In this tutorial, you will learn how to install an SSL certificate on Apache Tomcat using the Java keytool utility, then configure the HTTPS connector in server.xml. If you haven’t generated your CSR yet, the first section shows you how.
We also recorded a video that walks you through the entire process. You can watch the video, read the instructions, or do both. You can watch the video below.
Generate a CSR code for Tomcat
CSR stands for Certificate Signing Request, a block of text containing current details about your domain and organization. Every buyer of a commercial SSL certificate must submit a CSR to the Certificate Authority (the SSL provider) to pass validation and receive the certificate. If the CSR contains incorrect details, the CA will not sign it.
On Tomcat, the CSR is created with keytool from a Java keystore, and that same keystore holds the private key you will reuse during installation. You have two options:
- Use our CSR Generator to create the CSR automatically.
- Follow our step-by-step tutorial on how to generate a CSR on Tomcat.
Important: keep track of the keystore file and the alias you used when generating the CSR. You will import your signed certificate back into that exact alias later, because that is where the matching private key lives.
After the Certificate Authority validates your request and sends you the SSL files, continue with the installation below.
Install an SSL certificate in Tomcat
A Tomcat installation has two stages: first you import the certificate chain and your signed certificate into the keystore that already contains your private key, then you configure the HTTPS connector in server.xml to use that keystore.
Step 1: Prepare your SSL certificate files
Your Certificate Authority emails the files to the address you provided, usually as a ZIP archive. Extract it. Depending on the CA, the files arrive in one of two formats:
- PKCS#7: a single .p7b (or .cer) file that already bundles your certificate together with the root and intermediate certificates.
- PEM: separate files, typically a .crt for your server certificate plus individual root.crt and intermediate.crt files.
Upload the extracted files to the server, into the same directory as the keystore you generated your CSR from (referred to below as example.jks). Identify your format and follow the matching instructions.
Step 2: Import the certificate into your keystore
PKCS#7 format. Because a .p7b already contains the full chain, a single command imports everything at once, into your existing private-key alias:
keytool -import -trustcacerts -alias ssldragon -keystore example.jks -file example.p7b
Replace ssldragon with your own alias and example with your file names. The alias must be the one that already holds your private key (the alias from the CSR step). When you see the message Certificate reply was installed in keystore, the import succeeded. Verify the contents of the keystore with:
keytool -list -v -keystore example.jks
Look for an entry whose type is PrivateKeyEntry with a certificate chain length greater than 1. That confirms the signed certificate is now attached to your private key.
PEM format. Import the certificates separately, in chain order: the root first, then any intermediates, and your domain certificate last. Importing the chain first lets keytool build a complete trust path before it attaches the reply to your key. Import the root certificate:
keytool -import -trustcacerts -alias root -keystore example.jks -file root.crt
Then import the intermediate certificate:
keytool -import -trustcacerts -alias intermediate -keystore example.jks -file intermediate.crt
If your CA supplies several intermediate certificates, import each one under its own trusted alias, following the order in which they sign each other (from the root down toward your domain certificate). For example, a Sectigo Sectigo PositiveSSL certificate ships with more than one intermediate, so import them in sequence before the domain certificate.
Finally, import your primary certificate (the one issued for your domain) into the existing private-key alias, the same alias you used when generating the CSR:
keytool -import -trustcacerts -alias ssldragon -keystore example.jks -file example.crt
Here, ssldragon must be your existing private-key alias. Because that alias already has a key, keytool treats this import as a certificate reply and binds the signed certificate to the key. This is the step that makes HTTPS work.
Critical pitfall: do not import the signed certificate under a brand-new alias. If the alias has no existing private key, keytool stores the certificate as a standalone trusted entry with no key attached, and TLS will fail. If you are unsure which alias holds your key, run keytool -list -v -keystore example.jks and use the alias whose type is PrivateKeyEntry.
