This quick guide walks you through the crucial aspects of a proper Tomcat SSL installation. First, you will learn how to generate a CSR code for you Tomcat server. Second, you will master how to install an SSL Certificate in Tomcat. Finally, you will discover a bit of Tomcat history, and the best place to buy an SSL certificate for your Tomcat server.

Generate a CSR code for Tomcat
Install an SSL Certificate in Tomcat
Test your Tomcat SSL installation
Tomcat server history and versions
Where to buy the best SSL Certificate for Tomcat?

Generate a CSR code for Tomcat

CSR stands for Certificate Signing Request, a block of text containing current details about your domain ownership and company. All buyers of commercial SSL certificates must submit the CSR to their Certificate Authority to pass the SSL validation and obtain the certificate.

We’ll use the keytool commands to generate your private key and the CSR code. Please, follow the steps below:

  1. Your first step is to create a keystore for your private key. To do it, launch a command line interface and run the following command:
    keytool -genkey -keysize 2048 -keyalg RSA -alias ssldragon -keystore example.jks

    Note: Don’t forget to replace “example” with the primary domain name you want to secure. You may use any custom alias. For this demonstration, we’ve used ssldragon.

  2. Create a password for the kyestore. Remember this password, or write it down. You’ll need it soon
  3. Next, you need to answer the following questions:
    • What is your first and last name? – instead of writing your initials, please specify the Fully Qualified Domain Name (FQDN) you want to protect with an SSL Certificate (e.g. If you have a Wildcard certificate, add an asterisk in front of the domain (e.g., *
    • What is the name of your organizational unit? – For Business and Extended Validation Certificates, enter the department in charge of web security (e.g., IT or Web Administration). For Domain Validation Certificates, enter NA instead
    • What is the name of your organization – type the officially registered name of your company. Use only alphanumerical characters (e.g., GPI Holding LLC)
    • What is the name of your City or Locality? – submit the full name of your city, town or locality. (e.g., San Jose)
    • What is the name of your State or Province? – provide the full name of the state or region where your business is registered (e.g., California)
    • What is the two-letter country code for this unit? – Here you can find the full list of country codes. Make sure the country you specify is the legal residence of your organization (e.g., US)
  4. The command will ask you to confirm your information. Is, OU=IT, O=GPI Holding LLC, L=San Jose, ST=California, C=US correct? Double-check your answers, and type y or yes to continue
  5. After you’ve generated the keystore with the private key, run the following command to create the CSR code:
    keytool -certreq -keyalg RSA -alias ssldragon -file example.csr -keystore example.jks
  6. Replace ssldragon and example.jks with your corresponding details
  7. Enter the keystore password (you created it in step 2)
  8. Your CSR code is ready. It resides in the example.csr file. You can open it with any text editor of your choice and copy-paste the whole content during your buying order. To ensure you don’t miss a line, use the ctrl+a hot key to select the entire text.

After the Certificate Authority validates your request and sends you the SSL files, proceed to the SSL installation.

Install an SSL Certificate in Tomcat

Prepare your SSL certificate files. Depending on your Certificate Authority, your SSL files may be in PKCS#7 format (.p7b or .cer extensions) or PEM format (.crt extension). Determine your files’ format and follow the instructions below:

PKCS#7 format

As it already contains the required root and intermediate certificates, all you have to do is run the following command to add it into the keystore:

keytool -import -trustcacerts -alias ssldragon -keystore example.jks -file example.p7b

Note: Replace ssldragon and example with your alias and file names.

If you see the message “Certificate reply was installed in keystore”, you’ve successfully imported the certificate. You can use the following command to check the details of your certificate: keytool -list -keystore example.jks –v.

PEM format

You have to import all the necessary certificate files separately in the correct order. Run the commands below for each certificate type:

  • Root Certificatekeytool -import -alias root -keystore example.jks -trustcacerts -file root.crt
  • Intermediate Certificate keytool -import -alias intermediate -keystore example.jks -trustcacerts -file intermediate.crt
    If your certificate includes several intermediate certificates, you should import all of them in the keystore. Please, follow the correct sequences. For example, for Sectigo PositiveSSL Certificate you should import:

    1. The certificate signed by the root (e.g. crt)
    2. The intermediate certificate (e.g. crt)
    3. The intermediate certificate that signs the certificate issued for your domain (e.g. crt)
  • Primary Certificate (the one issued for your domain) keytool -import -alias ssldragon -keystore example.jks -file example.crt

Note: Replace the alias with the your own one.

After the import, your next step is to edit the Tomcat configuration file. By default, it’s called server.xml and resides in the Home_Directory/conf folder.

  1. Locate the configuration file
  2. You should see a few lines of code similar to the example below:
    <Connector port="443" protocol="HTTP/1.1"
    scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" keystoreFile="/your_path/yourkeystore.jks"
    keystorePass="password_for_your_key_store" />
  3. Please change the parts in bold. For keystoreFile parameter, specify the directory of your keystoreFile. For keystorePass attribute, enter your keystore password.

    Note: If this is your first Tomcat configuration, the keystoreFile and kyestorePass lines may be missing. You will have to manually add them. Also, you will need to uncomment the connector by removing the comment tags (<!– and –>).

  4. Save your .xml file and restart your Tomcat server
  5. Congratulations! You’ve successfully installed an SSL certificate on Tomcat.

Test your Tomcat SSL installation

After you install an SSL certificate in Tomcat, several unnoticed errors may creep in and affect the performance of your certificate. Make a habit of checking your SSL installation regularly. Use one of these high-end SSL tools to get instant scans and reports.

Tomcat server history and versions

Tomcat Server, officially known as Apache Tomcat, is an open-source Java servlet container developed by the Apache Software Foundation (ASF). The original author of Tomcat is James Duncan Davidson, an American photographer, and developer. According to Apache’s wiki page, Davidson picked the “Tomcat” name because it represents an animal that could take care of itself and fend for itself.

Listed below are all the major versions of Tomcat:

  • 2.0 – the initial Tomcat release in 1998
  • 4.1 – first apache release with Catalina (a servlet container), Coyote (an HTTP connector) and Jasper (a JSP engine)
  • 7-0 – released in 2011, it is the older version still supported
  • 8.5 – released in 2016, it is one of the 3 versions still receiving updates
  • 9.0 – released in 2018, it is the latest Tomcat version, at the time of writing this article.

Where to buy the best SSL Certificate for Tomcat?

SSL Dragon is your one-stop place for all your SSL needs. We’re partners with the best Certificate Authorities on the market, and offer the most competitive prices across the entire range of our SSL products. All our certificates are compatible with the Tomcat server. Whether you want to secure a blog or a network of e-commerce sites, we’ve got you covered. Below are the types of SSL certificates available at SSL Dragon:

You can find the perfect SSL Certificate for your project and budget with the help of our handy SSL Wizard and Certificate Filter. The first tool offers a quick and highly accurate.

If you find any inaccuracies, or you have details to add to these SSL installation instructions, please feel free to send us your feedback at [email protected]. Your input would be greatly appreciated! Thank you.