If your Java web application runs on a hosted Tomcat instance, adding SSL is the step that turns your public URL from http:// to https://. That means encrypted traffic, browser trust, and a safer login and checkout experience for visitors. On a managed hosting platform with Plesk and a Java/Tomcat service such as My App Server, SSL can usually be enabled without changing your application code, as long as the certificate is installed and Tomcat is configured to use it correctly.
This guide explains how to add SSL to a hosted Tomcat website, what to check before you start, and how to make sure your application loads securely after the certificate is in place. The exact menu names may vary slightly by platform, but the process is the same: get a certificate, install it for the domain, connect Tomcat to it, and force HTTPS for public traffic.
What SSL does for a hosted Tomcat application
SSL is the older term people still use for what is now technically called TLS. In practice, the result is the same: your Tomcat site uses HTTPS so data is encrypted between the browser and your server. For Java hosting, this matters especially when your app handles sign-in forms, personal data, API calls, session cookies, or any public-facing pages that should not be sent in plain text.
In a hosted Tomcat setup, SSL is usually attached to the domain name, not to the application itself. Your Tomcat instance then serves the site through that secured domain. If your hosting platform uses a control panel, you may also see options for certificate installation, domain assignment, and service management in the same place where you manage your Java app.
Before you start
Check these basics first to avoid certificate errors or broken redirects later:
- Your domain points to the hosting account and resolves correctly in DNS.
- Tomcat is already deployed and responding on the expected host name.
- You know which domain should be secured, including any www or non-www variant.
- You have access to the control panel and the hosting service that runs your Tomcat application.
- The application works over HTTP first, so you can confirm that any HTTPS issue is certificate-related and not an app issue.
If you are using a platform like My App Server, it is also useful to know whether your Tomcat version and Java version were installed through a ready-made button or configured manually. The SSL steps are similar, but manual installs may need an extra check in the Tomcat connector settings.
Ways to add SSL to a hosted Tomcat site
There are three common approaches, depending on the platform and how your Tomcat service is configured:
1. Use a certificate installed in the control panel
This is the easiest option on managed hosting. You install or request an SSL certificate for the domain in the hosting control panel, then assign it to the website. If your Java application is published through the same domain, Tomcat can use that certificate through the hosting stack or reverse proxy layer.
2. Use a Let’s Encrypt certificate
Many hosting platforms offer free Let’s Encrypt SSL. This is a good fit for hosted Tomcat websites because it is quick to issue, renews automatically on many platforms, and works well for standard public websites and applications.
3. Configure Tomcat directly with its own keystore
If your Tomcat instance terminates SSL itself, you may need to install a certificate into a Java keystore and configure the SSL connector in Tomcat. This is more manual, but sometimes needed for custom app server setups or non-standard deployments.
For most managed hosting customers, the first or second method is preferred. Direct Tomcat SSL setup is usually only needed when the application stack is customized or when the platform explicitly expects Tomcat to handle TLS.
Step 1: Issue or obtain an SSL certificate
Start by securing the exact hostname that users will visit. In most cases that means:
- example.com
- www.example.com
- any other public subdomain such as app.example.com
If your application is reached through a dedicated subdomain, secure that subdomain specifically. If both www and non-www versions are used, include both names in the certificate or set one as the canonical version and redirect the other to it.
On a hosting platform with a control panel, you can usually request the certificate from the domain’s SSL section. If the platform supports Let’s Encrypt, select the domain and request issuance. If you use a commercial certificate, you will need the certificate file, the private key, and sometimes an intermediate or CA bundle.
Step 2: Install the certificate for the domain
Once the certificate is available, install it on the domain that serves your Tomcat application. In a typical control panel workflow, this means selecting the domain and adding the certificate material to the site’s SSL/TLS settings.
Make sure the certificate matches the hostname exactly. A common reason for browser warnings is installing a certificate for one name while visitors access another. For example, if the app is accessed through app.example.com, a certificate for only example.com will not be enough unless the app is also accessible on that domain.
If your hosting stack uses Apache or a reverse proxy in front of Tomcat, SSL may terminate at the web server layer. In that case, the certificate is installed on the website endpoint, and Tomcat receives requests internally over the configured backend connection.
Step 3: Connect Tomcat to HTTPS traffic
How this works depends on your hosting setup:
If SSL is terminated by Apache or the hosting layer
Tomcat may not need its own SSL connector. The public HTTPS connection ends at the front-end web server, and requests are forwarded to your Java app. In this model, the most important task is to make sure the domain is secured in the control panel and that the website routes to the correct Tomcat service.
This is often the simplest approach on managed hosting because the platform handles the certificate and the backend connection for you.
If Tomcat terminates SSL directly
You will need to configure Tomcat’s HTTPS connector and point it to a valid certificate or keystore. The usual steps are:
- Convert or prepare the certificate in the format required by Tomcat, typically a keystore.
- Place the keystore in the location expected by the Tomcat service.
- Edit the Tomcat connector configuration to enable HTTPS on the correct port.
- Restart the Tomcat service through the hosting control panel or service control interface.
On a managed Java hosting platform, you may see service controls for start, stop, restart, and status. If the certificate was installed correctly, restarting the service is often enough for the new HTTPS settings to take effect.
Step 4: Update your application URLs
After HTTPS is available, update the places where your app still references HTTP. This is important for avoiding mixed content warnings and redirect loops.
- Change hardcoded links from http:// to https://.
- Update canonical URLs if your app generates them.
- Review login, callback, and payment endpoints.
- Check any external service webhooks or OAuth redirect URLs.
If you use a framework or servlet configuration that builds absolute URLs from the request, it may already respect HTTPS once the request reaches the app securely. Still, it is best to verify this after the certificate is installed.
