Using SSL and Tomcat with xsbt-web-plugin

November 12, 2016

In "Getting started with xsbt-web-plugin", we walked through building a basic Scala Web application using sbt and xsbt-web-plugin.

Let's see how we can enable SSL to serve our project over HTTPS directly from sbt.

Creating a certificate

We'll create a basic self-signed certificate, KeyStore, and TrustStore by following the steps in this tutorial. By convention, passwords throughout will be the not-so-secure phrase changeit.

$ keytool -genkey -alias server-alias -keyalg RSA -keypass changeit \
          -storepass changeit -keystore keystore.jks
What is your first and last name?
What is the name of your organizational unit?
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
$ keytool -export -alias server-alias -storepass changeit \
          -file server.cer -keystore keystore.jks
Certificate stored in file <server.cer>
$ keytool -import -v -trustcacerts -alias server-alias \
          -file server.cer -keystore cacerts.jks -keypass changeit \
          -storepass changeit
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Storing cacerts.jks]

Configuring xsbt-web-plugin

We'll be using Tomcat, so let's enable it:


The Tomcat plugin uses webapp-runner, which allows us to enable SSL via --enable-ssl:

containerArgs := Seq("--enable-ssl")

We'll use a recent version of webapp-runner to make sure it has this feature:

containerLibs in Tomcat := Seq(
  "com.github.jsimone" % "webapp-runner" % "" intransitive()
)

To enable SSL, we need to point the JVM toward our KeyStore and TrustStore, and provide the corresponding passwords:

javaOptions in Tomcat ++= Seq(

By default, xsbt-web-plugin binds our project to port 8080, but let's use something more HTTPS-ish instead:

containerPort := 8443
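
The settings from this section gathered into one build.sbt, as an added example rather than the post's own file. It assumes the JVM options are the standard javax.net.ssl system properties and that both store files sit in the project's base directory; the webapp-runner version is a placeholder and STORE_PASSWORD is a hypothetical environment variable.

```scala
// build.sbt -- added example, not the original build file from this post.
// Assumes project/plugins.sbt already adds xsbt-web-plugin.

enablePlugins(TomcatPlugin)

// Placeholder: the version is not given on the page. Use a webapp-runner
// release that supports --enable-ssl.
val webappRunnerVersion = "<webapp-runner-version>"

containerLibs in Tomcat := Seq(
  "com.github.jsimone" % "webapp-runner" % webappRunnerVersion intransitive()
)

// Ask webapp-runner to serve over HTTPS.
containerArgs := Seq("--enable-ssl")

// Hypothetical environment variable; falls back to the tutorial password.
// "changeit" is only suitable for a throwaway local certificate.
val storePassword = sys.env.getOrElse("STORE_PASSWORD", "changeit")

javaOptions in Tomcat ++= {
  // Absolute paths, so the stores are found regardless of the
  // container JVM's working directory.
  val base = baseDirectory.value
  Seq(
    s"-Djavax.net.ssl.keyStore=${base / "keystore.jks"}",
    s"-Djavax.net.ssl.keyStorePassword=$storePassword",
    s"-Djavax.net.ssl.trustStore=${base / "cacerts.jks"}",
    s"-Djavax.net.ssl.trustStorePassword=$storePassword"
  )
  // Note: -D options are part of the JVM command line, so the passwords
  // are visible in process listings on the machine running sbt.
}

containerPort := 8443
```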

Now we can run our project from sbt with tomcat:start, and view it at https://localhost:8443/. Since we used a self-signed certificate, we may need to reassure our Web browser that it's safe to proceed.