I have been using a VPS in which I have hosted a JSP project and after spending quite a long time on the internet, I found the correct way to install the SSL certificate I bought. It is always better to follow the instructions of your certificate provider, but sometimes, these instructions can be somewhat misleading, with popular assumptions such as owning a perfect machine or having an expert knowledge on the prerequisites. In this post, I will be trying to loosen up some such problems but feel free to comment any suggestions or remarks.
I have Tomcat 8.5 running on my VPS with Apache server and in that, I have deployed a web app on the root (Let's say http://mysitesname.com/).
When you are purchasing an SSL certificate, you will be prompted to input a CSR code which can be easily generated using OpenSSL by running the following command on the command line:
This command will generate two files (server.key and server.csr. Never give away your private key ie server.key)
Once you upload the CSR code to the certificate provider, you will be asked to activate it. (Eg: you might need to place a certain file at the root of the site, respond with an admin email etc)
Once the SSL is activated, then only you can install it.
I purchased a Comodo SSL certificate and since I selected a PositiveSSL, I could download 3 files such as:
Redirecting to HTTPS
In order to redirect your domain traffic to your https domain, add the following in your conf file.
After the conf file is modified, restart the server using
If it generates an error saying Invalid command 'SSLEngine' , you will have to enable the ssl module from the commons package by running
That's it! Try browsing the site with https and ensure it is installed correctly.
The scenario
I have Tomcat 8.5 running on my VPS with Apache server and in that, I have deployed a web app on the root (Let's say http://mysitesname.com/).
Creating the CSR
When you are purchasing an SSL certificate, you will be prompted to input a CSR code which can be easily generated using OpenSSL by running the following command on the command line:
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr
This command will generate two files (server.key and server.csr. Never give away your private key ie server.key)
Once you upload the CSR code to the certificate provider, you will be asked to activate it. (Eg: you might need to place a certain file at the root of the site, respond with an admin email etc)
Once the SSL is activated, then only you can install it.
Installing the SSL
I purchased a Comodo SSL certificate and since I selected a PositiveSSL, I could download 3 files such as:
- mysitesname_com.crt
- mysitesname_com.p7b
- mysitesname_com.ca-bundle
Let's say I downloaded those files on a folder names /home/ssl on the VPS and I copied the previously created CSR and Key files into the same folder for convenience.
Installing SSL on Apache vs Tomcat
I spent an annoyingly long time on trying to install SSL on tomcat and then realized that according to my requirement, where I had to install was on Apache. It's basically because that I had previously modified my Apache's virtualhosts file to direct to the deployed webapp. So even though the running webapp was deployed on Tomcat, the http was provided by Apache. It is because Apache is an HTTP Server, serving HTTP while Tomcat is a Servlet and JSP Server serving Java technologies. Tomcat is a servlet container. A servlet, at the end, is a Java class. JSP files (which are similar to PHP, and older ASP files) are generated into Java code (HttpServlet), which is then compiled to .class files by the server and executed by the Java virtual machine.
Once the certificate files are stored on the VPS, its only a matter of modifying Apache's virtualhosts. Since my VPS is Ubuntu, the file I must modify is /etc/apache2/sites-enabled/mysitesname.com.conf. The filename and the path may vary according to the OS installed.
The file already contained a virtual host on port 80. For this purpose a new host entry must be added on port 443 as follows:
Since I had set my webapp to be hosted on the root, my previous settings too had to be added, after which the complete entry will look like the following:
Once the certificate files are stored on the VPS, its only a matter of modifying Apache's virtualhosts. Since my VPS is Ubuntu, the file I must modify is /etc/apache2/sites-enabled/mysitesname.com.conf. The filename and the path may vary according to the OS installed.
The file already contained a virtual host on port 80. For this purpose a new host entry must be added on port 443 as follows:
Listen 443 <VirtualHost _default_:443> ServerName mysitesname.com SSLEngine on SSLCertificateFile "/home/ssl/mysitesname_com.crt" SSLCertificateKeyFile "/home/ssl/server.key" SSLCACertificateFile "/home/ssl/mysitesname_com.ca-bundle" </VirtualHost>
Since I had set my webapp to be hosted on the root, my previous settings too had to be added, after which the complete entry will look like the following:
Listen 443 <VirtualHost _default_:443> ServerName mysitesname.com SSLEngine on SSLCertificateFile "/home/ssl/mysitesname_com.crt" SSLCertificateKeyFile "/home/ssl/server.key" SSLCACertificateFile "/home/ssl/mysitesname_com.ca-bundle" ProxyPreserveHost On ProxyPass / http://mysitesname.com:8080/ ProxyPassReverse / http://mysitesname.com:8080/ </VirtualHost>
Redirecting to HTTPS
In order to redirect your domain traffic to your https domain, add the following in your conf file.
Listen 443 <VirtualHost *:80> RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} </VirtualHost>
After the conf file is modified, restart the server using
service apache2 restart
. If it generates an error saying Invalid command 'SSLEngine' , you will have to enable the ssl module from the commons package by running
sudo a2enmod ssl
and restart again. That's it! Try browsing the site with https and ensure it is installed correctly.