Step 5: Force HTTPS for all visitors
Installing a certificate does not automatically redirect users from HTTP to HTTPS. To make sure all traffic uses the secure version, add a redirect rule at the web server or application level.
On hosted Tomcat platforms, the preferred location for the redirect is often the front-end web server or control panel rules rather than inside the application itself. That keeps the redirect simple and avoids duplicate logic across deployments.
Use a permanent redirect so browsers and search engines understand that HTTPS is the standard version of the site. Also make sure only one canonical host is used. For example, redirect:
- http://example.com to https://example.com
- http://www.example.com to https://example.com or your chosen canonical host
If your platform allows it, enable HSTS only after you are sure HTTPS works correctly on all required pages. HSTS is useful, but it should be applied carefully because it tells browsers to always use HTTPS for a period of time.
Step 6: Test the installation
After installation and redirect setup, test the site in a browser and with a few direct checks:
- Open the HTTPS version of the site and confirm the browser shows a valid secure connection.
- Visit the HTTP version and confirm it redirects to HTTPS.
- Check that the certificate name matches the domain in the address bar.
- Review browser developer tools for mixed content warnings.
- Test login, forms, downloads, and any session-based pages.
If the site uses a Java app with a private JVM, also restart the service if the control panel documentation says SSL changes require it. In many cases, a service restart is the cleanest way to reload certificate settings and backend configuration.
Common problems and how to fix them
The browser shows a certificate name mismatch
This usually means the certificate was issued for a different hostname than the one users are visiting. Re-check whether the site uses the root domain, www, or a subdomain such as app. Install a certificate that covers the exact public address.
HTTPS loads, but some content is still insecure
This is mixed content. Something on the page is still being loaded over HTTP, such as an image, script, font, or stylesheet. Update those resource URLs to HTTPS or use relative URLs where appropriate.
The site redirects in a loop
This often happens when both Tomcat and the front-end web server are trying to force HTTPS, or when the application does not recognize that the original request was already secure. Check redirect rules and proxy headers carefully.
The application works on HTTP but not on HTTPS
In direct Tomcat SSL setups, the connector may be misconfigured or the keystore path may be wrong. In reverse-proxy setups, the issue may be that the frontend SSL is correct but Tomcat is not receiving the expected forwarded protocol information.
The certificate renewed, but the site still shows the old one
This can happen if the hosting service was not reloaded after renewal, or if a cached certificate is still being served by an old process. Restart the relevant service and verify that the correct domain is assigned to the current certificate.
Best practices for Tomcat SSL on hosted platforms
- Use one canonical HTTPS hostname and redirect all alternatives to it.
- Keep the certificate valid and watch renewal dates closely.
- Test after every domain, DNS, or service change.
- Use the hosting control panel to manage SSL when possible, instead of editing files manually.
- Restart the Tomcat service after changes if the platform recommends it.
- Check that the Java app generates secure session cookies and HTTPS URLs.
- Keep the Tomcat and Java versions compatible with your hosting service.
On a managed Java hosting service like My App Server, the practical advantage is that you can keep control of the application while using the panel to manage the service, Java version, and domain-level settings. That makes SSL deployment much simpler for small and medium Java applications than maintaining a fully custom server stack.
When to use direct Tomcat SSL and when not to
Direct Tomcat SSL is useful when your deployment needs the application server itself to present the certificate. This may be relevant for custom testing environments, special port setups, or manual Java hosting configurations.
However, for most hosted websites, it is cleaner to terminate SSL at the hosting layer or Apache front end and let Tomcat serve the app behind it. This reduces configuration overhead and keeps certificate management in the control panel where it is easier to maintain.
If you are not sure which model your hosting account uses, check the service information and control options for your Java application. In a platform like My App Server, the service status and control area can help you confirm whether the app is running behind Apache or whether Tomcat is expected to handle TLS directly.
FAQ
Do I need to change my Java application code to use SSL?
Usually no. In most hosted Tomcat setups, SSL is configured at the domain, web server, or Tomcat connector level. You may only need to update hardcoded URLs or application settings that still point to HTTP.
Can I use Let’s Encrypt with hosted Tomcat?
Yes, if your hosting platform supports it. It is one of the most common ways to add SSL to a hosted Tomcat website because it is fast and suitable for public-facing applications.
Should I install SSL in Apache or in Tomcat?
It depends on your platform. For many managed hosting accounts, Apache or the control panel handles SSL, and Tomcat serves the application behind it. If your service is configured for direct Tomcat SSL, then Tomcat needs its own certificate configuration.
Why does my site still open on HTTP after installing SSL?
Because SSL installation alone does not force redirects. You need an HTTP to HTTPS redirect rule or a canonical domain setup so visitors are sent to the secure version automatically.
Can I secure multiple domains or subdomains on one hosted Tomcat account?
Yes, if your hosting plan and certificate support it. You may need a multi-domain or wildcard certificate, depending on the names you want to secure.
What if my Tomcat app uses a private JVM?
That is fine. SSL still works the same at the domain or connector level. The main point is to make sure the correct service is restarted and the right certificate is assigned to the public hostname.
Conclusion
Adding SSL to a hosted Tomcat website is mostly about connecting three parts correctly: the domain, the certificate, and the service that delivers the Java application. On a managed hosting platform with Plesk and a Java service like My App Server, this is usually a straightforward process when you follow the right order: issue the certificate, install it for the domain, confirm how Tomcat receives HTTPS traffic, and redirect all visitors to the secure URL.
Once the setup is complete, test carefully for certificate validity, redirects, and mixed content. That gives your Tomcat site a secure public endpoint and helps keep logins, forms, and application data protected in transit.