Certificate Installation: Java-based Webservers (e.g. Tomcat) using keytool Print

  • 11

Certificate Installation: Java-based Webservers (e.g. Tomcat) using keytool

Installing a Certificate Signing Request (CSR) with a Java-based Webserver such as Tomcat, using keytool

You will need a Dedicated IP for the SSL domain. You cannot install the SSL on to a IP where are more then one domains!

You will have received your certificate from us, a file typically named 'your_domain_com.crt' as well as the Ca Bundle [or download the Ca Bundle]

You need to copy these files to your server, and then move to the directory where the keystore that was used to generate

the CSR is located. Then execute the commands below to install the certificates.

  1. Firstly, import the Ca Bundle Certificate with the following command:

    keytool -import -trustcacerts -alias root -file Ca Bundle -keystore my_keystore.jks

    Replace the file 'my_keystore.jks' with the filename and path you wish to locate the keystore. Do this in all the commands below as well.

  2. Finally, import the site certificate (the file with your domain in the filename), with the following command:

    keytool -import -trustcacerts -alias server -file your_domain_com.crt -keystore my_keystore.jks

    The 'server' alias should be the same alias name as you used when creating the CSR. For Tomcat servers, this should be 'tomcat'.

  3. The certificates are all installed in the keystore, and you can configure your software to use that keystore.
    To do this with Apache Tomcat, you can edit the 'server.xml' file.
    Open the file, and search for a line that looks like the below, replacing the parts hightlighted to match your keystore (port, keystoreFile and keypass):

    443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/my_keystore.jks" keypass="mykeystorepassword"/>

If you do not enter an alias with the '-alias' command flag when generating the CSR, the default alias will be used, 'mykey'. Use this alias at step 3.

For Tomcat, change the '-alias server' to '-alias tomcat'

Was this answer helpful?

« Back