SSL Certificate Installation - Tomcat Server

Procedure:

Create a New Keystore:

• You will be using the keytool command to create and manage your new Keystore file. You may need to add the java /bin/ directory to your PATH before the keytool command is recognized. When you are ready to create your keystore go to the directory where you plan to manage your Keystore and certificates. Enter the following command in command prompt:

           keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore your_site_name.jks

• You will be prompt to choose a password for your keystore. You will then be prompt to enter your Organization information.

• When it asks for first and last name, this is NOT your first and last name, but rather it is your Fully Qualified Domain Name for the site you are securing (example: www.yourdomain.com). If you are ordering a Wildcard Certificate this must begin with the * character. (example: *.yourdomain.com)

• After you have completed the required information, confirm that the information is correct by entering 'y' or 'yes' when prompted. Next, you will be ask for your password to confirm. Make sure to remember the password you choose. Your keystore file named your_site_name.jks is now create in your current working directory.

Generate a CSR from Your New Keystore:

• Next, you will use keytool to create the Certificate Signing Request (CSR) from your Keystore. Enter the following command:

         keytool -certreq -alias server -file csr.txt -keystore your_site_name.jks

• Type the keystore password that you chose earlier and hit Enter.

• Once CSR generated upload it to Certificate Authority and generate SSL certificate.
• Install Certificate on Tomcat Server
• Depending on the certificate format in which you received the certificate from the Certificate Authority, there are different ways of importing the files into the keystore. 

PKCS#:   

• If the certificate you received is in PKCS#7 format (the extension of the certificate file will be .p7b or .cer), it already includes the necessary intermediate and root certificates. Additionally, a certificate with .p7b extension can be download in the user account. Run the following command to import it into the keystore:

         keytool -import -trustcacerts -alias server -keystore example.jks -file example.p7b

• If the certificate was imported successfully, you will see the message 'Certificate reply was installed in keystore'. You can check the details of the certificate that was imported to the keystore with a command:

         keytool -list -keystore example.jks 

PEM: 

• If you received the certificate in the PEM format ( files will be with the .crt extension), you will need to import the root certificate, intermediate certificates and the certificate issued for your domain name to the keystore separately starting from a root certificate and ending with the certificate for your domain name. To import a root certificate, run the following command

        keytool -import -alias root -keystore example.jks -trustcacerts -file root.crt

• To import an intermediate certificate

        keytool -import -alias intermediate -keystore example.jks -trustcacerts -file intermediate.crt

• After the successful import you need to edit Tomcat configuration file. As a rule, it is called server.xml and usually can be found in Home_Directory/conf folder. Please change in configuration file as follow:

        <Connector port="443" protocol="HTTP/1.1"

          SSLEnabled="true"

          scheme="https" secure="true" clientAuth="false"

          sslProtocol="TLS" keystoreFile="/your_path/yourkeystore.jks"

          keystorePass="password_for_your_key_store" />

• Save the changes and restart Tomcat web service.