I have an SSL certificate from GoDaddy that I would like to use with my Tomcat installation. Currently it is being used by Apache HTTP Server without problems.

The private key is stored in /etc/ssl/private and access is restricted. Apache HTTP Server, however, had no problem serving the correct certificate over SSL.

When I try to point Tomcat to the same private key, it fails to initialise the secure protocol because it cannot read the private key. This is the excerpt from my server.xml; I am using APR:

<!-- APR/native connector: certificate and key are read by Tomcat itself, as the
     user it runs as; the key path below is the one named in the error message -->
<Connector SSLCertificateFile="/etc/ssl/certs/mysite.crt"
           SSLCertificateKeyFile="/etc/ssl/private/mysite.key"
           SSLEnabled="true" maxThreads="150" port="8443"
           protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLSv1" />

This generates an error. The Apache HTTP configuration looks like this and works:

SSLCertificateFile    /etc/ssl/certs/mysite.crt
SSLCertificateKeyFile /etc/ssl/private/mysite.key

The permissions for the /etc/ssl/private directory were not changed, as far as I know:

drwx--x--- 2 root ssl-cert 4096 2011-05-01 11:50 private

Inside:

-rw-r--r-- 1 root root 1,7K 2011-04-30 11:00 mysite.key

Now my question is: how can I make Tomcat use the same file? My temporary solution is to copy the key file to a publicly accessible place, but I believe this is dangerous, right?


  • "This generates an error." What is the error?
    Commented Oct 12, 2011 at 17:25
  • The exact error is:

    Error initializing endpoint java.lang.Exception: Unable to load certificate key /etc/ssl/private/mysite.key (error:0200100D:system library:fopen:Permission denied)

    – Luksurious
    Commented Oct 12, 2011 at 17:34

1 Answer


The ssl-cert group has traverse permissions on private, and everyone has read permissions on the key itself - so, the user that Tomcat is running as is likely not a member of the ssl-cert group.

Add the user to the group to give it read-only access to the cert:

usermod -a -G ssl-cert tomcatusername

And, although you've got the directory permissions locked down, which should cover you, you may want to change the permissions on the certificate itself to match (some services check for world-readable on private keys):

chown root:ssl-cert /etc/ssl/private/mysite.key
chmod 640 /etc/ssl/private/mysite.key
  • Thanks. That fixed it. I was confused, however, since the apache user www-data is not part of this group but was still able to access the file. Also thanks for the hint on the key permissions!
    – Luksurious
    Commented Oct 12, 2011 at 19:05
  • need chmod 750 /etc/ssl/private/mysite.key
    – tronic
    Commented Aug 3, 2023 at 8:36
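
A few notes on why the fix works, added here and not part of the answer above. The 710 directory means a non-root user needs to be in ssl-cert to get past /etc/ssl/private at all; Tomcat with the APR connector opens the key as its own unprivileged user, which is what the fopen "Permission denied" in the error shows. Apache managed without www-data being in the group because mod_ssl loads certificates and keys during startup, while httpd is still root, before the worker processes drop privileges. Group membership is assigned when a process starts, so Tomcat has to be restarted after the usermod. The key file needs no execute bit, so 640 (or 440) is sufficient; 750 only adds a bit nothing uses. Note also that membership of ssl-cert grants Tomcat every group-readable key under /etc/ssl/private, so on a host with several services a per-key group or an ACL (setfacl -m u:tomcat:r /etc/ssl/private/mysite.key) is the tighter option.

The script below is an added example, not code from the thread: it applies the owner/group/other rule component by component, from / down to the key, and reports the first directory that denies traverse or, failing that, whether the key itself is readable, suggesting the usermod from the answer when the group bits would have allowed access. It assumes GNU stat (Linux coreutils) and that the service account is called tomcat; the uid and group list are passed in explicitly (from id -u / id -G) so the check can be run as any user without switching to the Tomcat account.

```shell
#!/bin/sh
# check_key_access.sh: does a given uid (with its group list) get traverse (x)
# on every directory above KEYFILE and read (r) on the key itself?
# Applies the owner/group/other rule the kernel uses, component by component,
# so it reports exactly where Tomcat's fopen would fail.
# Added example for this thread, not from the original answer. Assumes GNU
# stat (Linux coreutils) and that "tomcat" is the service account name:
#   ./check_key_access.sh "$(id -u tomcat)" "$(id -G tomcat)" /etc/ssl/private/mysite.key

# in_list WORD LIST: is WORD one of the space-separated words in LIST?
in_list() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# perm_granted MODE BIT UID GIDS OWNER_UID OWNER_GID
# MODE is the octal mode as printed by `stat -c %a` (640, 1777, ...);
# BIT is 4 for read or 1 for execute/traverse. Exactly one permission class
# applies: owner if the uids match, else group if the object's gid is in the
# user's list, else other. A group member gets only the group bits even if
# "other" would grant more, which is why a 710 directory needs the membership.
perm_granted() {
  mode=$1 bit=$2 p_uid=$3 p_gids=$4 o_uid=$5 o_gid=$6
  [ "$p_uid" -eq 0 ] && return 0   # root bypasses read/search checks (CAP_DAC_READ_SEARCH)
  if [ "$p_uid" -eq "$o_uid" ]; then
    digit=$(( mode / 100 % 10 ))   # owner triplet; a setuid/setgid/sticky prefix drops out
  elif in_list "$o_gid" "$p_gids"; then
    digit=$(( mode / 10 % 10 ))
  else
    digit=$(( mode % 10 ))
  fi
  [ $(( digit & bit )) -ne 0 ]
}

# can_read_key UID GIDS KEYFILE
# Prints the first component that denies access and returns 1, or a success
# line and returns 0 (2 if stat fails). When the group bits would have
# allowed what the user was denied, prints the usermod fix from the answer.
can_read_key() {
  c_uid=$1 c_gids=$2 key=$3
  case $key in /*) ;; *) key=$PWD/$key ;; esac   # make relative paths absolute
  rest=${key#/}
  path=""
  while [ "$rest" != "${rest#*/}" ]; do          # while a slash remains, peel one directory
    comp=${rest%%/*}
    rest=${rest#*/}
    [ -n "$comp" ] || continue                   # skip empty components from "//"
    path=$path/$comp
    info=$(stat -c '%a %u %g %G' "$path") || return 2
    set -- $info                                 # $1 mode, $2 owner uid, $3 gid, $4 group name
    if ! perm_granted "$1" 1 "$c_uid" "$c_gids" "$2" "$3"; then
      echo "no traverse (x) on $path for uid $c_uid"
      [ $(( $1 / 10 % 10 & 1 )) -ne 0 ] && echo "hint: group $4 may traverse it: usermod -a -G $4 <user>"
      return 1
    fi
  done
  info=$(stat -c '%a %u %g %G' "$key") || return 2
  set -- $info
  if ! perm_granted "$1" 4 "$c_uid" "$c_gids" "$2" "$3"; then
    echo "no read (r) on $key for uid $c_uid"
    [ $(( $1 / 10 % 10 & 4 )) -ne 0 ] && echo "hint: group $4 may read it: usermod -a -G $4 <user>"
    return 1
  fi
  echo "uid $c_uid can read $key"
}

# When invoked as a script with three arguments, run the check.
if [ "$#" -eq 3 ]; then can_read_key "$1" "$2" "$3"; fi
```

Run against the layout in the question (710 directory owned by root:ssl-cert, key 644 root:root) with the Tomcat user's uid and groups, the script stops at /etc/ssl/private with the traverse denial and points at ssl-cert; after the usermod and a Tomcat restart it reports the key as readable, and after the chmod 640 it still does, while any uid outside the group is refused.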
