Generate SSL Certificate for Tomcat 6.X, 7.X, 8.X

There are two ways of configuring tomcat for SSL, depending on the connector you are using. In this case we'll configure tomcat with the default connector, which needs a keystore for the certs.

You’ll need to have Java installed.

The steps to generate a CSR for tomcat are as follows:


keytool -keysize 4096 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore

I like to have big keys, but it’s ok to generate a key size of 2048.

This will prompt for a password; set the password and fill in the requested information according to your needs.
NOTE: In the first field put the hostname you want the certificate for; if you are going to ask for a wildcard certificate, put the hostname with a * at the beginning.


keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore

This will ask for the password you set in the previous step.
It generates a CSR file; send the contents of that file to your CA. Once they have reviewed the information and issued your certs, you need to add those certs to your keystore.


keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [root cert]

Most likely your distro already has this cert under /etc/ssl/certs; otherwise, you'll need to obtain it and add it to your keystore.


keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [intermediate cert]

This is one of the certs that your CA will give you, along with the cert for your site.


keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [cert file]

After this you are ready to install your SSL Cert to your tomcat server.
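The same keytool steps as a non-interactive script, plus a check of what actually ended up in the keystore (the tomcat alias must be a PrivateKeyEntry, and after the last import its chain length should be 3). This is an added example, not code from the original post; it assumes keytool from a JDK is on PATH and uses a demo store password.

```shell
#!/bin/sh
# Added example, not from the original post: the keytool steps run
# non-interactively, plus a check of what ended up in the keystore.
# Assumptions: keytool (from a JDK) is on PATH; STOREPASS is a demo value.
set -eu

KEYSTORE="${KEYSTORE:-tomcat.keystore}"
STOREPASS="${STOREPASS:-changeit}"   # demo password, replace in real use
KEYSIZE="${KEYSIZE:-4096}"           # 2048 is also acceptable per the post

# Steps 1-2: key pair and CSR. $1 is the CN (the "first field" of the
# interactive prompt); also put it in the SAN, since browsers ignore the CN.
gen_key_and_csr() {
  cn="$1"
  keytool -genkeypair -keysize "$KEYSIZE" -keyalg RSA -alias tomcat \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=$cn, O=Example Org, C=US" -ext "SAN=dns:$cn"
  keytool -certreq -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -ext "SAN=dns:$cn" -file csr.csr
}

# Steps 3-5: import root, intermediate, then the site cert under the
# alias that holds the private key. The root import prompts so you can
# compare the shown fingerprint with the one your CA publishes.
import_chain() {
  keytool -importcert -trustcacerts -alias root -file "$1" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -trustcacerts -alias intermed -file "$2" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -trustcacerts -alias tomcat -file "$3" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Checks: the tomcat alias must be a PrivateKeyEntry (not a bare
# trustedCertEntry), and after step 5 its chain length should be 3.
entry_type() {
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias tomcat \
    | grep -oE 'PrivateKeyEntry|trustedCertEntry'
}
chain_length() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias tomcat \
    | sed -n 's/^Certificate chain length: //p'
}

# Usage: sh tomcat-keystore.sh www.example.com   (then import_chain by hand)
if [ -n "${1:-}" ]; then
  gen_key_and_csr "$1"
  echo "CSR in csr.csr; entry=$(entry_type) chain length=$(chain_length)"
fi
```

Before any CA certs are imported the chain length reported for the tomcat alias is 1 (the self-signed placeholder); if it is still 1 after the last import, the site cert did not land on the key entry and Tomcat will serve the placeholder.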