Step 3: Configure the HTTPS connector in server.xml
With the certificate in your keystore, point Tomcat’s HTTPS connector at it. The connector is defined in server.xml, located in the conf folder of your Tomcat installation (for example $CATALINA_HOME/conf/server.xml). Open the file in a text editor.
On current Tomcat versions (9, 10, and 11), the recommended form nests an SSLHostConfig element, which in turn holds a Certificate element that references your keystore. Add or update the secure connector to look like this:
<Connector
port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true">
<SSLHostConfig>
<Certificate
certificateKeystoreFile="/your_path/example.jks"
certificateKeystorePassword="your_keystore_password"
certificateKeystoreType="JKS"
certificateKeyAlias="ssldragon"
type="RSA" />
</SSLHostConfig>
</Connector>
- certificateKeystoreFile: the full path to your keystore file.
- certificateKeystorePassword: the keystore password.
- certificateKeystoreType: JKS for a .jks keystore, or PKCS12 for a .p12 / .pfx keystore.
- certificateKeyAlias: the alias that holds your private key and signed certificate (here, ssldragon). This tells Tomcat which entry to serve when the keystore contains more than one.
Note: port 443 is the standard HTTPS port used above; Tomcat’s own examples default to 8443, so use whichever your environment expects. If this is your first HTTPS setup, the secure connector may be commented out in server.xml. Remove the surrounding comment markers so the connector is active, and make sure no other connector is already bound to the same port.
Legacy form (older Tomcat). Older guides place the keystore details directly on the connector as keystoreFile and keystorePass attributes. That style is superseded by the SSLHostConfig and Certificate elements shown above, which is the form to use on supported Tomcat releases.
Step 4: Save server.xml and restart Tomcat
Save server.xml, then restart Tomcat so it reloads the configuration. On Linux, use the bundled scripts:
$CATALINA_HOME/bin/shutdown.sh
$CATALINA_HOME/bin/startup.sh
If Tomcat runs as a service, restart it through your service manager instead (for example systemctl restart tomcat on Linux, or the Services panel on Windows). Congratulations, your SSL certificate is now installed on your Tomcat server.
Test your Tomcat SSL installation
After installing the certificate, small errors can slip in without notice and affect how browsers treat your site. Make a habit of checking the installation. Run our SSL Checker for an instant scan that reveals issues such as a missing intermediate certificate or an untrusted chain.
Frequently Asked Questions
The usual cause is importing the signed certificate under a new alias instead of the alias that already holds your private key. keytool then stores it as a trusted certificate entry with no key, so Tomcat cannot complete a TLS handshake. Re-import the signed reply into the existing private-key alias (the one from your CSR). Confirm it worked by running keytool -list -v -keystore example.jks and checking that the alias shows as a PrivateKeyEntry with a chain longer than one certificate.
Import the chain first. Add the root and any intermediate certificates as trusted entries, in order, then import your domain certificate into the private-key alias last. This lets keytool build a complete trust path before it attaches the reply to your key. With a PKCS#7 (.p7b) file the chain is already bundled, so a single import handles everything.
The HTTPS connector is defined in server.xml, in the conf directory of your Tomcat installation (for example $CATALINA_HOME/conf/server.xml). On current Tomcat versions, the keystore is referenced through a nested SSLHostConfig and Certificate element rather than directly on the connector.
Yes. Tomcat supports both. Set certificateKeystoreType to PKCS12 for a .p12 or .pfx keystore, or JKS for a .jks keystore, and point certificateKeystoreFile at the matching file. PKCS12 is the standard, portable keystore format, so it is a good default for new keystores.
Tomcat’s sample configuration uses port 8443 for the secure connector. To serve HTTPS on the standard port that browsers use by default, set the connector port to 443 and make sure no other connector or service is already using it.
Run the bundled scripts $CATALINA_HOME/bin/shutdown.sh followed by $CATALINA_HOME/bin/startup.sh, or restart the Tomcat service through your service manager (for example systemctl restart tomcat on Linux, or the Services panel on Windows). A restart is required for changes to server.xml to take effect.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


