Tomcat SSL Handshake

The requirement is to stop an application deployed in a Tomcat container from accepting every public certificate, and to allow an SSL handshake only with certificates issued by the organisation's own Certificate Authority.

By default, all trusted Certificate Authorities are stored in a Java keystore file named cacerts, located at

 <Java Installation Path>\jdk1.<version>\jre\lib\security\cacerts

(for JDK 9 and later, which has no jre directory: <Java Installation Path>\lib\security\cacerts). It holds the certificate of every CA the JDK ships with, so a web application deployed on Tomcat can make HTTPS calls to any external web service (SOAP or REST) or application whose certificate chains to one of those CAs.

The requirement is to restrict Tomcat to the organisation's own certificates. To achieve this, we override the default cacerts file with a new trust store that contains only the required trusted certificates, placed at

${CATALINA_BASE}/conf/cacerts

This file has no entries to start off; the CA certificates are added in the steps below. Note that the JVM does not pick the file up merely because it sits in conf/: it must be told where the trust store is, and its password (changeit is the default password of the JDK's own cacerts), through the system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword, typically set in CATALINA_OPTS in ${CATALINA_BASE}/bin/setenv.sh (setenv.bat on Windows).

Once this is done, the application deployed on Tomcat will throw SSLHandshakeException for every peer whose certificate does not chain to a CA listed in the new cacerts (if the application calls such peers). A trust store that is still completely empty fails earlier and differently, with InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty; the PKIX error below is what appears once at least one CA has been imported.

The exception seen is

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To do this, we first need to export the trusted CA certificate, for example from the browser, in .cer format.

To trust a new Certificate Authority:
  • View the certificate presented by the server
  • Find the Certificate Authority that issued the certificate
  • Download the certificate of that Certificate Authority (the CA certificate, not the server's own leaf certificate, so the trust survives the server renewing its certificate)
  • Save the Certificate Authority's certificate as test.cer; this is the file imported into the trusted list below
Steps to add a certificate to the trusted list
  • Open a command prompt (cmd) in administrative mode
  • Navigate to ${CATALINA_BASE}/conf
  • Check how many certificates are currently in the trusted list (skip this step if you are doing this for the first time and the file does not exist yet) by running
keytool -list -keystore cacerts > d:\beforecerts.txt
  • Open beforecerts.txt and note the number of imported certificates: Your keystore contains n entries
  • Issue the following command to import the certificate test.cer
keytool -import -trustcacerts -alias <aliasname> -file <location>\test.cer -keystore cacerts
  • Check the number of certificates in the trusted list again
keytool -list -keystore cacerts > d:\aftercerts.txt
  • Open aftercerts.txt and check the number of imported certificates: it should have increased by 1

Now try to hit an external application whose certificate is not trusted by your Tomcat, and vice versa: the first call must fail with the SSLHandshakeException shown above, the second must succeed.
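The procedure above (create the restricted trust store, import the organisation's CA, confirm the entry count went up by exactly one, and hand the store to the JVM via setenv.sh) as one POSIX shell script. This is an added example, not code from the original post; keytool takes the same flags on Windows, only the paths differ. It assumes a PKCS12 store, the password changeit (override with STOREPASS=...), the alias org-root-ca, and a Tomcat whose catalina.sh sources bin/setenv.sh.

```shell
#!/bin/sh
# Added example (not from the original post): build a Tomcat trust store that
# holds only the organisation's CA and point the JVM at it.
# Assumptions: PKCS12 store, password "changeit" (override with STOREPASS=...),
# alias "org-root-ca", Tomcat reads bin/setenv.sh.
set -eu

STOREPASS=${STOREPASS:-changeit}
STORETYPE=PKCS12

# Read `keytool -list` output on stdin and print the entry count.
# keytool prints "Your keystore contains 1 entry" / "... N entries"; when the
# line is absent (keytool error, store not created yet) print 0.
count_entries_in_listing() {
    n=$(sed -n 's/^Your keystore contains \([0-9][0-9]*\) entr.*/\1/p')
    printf '%s\n' "${n:-0}"
}

# Entry count of an existing store, or 0 when it does not exist yet (first run,
# the case the post tells you to skip).
list_count() {            # $1 = keystore path
    if [ ! -f "$1" ]; then printf '0\n'; return 0; fi
    keytool -list -keystore "$1" -storetype "$STORETYPE" -storepass "$STOREPASS" \
        | count_entries_in_listing
}

# Import one CA certificate (PEM or DER .cer). keytool creates the store if it
# is missing; -importcert is the current name of the post's -import;
# -noprompt answers the "Trust this certificate?" question asked for a root CA.
import_ca() {             # $1 = keystore path, $2 = alias, $3 = certificate file
    keytool -importcert -noprompt -trustcacerts -alias "$2" -file "$3" \
        -keystore "$1" -storetype "$STORETYPE" -storepass "$STOREPASS"
}

# JVM options that make Tomcat use conf/cacerts instead of the JDK's default store.
jvm_trust_opts() {        # $1 = CATALINA_BASE
    printf '%s%s%s\n' "-Djavax.net.ssl.trustStore=$1/conf/cacerts" \
        " -Djavax.net.ssl.trustStorePassword=$STOREPASS" \
        " -Djavax.net.ssl.trustStoreType=$STORETYPE"
}

build_restricted_truststore() {   # $1 = CATALINA_BASE, $2 = org CA certificate file
    store="$1/conf/cacerts"
    before=$(list_count "$store")
    import_ca "$store" org-root-ca "$2"
    after=$(list_count "$store")
    # The post's check: the count must have gone up by exactly one.
    if [ "$after" -ne $((before + 1)) ]; then
        echo "expected $((before + 1)) entries after import, found $after" >&2
        return 1
    fi
    echo "$store: $before -> $after entries"
    # Without this line the JVM keeps using the JDK's own cacerts and nothing
    # is restricted; catalina.sh sources bin/setenv.sh on startup.
    echo "add to $1/bin/setenv.sh and restart Tomcat:"
    printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$(jvm_trust_opts "$1")"
}

# Usage: sh restrict-truststore.sh /opt/tomcat org-root.cer
# Throwaway CA for a dry run (constructed for testing, not the organisation's CA):
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
#       -subj "/CN=Example Org Root CA" -keyout ca.key -out org-root.cer
if [ $# -eq 2 ]; then
    build_restricted_truststore "$1" "$2"
fi
```

Run it once per CA to import (changing the alias each time); after the restart, a call to a server whose certificate chains to org-root-ca succeeds and a call to any other HTTPS server fails with the PKIX error quoted above.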
