Adding a foreign server's self-signed certific

Published 2019-04-25 20:19

Question:

My Tomcat needs to connect to another web server (at https://foreign.example.com) using SSL (TLS).

foreign.example.com has a self-signed certificate, which I trust. Of course, my Tomcat does not by default - so I have to tell it. One way to do this is:

$JRE/bin/keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore $JRE/lib/security/cacerts

This works: My Tomcat allows the SSL connection.

However, I don't like to do it this way: It imports the certificate into the trusted keys of my Java installation. I don't want to say: "Every application that runs Java on my machine should trust that certificate". Only Tomcat (or the user that runs Tomcat) should trust it.

So I tried importing it into the tomcat-user's keystore at ~/.keystore, and setting up Tomcat's <Connector> with these attributes:

keystoreFile="${user.home}/.keystore"
keystorePass="thePassphraseICreatedTheKeystoreWith"

However, that doesn't work at all (I believe, this is only for the server certificate of my Tomcat, not for server certificates of foreign servers, right?)

I tried the same with the truststoreFile/truststorePass attributes, but they didn't work either. (The attributes are documented at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html)

Is there a way to set up Tomcat with the foreign server's server cert, or maybe to add some command line parameters to java which makes my keystore (and keystore passphrase) available to the JVM instance?

Answer 1:

JBoss (which is based on Tomcat) can be run with the following cmd arguments. The cacerts file (or however you would like to name it) must contain the cert of the endpoint.

-Djavax.net.ssl.trustStore=C:\Applications\jboss-as\server\default\conf\cacerts -Djavax.net.ssl.trustStorePassword=changeit

Therefore this should also work for Tomcat.



Answer 2:

An alternative approach is to add it to the SSL connector in your Tomcat server.xml file. Specifically, you need to set the truststoreFile property to enable trust of certificates from other servers.

        <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" keystorePass="changeit"
               truststoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" truststorePass="changeit"/>
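The two answers above cover the JVM-wide switch (-Djavax.net.ssl.trustStore) and the Connector's truststoreFile, but neither scopes trust to a single outbound connection, which is what the question actually asks for. The following is an added example, not code from either answerer or from Tomcat: the application code that talks to foreign.example.com loads its own truststore and builds an SSLContext from it, so nothing else in the JVM (and no other JVM on the machine) trusts the self-signed certificate. The truststore path /opt/tomcat/conf/foreign-truststore.jks, the password changeit and the alias my are assumptions for the example; create the file with the question's own keytool command pointed at that path instead of cacerts (keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore /opt/tomcat/conf/foreign-truststore.jks).

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Outbound TLS client that trusts ONLY the certificates in a dedicated
 * truststore. Neither $JRE/lib/security/cacerts nor the JVM-wide
 * javax.net.ssl.trustStore property is touched, so the foreign server's
 * self-signed certificate is trusted by this code path and nothing else.
 */
public final class ForeignServerClient {

    // Assumed values for this example; they are not from the original question.
    private static final String TRUSTSTORE_PATH = "/opt/tomcat/conf/foreign-truststore.jks";
    private static final char[] TRUSTSTORE_PASS = "changeit".toCharArray();
    private static final String EXPECTED_ALIAS = "my";

    /** Loads the truststore and fails fast if the expected certificate entry is missing. */
    static KeyStore loadTrustStore(String path, char[] password, String expectedAlias)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // A truststore that silently lacks the cert would fail later with a
        // confusing PKIX error; check here instead.
        if (!ts.isCertificateEntry(expectedAlias)) {
            throw new IllegalStateException("truststore lacks certificate alias " + expectedAlias);
        }
        return ts;
    }

    /** Builds an SSLContext whose trust decisions come only from the given truststore. */
    static SSLContext contextTrustingOnly(KeyStore trustStore) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material, default SecureRandom; trust managers from our store only.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ts = loadTrustStore(TRUSTSTORE_PATH, TRUSTSTORE_PASS, EXPECTED_ALIAS);
        SSLContext ctx = contextTrustingOnly(ts);

        HttpsURLConnection conn = (HttpsURLConnection)
                URI.create("https://foreign.example.com/").toURL().openConnection();
        // Scope the trust decision to this connection rather than the whole JVM.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is deliberately left on: the self-signed cert
        // must still carry foreign.example.com in its SAN/CN, otherwise the
        // handshake is rejected even though the cert itself is trusted.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Two things to keep in mind when using this pattern: do not pair it with a permissive HostnameVerifier to "make it work", since that turns a pinned self-signed certificate into trust of anyone who holds any trusted key; and keep the dedicated truststore readable only by the user that runs Tomcat, which is exactly the scoping the question asked for.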