Encrypt Tomcat Certificate Password in server.xml

  • 13 February 2023
  • 1 reply


Is there a way to encrypt the certificate password for the certificate used by the Tomcat server in server.xml so that it's not in clear text?

Tomcat does not have a built-in mechanism for encrypting the certificateKeystorePassword or similar fields. Apache chose not to implement one because of a fundamental problem that would make the encryption ineffective.

Tomcat runs as a service, and needs to start without waiting for a human to type a password or otherwise authenticate on its behalf. That means Tomcat's account requires access to that password in plaintext to initialize the connector. If you encrypt it, you then need to store the decryption key for the encrypted password in plaintext somewhere where Tomcat's account can access it, and you have the same problem you started with.

Consequently, we depend on file system security to protect that password. Similarly, we depend on file system security to prevent an attacker from just altering our applications, or Tomcat itself.
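The reply above comes down to one control: the file system permissions on server.xml and on the keystore it points at. The script below is an added example, not code from the thread or from the Tomcat project. It parses the keystore path out of a server.xml (both the Tomcat 8.5+ `<Certificate certificateKeystoreFile=...>` form and the older `<Connector keystoreFile=...>` form), checks that both files are owned by the service account and are not readable by group or others, and then applies the `chmod 600` (and, with root, `chown`) that closes the gap. The service account name, the directory layout and the server.xml contents are constructed for the demo; it assumes a POSIX sh with `ls`, `awk`, `sed` and `mktemp`.

```shell
#!/bin/sh
# Added example, not from the thread above: audit the file system protection
# that the reply relies on for the Tomcat keystore password, then harden it.
# Assumptions (not from the page): POSIX sh with ls, awk, sed, mktemp; the
# service account name and every path in the demo are made up.

# Print the keystore path named in a server.xml. Handles the Tomcat 8.5+
# <Certificate certificateKeystoreFile=...> form and the older
# <Connector keystoreFile=...> form; the first match wins.
keystore_path_from_server_xml() {
    sed -n -e 's/.*certificateKeystoreFile="\([^"]*\)".*/\1/p' \
           -e 's/.*keystoreFile="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Owner (user name) of a file, taken from ls so it works without GNU stat.
file_owner() { ls -ld "$1" | awk '{print $3}'; }

# True when the group and other permission bits are all cleared (0600/0400).
file_is_private() {
    [ "$(ls -ld "$1" | awk '{print substr($1, 5, 6)}')" = "------" ]
}

# Audit server.xml and the keystore it names. A relative keystore path is
# resolved against the base dir (third arg, defaulting to conf/.., which
# mirrors how Tomcat resolves it against CATALINA_BASE); a leading
# ${catalina.base} placeholder is expanded the same way.
# Prints one line per finding and returns the number of findings.
audit_tomcat_secrets() {
    conf=$1; owner=$2; base=${3:-$(dirname "$conf")/..}; findings=0
    ks=$(keystore_path_from_server_xml "$conf" 2>/dev/null)
    prefix='${catalina.base}'
    case "$ks" in
        "$prefix"*) ks="$base${ks#"$prefix"}" ;;   # ${catalina.base}/conf/x.jks
        /*) ;;                                     # absolute path, keep as-is
        '') ;;                                     # no keystore referenced
        *) ks="$base/$ks" ;;                       # relative to CATALINA_BASE
    esac
    for f in "$conf" "$ks"; do
        [ -n "$f" ] || continue
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; findings=$((findings + 1)); continue
        fi
        if [ "$(file_owner "$f")" != "$owner" ]; then
            echo "OWNER   $f owned by $(file_owner "$f"), expected $owner"
            findings=$((findings + 1))
        fi
        if ! file_is_private "$f"; then
            echo "MODE    $f readable by group/others: $(ls -ld "$f" | awk '{print $1}')"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# The fix the reply points at: make both files private to the service
# account. chown needs root, so it only runs when an owner is passed.
harden_tomcat_secrets() {
    chmod 600 "$1" "$2"
    [ -z "${3:-}" ] || chown "$3" "$1" "$2"
}

# Constructed demo tree: a dummy password, a placeholder keystore and a
# deliberately permissive mode so the audit has something to find.
make_demo_base() {
    d=$(mktemp -d)
    mkdir -p "$d/conf"
    cat > "$d/conf/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="demo-only-not-a-real-password"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
EOF
    printf 'placeholder, not a real JKS file\n' > "$d/conf/localhost-rsa.jks"
    chmod 644 "$d/conf/server.xml" "$d/conf/localhost-rsa.jks"
    echo "$d"
}

demo() {
    me=$(id -un)   # stands in for the tomcat service account
    d=$(make_demo_base)
    echo "== before hardening =="
    audit_tomcat_secrets "$d/conf/server.xml" "$me" || echo "findings: $?"
    harden_tomcat_secrets "$d/conf/server.xml" "$d/conf/localhost-rsa.jks"
    echo "== after hardening =="
    audit_tomcat_secrets "$d/conf/server.xml" "$me" && echo "findings: 0"
    rm -rf "$d"
}

demo
```

Against a real install, run it as root with the actual paths and account, for example `audit_tomcat_secrets /opt/tomcat/conf/server.xml tomcat /opt/tomcat` (a made-up layout), and treat any `OWNER` or `MODE` line as the equivalent of the password being world-readable. The audit only covers the two files that hold the secret; as the reply notes, the same permissions discipline has to extend to the webapps and to the Tomcat binaries themselves, since an attacker who can write those does not need the password.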