SSL Certificate for Web Application
I'm looking to use an SSL certificate for my web application. Can anyone give pointers as to how I include this in the web application? Via the web.xml file? I have found lots of examples for IIS but I will be using Tomcat and Apache.
I guess the process includes purchasing a certificate and then associating the web app with the certificate? Is that correct?
I guess the process includes purchasing a certificate and
You do not have to buy anything. You can use Java's keytool, OpenSSL or Bouncy Castle to create a self-signed certificate. But for this to work you must configure your web clients to use a custom truststore or import the certificate into Java's default truststore.
associating the web app with the certificate
No. It is the server that is authenticated and sends the certificate and not the web application.
will be using tomcat and apache.
You have to go to server.xml and uncomment the connector for SSL.
There you must define the keystore and the password. If you want mutual authentication, the truststore as well. E.g.
<Connector protocol="org.apache.coyote.http11.Http11Protocol" clientAuth="false"
           port="8443" keystoreFile="/conf/serverKeys.p12"
           keystoreType="PKCS12" keystorePass="123456"
/>
<!-- etc.: the remaining Connector attributes go inside the tag above -->
You can check Tomcat's guide: Tomcat SSL how-to
You can create a self-signed certificate. Short version: the configuration goes in conf/server.xml, and looks something like this:
<!-- HTTPS connector on port 8443; clientAuth="true" makes Tomcat require a
     client certificate that validates against the truststore -->
<Connector
    clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
    enableLookups="true" disableUploadTimeout="true"
    acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="${catalina.home}/conf/server.jks"
    keystoreType="JKS" keystorePass="password"
    truststoreFile="${catalina.home}/conf/server.jks"
    truststoreType="JKS" truststorePass="password"
    SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>
For details, see source Q&A.
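An added example, not taken from either answer or from Tomcat itself: a small Python audit that parses a server.xml and flags the TLS connector settings discussed above before the file is deployed. The sample XML is constructed from the two posted connectors; the function names, finding codes and weak-password list are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: both connectors from the answers above inside a minimal
# server.xml skeleton (the first answer's "etc" is dropped so the XML parses).
SAMPLE = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11Protocol" clientAuth="false"
  port="8443" keystoreFile="/conf/serverKeys.p12"
  keystoreType="PKCS12" keystorePass="123456"/>
<Connector clientAuth="true" port="8443" scheme="https" secure="true"
  SSLEnabled="true" keystoreFile="${catalina.home}/conf/server.jks"
  keystoreType="JKS" keystorePass="password"
  truststoreFile="${catalina.home}/conf/server.jks"
  truststoreType="JKS" truststorePass="password"
  SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"/>
</Service></Server>"""

WEAK_PASSWORDS = {"", "123456", "password", "changeit"}  # "changeit" is Tomcat's default
APR_ATTRS = {"SSLVerifyClient", "SSLVerifyDepth",        # OpenSSL-style (APR/native)
             "SSLCertificateFile", "SSLCertificateKeyFile"}

def audit_connector(a):
    """Return finding codes for one <Connector> that uses a JSSE keystore."""
    findings = []
    if a.get("SSLEnabled", "false").lower() != "true":
        findings.append("tls-not-enabled")          # connector would speak plain HTTP
    if a.get("scheme") != "https" or a.get("secure", "false").lower() != "true":
        findings.append("scheme-secure-unset")      # webapp cannot tell the request is HTTPS
    passwords = [a.get("keystorePass", "changeit"), a.get("truststorePass")]
    if any(p in WEAK_PASSWORDS for p in passwords):
        findings.append("weak-store-pass")          # guessable secret stored in clear text
    wants_cert = a.get("clientAuth", "false").lower() in ("true", "want")
    if wants_cert and "truststoreFile" not in a:
        findings.append("clientauth-no-truststore") # falls back to the JVM-wide setting
    if a.get("truststoreFile") and a.get("truststoreFile") == a.get("keystoreFile"):
        findings.append("truststore-is-keystore")   # private key and trust anchors share a file
    if APR_ATTRS.intersection(a):
        findings.append("mixed-apr-jsse")           # only one style applies per connector type
    return findings

def audit_server_xml(xml_text):
    """Audit every <Connector> carrying keystoreFile; returns (port, findings) pairs."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"), audit_connector(c.attrib))
            for c in root.iter("Connector") if "keystoreFile" in c.attrib]

if __name__ == "__main__":
    for port, findings in audit_server_xml(SAMPLE):
        print(port, findings or "ok")
```

A connector with no findings still stores its keystore password in clear text in server.xml, so the file's permissions deserve the same review.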