Generating and Deploying Certificates for https

You are here:
< All Topics


Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network, and is widely used on the Internet.

The principal motivations for HTTPS are authentication of the accessed website, and protection of the privacy and integrity of the exchanged data while in transit. It protects against man-in-the-middle attacks, and the bidirectional encryption of communications between a client and server protects the communications against eavesdropping and tampering. In practice, this provides a reasonable assurance that one is communicating with the intended website without interference from attackers. Ref – wikipedia

This document explains how to import new certificates on Tomcat servers. The only existing difference between certificate renewal and new certificate installation on Tomcat is that when renewing, there is no need to create a new Keystore (as it already exists) and a command needs to be ran to have the old certificates deleted. When installing certificates for the first time, a Keystore needs to be created from scratch.

Create a keystore

Step one in certificate generation is using keytool to create a keystore with a matching private key (at least 2048 bit) on server. SSL certificates are stored in keystores. The command below can be used in command prompt –

keytool -alias keystorealias -genkey -keyalg RSA -keysize 2048 -keystore KEYSTORE.jks -storepass “password”
For example – keytool -alias ankproactive -genkey -keyalg RSA -keysize 2048 -keystore E:\CSR\ankproactive.jks -storepass “Anakage!@#123”

keystorealias – is the name you can use to reference to your keystore
KEYSTORE.jks – is the file (keystore) where all information will be stored
Among other information, the tool will ask you for “First and Last Name” and password to the private key. Provide website’s FQDN as “First and Last name”, for eg: In the password field just press enter to use the same password as the one for the keystore.

Create Certificate Signing Request

When keystore is ready you need to create a certificate signing request through the command below:

keytool -certreq -alias keystorealias -keystore KEYSTORE.jks -file servername.csr
For example – keytool -certreq -alias ankproactive -keystore E:\CSR\ankproactive.jks -file E:\CSR\

The tool will ask for the password.
The result will be a file with the following naming format: servername.csr

Request the new certificate

The .csr file is to be shared for certificate generation to relevant team. The team will generate the SSL certificate and send the certificate.

Install the certificate

On Tomcat servers, root, intermediate and server certificates need to be installed individually.

1 – Download and place the certificates in E:\CSR\ directory on server.

2 – Use the command below to import the root certificate to the servers keystore –
keytool -keystore KEYSTORE.jks -storepass password -import -trustcacerts -alias root -file root.cer.
For example – keytool -keystore E:\CSR\ankproactive.jks -storepass Anakage!@#123 -import -trustcacerts -alias root -file E:\CSR\ TrustedRoot.crt

3 – Use the commands below to import the intermediate certificate –
keytool -keystore KEYSTORE.jks -storepass password -import -trustcacerts -alias intermediate -file intermediate.cer.
For example – keytool -keystore E:\CSR\ankproactive.jks -storepass Anakage!@#123 -import -trustcacerts -alias intermediate -file E:\CSR\ DigiCertCA.crt

4 – When importing the server certificate, use the same alias as the one used to create the keystore –
keytool -keystore KEYSTORE.jks -storepass password -import -trustcacerts -alias keystorealias -file server_certificate.cer
For example – keytool -keystore E:\CSR\ankproactive.jks -storepass Anakage!@#123 -import -trustcacerts -alias ankproactive -file E:\CSR\www_google_com.cer

5 – If the old certificate needs to be deleted, please run the command below:
keytool -keystore KEYSTORE.jks -storepass password -delete -alias certificatealias

Configure the server

The certificates are now installed. Last thing to do is to configure the server.xml config file.

1 – Copy your keystore file (your_domain.key) to the secure directory on the server

2 – Open the file Tomcat_Home_Directory/conf/server.xml in a text editor.

3 – Uncomment the SSL Connector Configuration.

4 – Make sure that the Connector Port is 443, which is default for https connections. It should be like below

5 – Specify the correct keystore filename and path to it.

6 – Type the keystore password in your connector configuration – keypass=”password”

7 – Save the changes to server.xml.

8 – Restart Tomcat.

The server is now ready to work with connections secured by SSL.

Note – Tomcat Keystore contains the private key for the website. Losing it will require the certificate to be revoked by the CA.

Next Troubleshooting Deployment issues
Table of Contents