GoWebsite.com provides Domain Registration
Website Hosting, On-Line Shopping Carts, SEO
Blog Hosting, Email Accounts, Security Certificates,
Merchant Accounts & other Website Products.
Free setup! Speak with us anytime: 480-624-2500

Generating a CSR and Installing an SSL Certificate in Tomcat 4.x/5.x/6.x/7.x

When you request an SSL certificate, you must provide a Certificate Signing Request (CSR) from your server. The CSR includes your public key, and must contain the same details as the online request form in your account. After your request is vetted and your certificate is issued, download and install all of the provided files to complete the installation.

NOTE: These steps describe how to install a certificate using keytool, so you must have Java 2 SDK 1.2 or above installed on your server.

Generating a Keystore and CSR in Tomcat

Using Keytool, follow these steps to generate a keystore and CSR on your server.

To Generate a Keystore and CSR in Tomcat

  1. Enter the following command into keytool to create a keystore:
    keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -keystore tomcat.keystore
  2. Enter a Password. The default is changeit.
  3. Enter Distinguished Information:
    • First and Last Name — The fully-qualified domain name, or URL, you're securing. If you are requesting a Wildcard certificate, add an asterisk (*) to the left of the common name where you want the wildcard, for example *.coolexample.com.
    • Organizational UnitOptional. If applicable, you can enter the DBA name in this field.
    • Organization — The full legal name of your organization. The listed organization must be the legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor's name in Organization, and the DBA (doing business as) name in Organizational Unit.
    • City/Locality — Name of the city in which your organization is registered/located — do not abbreviate.
    • State/Province — Name of state or province where your organization is located — do not abbreviate.
    • Country Code — The two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.
  4. Enter the following command into keytool to create a CSR:
    keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
  5. Enter the Password you provided in Step 2.
  6. Open the CSR file, and copy all of the text, including
    ----BEGIN NEW CERTIFICATE REQUEST----

    and

    ----END CERTIFICATE REQUEST----
  7. Paste all of the text into the online request form and complete your application.

For more information about completing the online request form, see Requesting an SSL Certificate.

After you submit the application, we begin vetting your request. You will receive an email with more information when this process is complete.

Installing Your SSL in Tomcat

After the certificate is issued, download it from the Certificate Manager and place it in the same folder as your keystore. Then, using keytool, enter the following commands to install the certificates.

The file names for your root and intermediate certificates depend on your signature algorithm.

  • SHA-1 root certificate: sf_class2_root.crt
  • SHA-2 root certificate: sfroot-g2.crt
  • SHA-1 intermediate certificate: sf.intermediate.crt
  • SHA-2 intermediate certificate: sfig2.crt
  • (Java 7 only) SHA-2 Cross Intermediate Certificate: sfroot-g2_cross.crt

You should not use SSL certificates employing the SHA-1 algorithm (more info).

You can also download certificates from the repository.

To Install Your SSL in Tomcat

  1. Install the root certificate by running the following command:
    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file <name of the root certificate>
  2. Install the intermediate certificate by running the following command:
    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file <name of the intermediate certificate>
  3. Install the issued certificate into the keystore by running the following command:
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file <name of the certificate>
  4. Update the server.xml file with the correct keystore location in the Tomcat directory.

    NOTE: The HTTPS connector is commented out by default. Remove the comment tags to enable HTTPS.

    • Tomcat 4.x — Update the following elements in server.xml for Tomcat 4.x:
      clientAuth="false"
      protocol="TLS" keystoreFile="/etc/tomcat5/tomcat.keystore"
      keystorePass="changeit" />
    • Tomcat 5.x, 6.x and 7.x — Update the following elements in server.xml for Tomcat 5.x, 6.x and 7.x:
      <-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --> <!-- <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="<em>path to your keystore file</em>" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
  5. Save your changes to server.xml, and then restart Tomcat to begin using your SSL. Your SSL Certificate is installed. If you have problems, please see Where can I get information about my SSL's configruation? to help diagnose issues.
Domain Registration
Pay less for website domain names. Register your own .com, .net or .org for as low as $10.18 per year. Everything you need to get online - FREE with your domain.		 Website Builder
For as little as $3.89 per month you can build your Website online with Website Builder using our easy to use professional templates.
Play Video - Demo		 Quick Shopping Cart
Build and run your own successful online store in minutes. You're just five easy steps away!
Shopping Cart works with Google® and eBay®
Play Video		 Website Hosting
Everything needed to give your website the high-performance home it deserves.  Protect transactions and secure your customer's data with
a SSL Certificate