Use the DigiCert Certificate Utility to create a CSR and prepare your certificate for installation on your Tomcat server

These instructions explain how to use the DigiCert® Certificate Utility for Windows and Tomcat service to create your CSR, prepare your SSL/TLS certificate file, and to configure your Tomcat server to use the certificate.

DigiCert® Certificate Utility for Windows

For a simpler way to create your Certificate Signing Request (CSR) and install and manage your SSL/TLS certificates, we recommend that you use the DigiCert Certificate Utility. For more information about our utility, see DigiCert® Certificate Utility for Windows.

Use the instructions on this page to create your certificate signing request (CSR) and then to install your SSL Certificate.

Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart the Tomcat service.

  1. To create your certificate signing request (CSR), see Tomcat Server: Create Your CSR with the DigiCert Utility.

  2. To install your SSL Certificate, see Tomcat Server: Install Your SSL Certificate.

If you don't have access to a Windows computer, prefer not to use the DigiCert Utility, or for some reason cannot use the utility, see Tomcat: Create CSR & Install SSL Certificate with Keytool.

I. Tomcat Server: Create Your CSR with the DigiCert Utility

The DigiCert® Certificate Utility for Windows streamlines the CSR creation process. With our utility, you can generate the CSR with one click.

  1. On a Windows computer, download and save the DigiCert Certificate Utility for Windows zip file (DigiCertUtil.zip).

  2. Extract the DigiCertUtil.exe from the zip file and then run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).

  3. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Create CSR.

  4. On the Create CSR page, provide the following information and then click Generate.

    Certificate Type: Select SSL.
    Common name: The fully-qualified domain name (FQDN) (e.g., www.example.com).
    Subject Alternative Names: Are you requesting a Multi-Domain SSL Certificate? Then enter the SANs you want to include on the certificate (e.g., www.example.com, www.example2.com, and www.example3.net).
    Organization: Type your company's legally registered name (e.g., YourCompany, Inc.).
    Department: You can leave this box blank; you are not required to specify a department.
    Do you want to specify a department? Then type the name of the department in your organization you want to associate the certificate with (e.g., Web Security).
    City: Type the city where your company is located.
    State: Use the drop-down list to select the state where your company is located.
    Country: In the drop-down list, select the country where your company is legally located.
    Key Size: In the drop-down list, select 2048 (unless you have a specific reason for using a larger bit length).

  5. In the DigiCert Certificate Utility for Windows© - Create CSR window, complete one of the following options:

    Copy CSR: This option copies the certificate contents to the clipboard. Use this option if you are ready to paste the CSR into the DigiCert order form.
    Note: The DigiCert Certificate Utility does not store CSRs. Therefore, we recommend pasting the CSR into a text editor (such as Notepad) when using this option. If you close the CSR page and accidentally overwrite the clipboard contents without doing this, you will need to generate a new CSR.
    Save to File: This option saves the CSR as a .txt file.

  6. When you're ready to order your SSL/TLS certificate, paste your CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, into the DigiCert order form.

    Note: Make sure that when you Select Server Software, you select Tomcat.

  7. After you receive your SSL/TLS certificate from DigiCert, you can use the DigiCert Certificate Utility to help you install it on your Tomcat server.

II. Tomcat Server: Install Your SSL/TLS Certificate

After DigiCert validates your order and issues your SSL/TLS certificate, you can use the DigiCert® Certificate Utility for Windows to prepare the certificate file for installation on your Tomcat server.

Note: If you have not created your CSR with the DigiCert Certificate Utility and ordered your SSL/TLS certificate, see Tomcat Server: Create Your CSR with the DigiCert Utility.

To install your SSL/TLS certificate on your Tomcat server, complete the steps below.

  1. Use the DigiCert Certificate Utility to import your SSL/TLS certificate to your Windows computer.

    Step 1: Import Your SSL/TLS Certificate

  2. Use the DigiCert Certificate Utility to export the SSL/TLS certificate in a .PFX format.

    Step 2: Export Your SSL/TLS Certificate in a .PFX Format

  3. Configure an SSL Connector on your Tomcat server.

    Step 3: Configure an SSL Connector

Step 1: Import Your SSL/TLS Certificate

After DigiCert issues your SSL/TLS certificate, use the DigiCert Certificate Utility to import the file.

  1. On the Windows computer where you created the CSR, run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).

  2. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Import.

  3. In the Certificate Import window, under File Name, click Browse and browse to the .p7b certificate file (e.g., your_domain_com.p7b) that DigiCert sent you, click Open, and then click Next.

  4. In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.

    Note: The friendly name is not part of the certificate; it is used to identify the certificate.

    We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.

  5. To import the SSL/TLS certificate to your server, click Finish.

    You should receive a message that the certificate was successfully imported.

  6. You should now see your SSL/TLS certificate in the DigiCert Certificate Utility for Windows©.

    You are now ready to export your SSL/TLS certificate as a .pfx file.

Step 2: Export Your SSL/TLS Certificate in a .PFX Format

After importing your SSL/TLS certificate to your Windows computer, use the DigiCert Certificate Utility to export the certificate as a .pfx file.

  1. Run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).

  2. In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL/TLS certificate you want to export as a .pfx file, and then click Export Certificate.

  3. In the Certificate Export wizard, select Yes, export the private key, select pfx file, check Include all certificates in the certification path if possible, and then click Next.

  4. In the Password and Confirm Password boxes, create and confirm a password and then click Next.

  5. Next, click …, browse for and select the location where you want to save the .pfx file, and then click Save.

  6. To export the SSL/TLS certificate with private key, click Finish.

  7. After you receive the "Your certificate and key have been successfully exported" message, click OK.

    Your SSL/TLS certificate has been exported as a .pfx file.

Step 3: Configure an SSL/TLS Connector in Tomcat

After you have the .pfx file, you are ready to install it on your Tomcat server and configure the server to use the certificate.

  1. Copy the .pfx file to your Tomcat server.

  2. In your Tomcat installation directory, locate server.xml.

  3. Locate (or create) the connector on port 443 and edit it to use your new keystore.

    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
               minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="your_certificate.pfx"
               keystorePass="changeIt" keystoreType="PKCS12"/>
    

    Where:

    • keystoreFile is the full path to your pfx file

    • keystorePass is the password you created when exporting the pfx

    • keystoreType MUST be set to "PKCS12"

  4. Save your changes to server.xml.

  5. Restart the Tomcat service.

  6. Congratulations! You've successfully installed your SSL/TLS certificate.
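
The connector attributes from step 3 can be checked before Tomcat is restarted. The following is an added example, not DigiCert's code: a Python check over a constructed server.xml that flags a keystoreFile that is not a full path, a keystoreType other than PKCS12, and a placeholder keystorePass. The function names and the placeholder-password list are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Assumption: passwords treated as placeholders rather than real secrets.
PLACEHOLDER_PASSWORDS = {"", "changeit", "password"}

# Constructed sample: the page's connector as printed, plus a corrected one.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="your_certificate.pfx"
             keystorePass="changeIt" keystoreType="PKCS12"/>
  <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="C:\certs\your_certificate.pfx"
             keystorePass="constructed-Example-Pass-1" keystoreType="PKCS12"/>
  <Connector port="8080" protocol="HTTP/1.1"/>
</Service></Server>"""


def is_full_path(value):
    """True for an absolute Windows (drive or UNC) or POSIX path."""
    return PureWindowsPath(value).is_absolute() or PurePosixPath(value).is_absolute()


def audit_connectors(server_xml_text):
    """Return (port, finding) tuples for each SSL-enabled <Connector>."""
    findings = []
    for conn in ET.fromstring(server_xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue  # connectors without SSL have no keystore to check
        port = conn.get("port", "?")
        if not is_full_path(conn.get("keystoreFile", "")):
            findings.append((port, "keystoreFile is not a full path"))
        if conn.get("keystoreType") != "PKCS12":
            findings.append((port, "keystoreType is not PKCS12"))
        if conn.get("keystorePass", "").lower() in PLACEHOLDER_PASSWORDS:
            findings.append((port, "keystorePass is missing or a placeholder"))
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append((port, "scheme/secure do not mark HTTPS"))
    return findings


if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE_SERVER_XML):
        print(f"connector {port}: {finding}")
```

Because keystorePass sits in server.xml in clear text, read access to server.xml and to the .pfx file should be limited to the account that runs Tomcat.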

Test Your SSL/TLS Certificate Installation

Is your site publicly accessible? Then use our DigiCert® SSL Installation Diagnostic Tool to test your SSL/TLS certificate installation; it detects common installation problems.

Troubleshooting

If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors, contact support.