Security first should be the thumb rule for any organization to secure your hard-working code from hackers. It becomes more important while traveling application data over public networks. For this situation, we need to implement end-to-end encryption using TLS. This tutorial helps you to issue a new let’s encrypt SSL certificate and configure it with the Tomcat web server.


This tutorial doesn’t cover the Tomcat installation. We are assuming that you already have a Tomcat server running on your system. You can visit Tomcat installation tutorials.

Step 1 – Installing Certbot

Certbot is a command-line utility to create and manage Let’s Encrypt SSL certificates. Which is available for most of the operating systems. Debian-based users can install certbot by running the following command. Other operating system users can install it from here. Next, create the SSL certificate for your domain. Make sure the domain is already pointed to the tomcat server from DNS. For this tutorial, I am using the subdomain. Once the certificate issued, you can see all the related files at below location: These are all the files you need for the SSL certificate setup.

Step 2 – Configure Tomcat with Let’s Encrypt SSL

Next, configure your Tomcat server to listen on the secure protocol. By default, Tomcat uses 8443 to listen for SSL/TLS requests. Copy SSL certificate’s and private key files under /opt/tomcat/conf directory: Then edit the conf/server.xml file available under the Tomcat home directory. In my case Tomcat is installed under /opt/tomcat, So use the below command to edit the configuration file. Remove to uncomment the following section in configuration file. Also add the certificate section with your certificate files. The configuration will be look like: Press CTRL+O to save changes and CTRL+X to exit from the editor. Now, restart the Tomcat service to apply changes. That’s it. You have configured Let’s Encrypt SSL with Tomcat. The next step is to verify the setup.

Step 3 – Verify Tomcat SSL Certificate

Default tomcat with SSL listens on 8443 port. Use your domain with an 8443 port to access Tomcat over the secure socket layer.

That’s it. You have successfully configured Let’s Encrypt SSL with Tomcat.

Step 4 – Renew SSL Certificate

The default Let’s Encrypt SSL certificates expire in 90 days. You can easily refresh your SSL certificate anytime within 30 days of expiration. Type the below command to refresh the SSL certificate. Once successfully renewed. Copy the newly generated certificate files to the Tomcat conf directory. Restart the Tomcat service to apply changes.


In this tutorial, You have learned to set up the Let’s Encrypt SSL certificate with the Tomcat web server. Additionally provides you with steps to renew your SSL certificate.

How To Secure Tomcat with Let s Encrypt SSL   TecAdmin - 60