This guide provides the step-by-step process for importing an existing SSL/TLS certificate (from IIS or Apache) and configuring Apache Tomcat to enable secure HTTPS communication using the recommended SSLHostConfig approach. This ensures encrypted traffic and proper certificate handling in supported Tomcat versions.
Applies to
Apache Tomcat versions:
- Tomcat 11.0.x (Jakarta EE) – latest: 11.0.20 (requires Java 17+)
- Tomcat 10.1.x (Jakarta EE 10) – latest: 10.1.53 (requires Java 11+)
- Tomcat 9.0.x (Java EE 8 / javax.*) – latest: 9.0.116 (requires Java 8+)
Prerequisites
- Administrative access to the Tomcat server (to edit conf/server.xml and restart Tomcat).
- Certificate material in one of these formats: PFX/P12 (PKCS12) or CRT/KEY (PEM).
- OpenSSL installed (if you need to convert from PEM to PKCS12).
- A secure method to store and handle certificate passwords.
Tomcat supports PKCS12 (.p12/.pfx) and JKS keystores. IIS commonly exports certificates as PFX (which is a PKCS12 file). Apache HTTP Server typically uses separate .crt / .key files rather than Java keystores.
Procedure
Step 1: Convert certificate to PKCS12 (if required)
If you have an Apache-style certificate (.crt) and private key (.key), you can convert them into a single PKCS12 file (.p12) for Tomcat.
Command:
openssl pkcs12 -inkey private.key -in SectigoSSLserver.crt -export -out pkcs12keypair.p12
Notes:
- You will be prompted for a PEM pass phrase (if your private key is encrypted) and an export password for the new PKCS12 file.
- Replace file names/paths to match your environment.
Step 2: Configure Tomcat for HTTPS
Copy the PKCS12 file (for example, pkcs12keypair.p12) to the Tomcat server, then configure HTTPS in conf/server.xml.
Recommended configuration: In Tomcat (9.0+), configure HTTPS using a <Connector> with SSLHostConfig / Certificate.
Tip: Some older guides show configuring TLS by putting keystoreFile/keystorePass directly on the <Connector>. For Tomcat 9+, prefer SSLHostConfig / Certificate (especially if you need SNI or plan to host multiple certificates).
Tomcat server.xml examples (SSLHostConfig)
Example 1: PKCS12 (.p12/.pfx)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/keystore/newstore.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit" />
    </SSLHostConfig>
</Connector>
Example 2: PEM files (certificate/key/chain)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateFile="conf/server.crt"
                     certificateKeyFile="conf/private.key"
                     certificateChainFile="conf/chain.crt" />
    </SSLHostConfig>
</Connector>
Example 3: SNI (multiple certificates)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           defaultSSLHostConfigName="example.com">
    <SSLHostConfig hostName="example.com">
        <Certificate certificateKeystoreFile="C:/keystore/example.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit" />
    </SSLHostConfig>
    <SSLHostConfig hostName="api.example.com">
        <Certificate certificateKeystoreFile="C:/keystore/api.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit" />
    </SSLHostConfig>
</Connector>
Validation
- Restart Tomcat and confirm the HTTPS connector starts without errors in the logs.
- Browse to https://<hostname>:8443/ (or your configured HTTPS port) and confirm the certificate presented is the expected one.
- If you are using SNI, test each hostname (for example, https://example.com:8443/ and https://api.example.com:8443/) and confirm the correct certificate is returned for each name.
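The validation steps above can be scripted so that each SNI name is checked the same way a browser would. The following is an added example and not part of this article or of Tomcat itself: fetch_presented_cert() opens a verified TLS connection with server_hostname set to the name under test (the value Tomcat uses to choose an SSLHostConfig), and cert_matches_hostname() checks the returned certificate's subjectAltName (or CN, when no SAN is present) against that name with single-label wildcard matching. The host 127.0.0.1, port 8443, the cafile parameter and SAMPLE_CERT are assumptions; SAMPLE_CERT is a constructed dictionary in the shape ssl's getpeercert() returns, so the matching logic can be exercised without a server.

```python
import socket
import ssl
from typing import Optional


def dns_names(cert: dict) -> list:
    """DNS names a certificate is valid for: subjectAltName DNS entries, or the
    subject CN only when the certificate carries no SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard is honoured only as the whole leftmost label,
    so *.example.com covers api.example.com but not example.com or a.b.example.com."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if any DNS name in the certificate covers hostname."""
    return any(name_matches(n, hostname) for n in dns_names(cert))


def fetch_presented_cert(host: str, port: int = 8443, sni: Optional[str] = None,
                         cafile: Optional[str] = None) -> dict:
    """Open a verified TLS connection with server_hostname=sni (what Tomcat uses to pick
    an SSLHostConfig) and return the presented certificate in ssl's dict form.
    cafile (assumed parameter) points at a private CA bundle when one is needed."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()


def check_sni_hosts(host: str, port: int, names, cafile: Optional[str] = None) -> dict:
    """Map each SNI name to 'ok: <names>', 'mismatch: <names>' or 'failed: <reason>'.
    A certificate that does not cover the name fails verification inside
    fetch_presented_cert(), so it surfaces here as 'failed: ...'."""
    results = {}
    for name in names:
        try:
            cert = fetch_presented_cert(host, port, sni=name, cafile=cafile)
            ok = cert_matches_hostname(cert, name)
            results[name] = ("ok: " if ok else "mismatch: ") + ", ".join(dns_names(cert))
        except (ssl.SSLError, OSError) as exc:
            results[name] = f"failed: {exc}"
    return results


# Constructed sample in the format ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jan  1 00:00:00 2027 GMT",
}

if __name__ == "__main__":
    import sys
    # Assumed target: the Tomcat host on the connector port from the examples above.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for name, result in check_sni_hosts(target, 8443, ["example.com", "api.example.com"]).items():
        print(f"{name}: {result}")
```

Run it against the Tomcat host (for example `python check_sni.py tomcat01`) once per expected hostname; a name that resolves to "failed: ... certificate verify failed" usually means the wrong SSLHostConfig answered, which is exactly the SNI condition the validation step asks you to confirm.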
Troubleshooting
Common gotcha (configuration style):
- Avoid mixing legacy Connector SSL attributes (for example, older style keystoreFile/keystorePass and other SSL properties directly on the Connector) with SSLHostConfig/Certificate configuration in the same Connector.
- If Tomcat can’t match the SSL configuration, you may see errors such as “_default_ SSLHostConfig not found” or messages indicating that a certificate source (keystore or certificateFile/certificateKeyFile) is missing.
- Use one consistent approach per Connector.
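The mistakes described under this gotcha (legacy Connector attributes mixed with SSLHostConfig, a missing certificate source, and a defaultSSLHostConfigName that matches none of the hostName values in the SNI example above) can be caught before a restart by linting server.xml. The script below is an added example, not part of this article or of Tomcat; it uses only the standard library. The three server.xml fragments it checks are constructed samples modelled on the examples in this article, and the set of attribute names in LEGACY_SSL_ATTRS is the author's own list of the old per-Connector TLS attributes.

```python
import xml.etree.ElementTree as ET

# Old-style per-Connector TLS attributes (assumed list) that must not be combined with
# <SSLHostConfig> on the same Connector.
LEGACY_SSL_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
                    "sslProtocol", "ciphers", "clientAuth", "truststoreFile"}


def lint_server_xml(xml_text: str) -> list:
    """Return a list of findings for every SSLEnabled Connector; [] means clean."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        hostconfigs = conn.findall("SSLHostConfig")
        legacy = sorted(LEGACY_SSL_ATTRS & set(conn.attrib))
        if legacy and hostconfigs:
            findings.append(f"port {port}: legacy attributes {legacy} mixed with SSLHostConfig")
        elif not legacy and not hostconfigs:
            findings.append(f"port {port}: SSLEnabled but no TLS configuration at all")
        # Tomcat selects the SSLHostConfig named by defaultSSLHostConfigName
        # ("_default_" when unset); no match is the "SSLHostConfig not found" case.
        default = conn.get("defaultSSLHostConfigName", "_default_")
        names = [hc.get("hostName", "_default_") for hc in hostconfigs]
        if hostconfigs and default not in names:
            findings.append(f"port {port}: defaultSSLHostConfigName '{default}' "
                            f"matches no SSLHostConfig hostName {names}")
        for hc in hostconfigs:
            name = hc.get("hostName", "_default_")
            certs = hc.findall("Certificate")
            if not certs:
                findings.append(f"port {port} [{name}]: SSLHostConfig has no Certificate element")
            for cert in certs:
                has_keystore = "certificateKeystoreFile" in cert.attrib
                has_pem = {"certificateFile", "certificateKeyFile"} <= set(cert.attrib)
                if not (has_keystore or has_pem):
                    findings.append(f"port {port} [{name}]: Certificate names neither a keystore "
                                    "nor certificateFile/certificateKeyFile")
    return findings


# Constructed sample 1: the SNI example from this article inside a minimal Server/Service skeleton.
GOOD_SNI = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           defaultSSLHostConfigName="example.com">
  <SSLHostConfig hostName="example.com">
    <Certificate certificateKeystoreFile="C:/keystore/example.p12"
                 certificateKeystoreType="PKCS12" certificateKeystorePassword="changeit" />
  </SSLHostConfig>
  <SSLHostConfig hostName="api.example.com">
    <Certificate certificateKeystoreFile="C:/keystore/api.p12"
                 certificateKeystoreType="PKCS12" certificateKeystorePassword="changeit" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed sample 2: legacy keystoreFile/keystorePass mixed with SSLHostConfig, plus a
# Certificate element that names no keystore and no PEM files.
BAD_MIXED = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           keystoreFile="C:/keystore/old.jks" keystorePass="changeit">
  <SSLHostConfig>
    <Certificate certificateKeystoreType="PKCS12" certificateKeystorePassword="changeit" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed sample 3: two named SSLHostConfig entries but no defaultSSLHostConfigName.
BAD_DEFAULT = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig hostName="example.com">
    <Certificate certificateFile="conf/server.crt" certificateKeyFile="conf/private.key" />
  </SSLHostConfig>
  <SSLHostConfig hostName="api.example.com">
    <Certificate certificateFile="conf/api.crt" certificateKeyFile="conf/api.key" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""

if __name__ == "__main__":
    for label, text in (("GOOD_SNI", GOOD_SNI), ("BAD_MIXED", BAD_MIXED), ("BAD_DEFAULT", BAD_DEFAULT)):
        print(label, lint_server_xml(text) or "clean")
```

To lint a real file, call lint_server_xml(open("conf/server.xml").read()); an empty list means the Connector follows one consistent style and every SSLHostConfig has a certificate source Tomcat can locate.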
Where to check logs:
Review logs/catalina.out (Linux) or the Tomcat logs directory (Windows service installs may log to separate service logs) for SSL initialization errors.
Optional (JKS):
- If you need to use a JKS keystore instead of PKCS12, create a new JKS keystore and import the PKCS12 keypair using the keytool command.
- Then reference it in server.xml via SSLHostConfig, for example by setting certificateKeystoreFile to your .jks file and certificateKeystoreType to JKS.