How do I use a local SSL cert on Windows with Lucee?

I finally had it with Chrome not allowing me to run a non-https site for local development, so I’m trying to configure Lucee 5.x on Windows 11 to serve local.mydomain.com:8888 using https. I created my cert using openssl following these instructions:

https://medium.com/@coxpert/get-https-working-in-windows-10-11-with-localhost-dev-environment-8fc5e5c63652

I’ve already configured local.mydomain.com to map to localhost through my hosts file. Now I need to somehow tell the Lucee internal tomcat server to use my new cert. How do I do this? I assume that I need to somehow modify my server.xml file, or web.xml file.

Thanks in advance!

Here is how to setup an SSL in tomcat 9.
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Thanks @Terry_Whitney… have you done this? I’ve been trying to get it to work but not having any success. I created the cert using keytool and now I’m trying to specify the correct connector in the server.xml file. The section titled Edit the Tomcat Configuration File has a lot of options that I don’t completely understand. Thanks!

I use https://www.win-acme.com/ to create the certificate for my live websites as well as the test server websites. The trick is to get the DNS right. I use a subdomain on my real domain that points to the local machine. Obviously this only works from my local network. So for example test.mydomain.com points to 192.168.0.10. People outside my network won’t get the website, but inside my network it works. The certificate is already trusted, so you don’t have to mess with tomcat.

Thanks @Bigfoot2 … The issue I’m currently having has to do with configuring my tomcat ssl connector. In my catalina log file, I’m getting the error: Algorithm HmacPBESHA256 not available and I’m pretty sure it has something to do with reading the certificate I made using keytool as described here:

https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html

Regarding your reply, I am pointing local.mysite.com to the correct local server from my server’s hosts file as well as through my router so that I can also access it from other devices. This has already been working, but thank you for the info.

I am pretty sure that the certificate generated by the tool I suggested already is preloaded in tomcat. I never had to touch tomcat. You need to mess with tomcat only if you are self signing a certificate. The tool I mentioned crates free ssl certificates

typo… creates free ssl certs that you can even use on your live site as well as your test site!

@Redtopia I did an SSL install in the past and managed to get it working on Tomcat. The main problem I had was getting the correct certificate format for Tomcat to be able to read it, as described in “III. Translate the generated keys to a tomcat readable format”. Here is how I did it, just copying & pasting it here from my own docs (I didn’t have much time to reread/retest it, it’s just like I had it in my docs; you also need to recheck whether the algorithms I used here are still safe to use):

Create Self-signed Certificate For Lucee and Tomcat 9.0

This is an example of creating a TLS connection using Lucee with Tomcat.

I. Install openSSL:

If not already installed, you can create your keys with the OpenSSL shipped with the Cygwin project or with Win32OpenSSL.

Option a) Install openSSL with help of Cygwin:

  • Go to Cygwin Installation
  • Download the setup file for your Windows OS version
  • Right-click the setup file and run as administrator
  • Click on “continue”
  • Select “Install from Internet” and “continue”
  • Set a “root directory” of your choice and “Install For ‘All users’” as recommended, then “continue”
  • Set a “Local Package Directory” of your choice and “continue”
  • Select “direct connection” and “continue”
  • Select a download site of your choice and “continue”
    After this some setup files will be downloaded, and when finished you will be able to “Select Packages”.
  • Enter the term “openSSL” in the search box
  • Expand “All → Base” by clicking on the plus sign. You will see the package
    of openSSL marked as “Skip” in the “new” column. Set the value from “Skip” to the openSSL version
    you wish to use. We will go with 1.1.1d-1. This will select all further dependencies needed automatically.
    Click on “continue” and “continue”. This will download all the files and dependencies.
  • “Create a Desktop Icon” and “continue”

Option b) Install openSSL with Win32OpenSSL

II. Create a self-signed certificate for the domain “localhost”.

  • Create a directory called d:\keystores
  • Create a configuration file named “d:\keystores\domains.ext” with the following content:

    [dn]
    CN=localhost

    [req]
    distinguished_name = dn

    [EXT]
    subjectAltName=DNS:localhost
    keyUsage=digitalSignature
    extendedKeyUsage=serverAuth

  • Open a Cygwin terminal by double-clicking the Cygwin icon on your desktop, or open a cmd terminal
    by pressing the WINDOWS key + R, then enter ‘cmd’ and click ‘ok’, and enter the following command:

    openssl req -x509 -out d:/keystores/localhost.crt -keyout d:/keystores/localhost.key -newkey rsa:2048 -nodes -sha256 -subj /CN=localhost -extensions EXT -config d:/keystores/domains.ext

This will generate an RSA private key localhost.key and a signed certificate localhost.crt.

III. Translate the generated keys to a Tomcat-readable format, PKCS12 with the file extension .p12

  • Open a Cygwin terminal by double-clicking the Cygwin icon on your desktop, or open a cmd terminal
    by pressing the WINDOWS key + R, then enter ‘cmd’ and click ‘ok’, and enter the following command:

    openssl pkcs12 -export -in d:/keystores/localhost.crt -inkey d:/keystores/localhost.key -out d:/keystores/localhost.p12

    Enter an export password: myexportpassword
    Enter the export password again for verification

This will generate a localhost.p12 file that can be used for Tomcat.

IV. Set Tomcat to use the key localhost.p12

  • Open the Tomcat server configuration file “[tomcat_installation_path]/conf/server.xml”
  • Find the connector section for port 8443 and set it up as follows:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="D:/keystores/localhost.p12" keystorePass="myexportpassword"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:TLS_ECDHE_ECDSA_WITH_AES_128_CCM:TLS_ECDHE_ECDSA_WITH_AES_256_CCM:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_DSS_WITH_AES_128_CBC_SHA256:TLS_DHE_DSS_WITH_AES_256_CBC_SHA256:TLS_DHE_DSS_WITH_AES_128_GCM_SHA256:TLS_DHE_DSS_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_CBC_SHA256:TLS_DHE_RSA_WITH_AES_256_CBC_SHA256:TLS_DHE_RSA_WITH_AES_128_GCM_SHA256:TLS_DHE_RSA_WITH_AES_256_GCM_SHA384:TLS_DHE_RSA_WITH_AES_128_CCM:TLS_DHE_RSA_WITH_AES_256_CCM"
               honorCipherOrder="true" />

  • Save the file and restart Tomcat

V. Test it!

    openssl s_client -showcerts -host localhost -port 8443

or open in the browser:

    https://localhost:8443
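The procedure above, generalised from “localhost” to any local development hostname such as the local.mydomain.com the question asks about, as a small script. This is an added example, not code from the thread or from the Lucee or Tomcat projects. It assumes OpenSSL is on the PATH (Cygwin or Win32OpenSSL); the output directory, the password “changeit” and the hostname are placeholders. It also addresses the “Algorithm HmacPBESHA256 not available” error reported earlier in the thread: OpenSSL 3 and keytool from JDK 12 onwards write PKCS#12 files with PBES2 encryption and an HMAC-SHA256 MAC, which a JRE that predates the mid-2021 Java 8/11 updates cannot read. The script exports with the classic SHA1/3DES PBE by default so such a JRE can open the keystore; pass “modern” as the fourth argument to keep the OpenSSL defaults once Tomcat runs on a current JRE, which is the better long-term fix.

```shell
#!/bin/sh
# Added example (not from the thread or the Lucee/Tomcat projects): self-signed cert with a
# subjectAltName for a local dev hostname, exported to a PKCS#12 keystore for the Tomcat Connector.
# Assumes openssl is on PATH; directory, password and hostname are placeholders.
set -eu

# write_san_config HOSTNAME OUTFILE
# Writes the OpenSSL request config. Chrome ignores the CN and only trusts a hostname that
# appears in subjectAltName, so the EXT section is what makes the cert usable in the browser.
write_san_config() {
  san_host=$1
  san_out=$2
  cat > "$san_out" <<EOF
[dn]
CN=$san_host

[req]
distinguished_name = dn

[EXT]
subjectAltName=DNS:$san_host
keyUsage=digitalSignature
extendedKeyUsage=serverAuth
EOF
}

# p12_export_args [legacy|modern]
# Extra options for "openssl pkcs12 -export". "legacy" forces the SHA1 MAC and SHA1/3DES PBE
# that every Java version can read; "modern" keeps OpenSSL's PBES2/AES + HmacPBESHA256 defaults,
# which older JREs reject with "Algorithm HmacPBESHA256 not available".
p12_export_args() {
  if [ "${1:-legacy}" = legacy ]; then
    printf '%s' "-macalg sha1 -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES"
  else
    printf '%s' ""
  fi
}

# make_keystore HOSTNAME DIR PASSWORD [legacy|modern]
# Produces DIR/HOSTNAME.key, DIR/HOSTNAME.crt and DIR/HOSTNAME.p12 (the Connector's keystoreFile).
make_keystore() {
  ks_host=$1
  ks_dir=$2
  ks_pass=$3
  ks_mode=${4:-legacy}
  mkdir -p "$ks_dir"
  write_san_config "$ks_host" "$ks_dir/domains.ext"
  # -days is explicit because the OpenSSL default of 30 days expires almost immediately
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
    -subj "/CN=$ks_host" -extensions EXT -config "$ks_dir/domains.ext" \
    -keyout "$ks_dir/$ks_host.key" -out "$ks_dir/$ks_host.crt"
  # the option string from p12_export_args is intentionally left unquoted so it word-splits
  openssl pkcs12 -export -in "$ks_dir/$ks_host.crt" -inkey "$ks_dir/$ks_host.key" \
    -out "$ks_dir/$ks_host.p12" -name tomcat -passout "pass:$ks_pass" \
    $(p12_export_args "$ks_mode")
}

# show_p12_algorithms FILE PASSWORD
# Prints the MAC and PBE algorithms of an existing .p12 (for example one made with keytool),
# which tells you whether it is the SHA256 variant an older JRE cannot open.
show_p12_algorithms() {
  openssl pkcs12 -info -nokeys -nocerts -in "$1" -passin "pass:$2"
}

# check_listener HOSTNAME PORT
# After restarting Tomcat: confirm the served certificate carries the expected subjectAltName.
check_listener() {
  openssl s_client -connect "127.0.0.1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -ext subjectAltName
}

# usage: sh make-dev-cert.sh local.mydomain.com ./keystores changeit [legacy|modern]
if [ $# -ge 1 ]; then
  make_keystore "$1" "${2:-./keystores}" "${3:-changeit}" "${4:-legacy}"
fi
```

Point the Connector’s keystoreFile at the generated .p12 and keystorePass at the password you passed in. The .crt still has to be imported into the Windows trusted root store (as in the guide linked at the top of the thread) before Chrome will accept it; the keystore format only decides whether Tomcat’s JRE can load the key at all.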

Thanks for the details @andreas. I will try and tackle this at another time using your post. I spent 3 days trying to get it to work and while I did make some progress, I could not get tomcat to read the certificate I built using keytool and following the tomcat 9 SSL installation instructions: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html. I kept getting an error about unrecognizable tokens when processing my requests.