How to use PKCS #12 archives with Apache Tomcat for Transport Layer Security (TLS). TLS superseded the Secure Sockets Layer (SSL) protocol.

In the following example, we create a Tomcat TLS connector and use a PKCS #12 file as the keystore.

Directory layout (relative to the Tomcat base directory)

../Tomcat/
|-- certificates/
|   `-- file.p12
`-- conf/
    `-- server.xml

The file file.p12 contains the private key, and the file server.xml contains the password that protects it. Make sure that only the Tomcat process, that is the user account it runs as, can read these two files.

The password for the certificate’s private key must be the same as the password for the PKCS #12 file, because Tomcat uses the keystore password as the key password unless a separate key password is configured.

Tomcat versions 8, 9 and 10

server.xml

<!-- TOMCAT TLS CONNECTOR -->
<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    scheme="https"
    secure="true">
    <!-- certificateVerification="optional": request a client certificate during the
         handshake, but do not reject clients that present none -->
    <SSLHostConfig certificateVerification="optional">
        <!-- (1) certificateKeystoreFile, (2) certificateKeystorePassword: see below -->
        <Certificate
            certificateKeystoreType="PKCS12"
            certificateKeystoreFile="certificates/<file>.p12"
            certificateKeystorePassword="<password>"
        />
    </SSLHostConfig>
</Connector>
  1. Adapt certificateKeystoreFile to the path of your PKCS #12 file.
  2. Adapt certificateKeystorePassword to the password of that file.

Tomcat version 7

Tomcat 7 needs a different configuration: there is no SSLHostConfig element, and the keystore settings are attributes of the Connector element itself.

server.xml

<!-- TOMCAT 7.x TLS CONNECTOR -->
<!-- (1) keystoreFile, (2) keystorePass: see below -->
<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="false"
    keystoreType="PKCS12"
    keystoreFile="certificates/<file>.p12"
    keystorePass="<password>"
/>
  1. Adapt keystoreFile to the path of your PKCS #12 file.
  2. Adapt keystorePass to the password of that file.

After restarting Tomcat, the connector accepts HTTP over TLS (HTTPS) connections on TCP port 8443.
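As an added check (example code written for this page, not part of the original text and not Tomcat's own tooling), the following script audits the connector settings from both sections above. It accepts either attribute style, and reports a keystore type other than PKCS12, a password left at the placeholder, a missing scheme/secure setting, and a keystore file readable by more than its owner. The file-mode lookup is injectable, an assumption of this example, so the check can be exercised without real files.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Attribute names: (keystore file, keystore password, keystore type).
NEW_STYLE = ("certificateKeystoreFile", "certificateKeystorePassword", "certificateKeystoreType")  # SSLHostConfig/Certificate layout
OLD_STYLE = ("keystoreFile", "keystorePass", "keystoreType")  # Tomcat 7 Connector attributes


def _mode_of(path):
    """Permission bits of a file on disk (raises OSError if missing or unreadable)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_tls_connectors(server_xml, base_dir=".", mode_of=_mode_of):
    """Return findings for every SSLEnabled Connector; an empty list means nothing to fix."""
    # mode_of is injectable (example-only design) so the check can run without real files.
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for attr, want in (("scheme", "https"), ("secure", "true")):
            if conn.get(attr) != want:
                findings.append(f"port {port}: {attr} should be '{want}'")
        cert = conn.find("SSLHostConfig/Certificate")  # present only in the newer layout
        holder, names = (cert, NEW_STYLE) if cert is not None else (conn, OLD_STYLE)
        ks_file, ks_pass, ks_type = (holder.get(n) for n in names)
        if ks_type != "PKCS12":
            findings.append(f"port {port}: {names[2]} should be 'PKCS12'")
        if not ks_pass or ks_pass == "<password>":
            findings.append(f"port {port}: {names[1]} is empty or still the placeholder")
        if not ks_file:
            findings.append(f"port {port}: {names[0]} is missing")
            continue
        path = os.path.join(base_dir, ks_file)  # Tomcat resolves relative paths against its base dir
        try:
            mode = mode_of(path)
        except OSError:
            findings.append(f"port {port}: keystore {path} is missing or unreadable")
            continue
        if mode & 0o077:  # any group/other bit set: more than the Tomcat user can read the key
            findings.append(f"port {port}: keystore {path} is readable by group/other (mode {mode:o})")
    return findings


if __name__ == "__main__":
    import sys  # usage: python audit_tomcat_tls.py /path/to/Tomcat
    base = sys.argv[1] if len(sys.argv) > 1 else "."
    with open(os.path.join(base, "conf", "server.xml"), encoding="utf-8") as fh:
        print("\n".join(audit_tls_connectors(fh.read(), base) or ["OK: no findings"]))
```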