Step-by-Step procedure to generate a CSR and install an SSL Certificate on a Tomcat web server


Generate a CSR and Install an SSL on your Tomcat server in no time

Tomcat is an open-source web server from the Apache Software Foundation that executes Java servlets and serves web pages containing JavaServer Pages (JSP) code. It is often described as the ‘reference implementation’ of the Java Servlet and JavaServer Pages specifications. It is available from Apache’s website in binary and source versions and can be used as a standalone product with its own internal web server, or together with other web servers such as Apache HTTP Server, Netscape Enterprise Server, and Microsoft IIS and Personal Web Server.


How can I generate a CSR in Tomcat?

To generate a Certificate Signing Request (CSR), you first need to create a new keystore; only then can you generate the CSR.

A. Create a Keystore with Keytool

  1. To create a new keystore with keytool, you may first need to add the Java /bin/ directory to your PATH so that the keytool command is recognized. Once that is done, enter the following command:
    keytool -genkey -keyalg RSA -keysize 2048 -keystore domain.keystore
  2. Now enter a keystore password. (The default is changeit; change it.)
  3. In the next step, you will be asked for your organization details:
    • Enter keystore password: (NOTE: remember this for later use)
    • Your first and last name: this is the Common Name (your domain name)
    • What is the name of your organizational unit
    • Organization Name
    • City or Locality
    • State or Province
    • Two-letter country code for this unit
  4. Confirm that the information you entered is correct by typing ‘y’ or ‘yes’.
  5. In this step you will be asked to confirm the password. (Remember it; you need it to create the CSR.)
  6. With this step, your new keystore is created.

Alternative Keystore Generation Method
There is an alternative way to create your keystore that does not involve all of these prompts; the subject details are passed on the command line with -dname:

    keytool -genkey -keyalg RSA -keysize 2048 -dname "CN=www.yourdomain.com, O=Default, C=US" -keystore domain.keystore

B. Create CSR with Keytool

  1. Enter the following command in keytool:
    keytool -certreq -keyalg RSA -file domain.csr -keystore domain.keystore
  2. Enter the keystore password that you chose when creating the keystore.
  3. If you entered the correct password, your CSR is written to domain.csr.

Certificate Installation procedure in Tomcat

To secure the Tomcat web server, you need to install an SSL certificate on it. Here is a detailed, step-by-step guide to installing the certificate successfully:

Install SSL on Tomcat Server

Step 1: Download the certificate from the CA

The installation procedure starts with downloading your certificate file from the certificate authority. Save it to the directory where you saved your keystore during CSR generation.

Step 2: Install the Root certificate

While installing the certificate to the keystore, you have to enter the exact password that you chose when you generated it. To install the Root certificate file, enter the following code:

keytool -import -trustcacerts -alias root -file RootCertFileName.crt -keystore domain.keystore

Proceed by selecting ‘Yes’ when you receive a message asking “Certificate already exist in system-wide CA keystore under <>. Do you still want to add it to your own keystore?” After that, you should get a confirmation that the certificate was added to the keystore.

Step 3: Intermediate certificate file Installation

The intermediate certificate file provided by a certificate authority can be installed by typing the following command:

keytool -import -trustcacerts -alias intermediate -file IntermediateCertFileName.crt -keystore domain.keystore

Note:
Depending on the type of certificate purchased, there may be more than one intermediate certificate in the chain of trust. Install all intermediates in numerical order until you reach the domain (end-entity) certificate; keytool refuses to import a second entry under an alias that already exists, so give each intermediate its own alias (for example intermediate1, intermediate2). Upon successful installation, the following message will appear: ‘Certificate was added to keystore’.


Step 4: Primary certificate file Installation

For installing the primary certificate file for your domain name, you need to type following command:

keytool -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore domain.keystore

This is followed by a message confirming that the certificate was installed in the keystore.

With this step, your keystore contains all the certificates. All that remains before Tomcat can use the keystore file is the server configuration.

Step 5: Configure SSL Connector

For Tomcat to accept secure connections, it requires successful configuration of an SSL Connector. Here is how to do it:

By default, Tomcat looks in the home directory of the user running it for a keystore named .keystore with the keystore password changeit; both the file location and the password can be changed. The home directory is usually /home/user_name/ on Unix and Linux systems and C:\Documents and Settings\user_name\ on Microsoft Windows systems.

Option – 1

    1. Open Tomcat’s server.xml file in a text editor. This ‘.xml’ file is usually located in your Tomcat home directory.
    2. Locate the connector that you want to secure with the new keystore. Generally, the connector on port 443 or 8443 is used.
    3. If necessary, uncomment the SSL connector configuration by removing the comment tags (<!-- and -->).
    4. In the connector configuration, specify the correct keystore file name and password. Your connector should now look something like this.
      To use a JKS (Java KeyStore) file:
      <!-- keyAlias must match the alias the primary certificate was imported under (Step 4: tomcat) -->
      <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true" acceptCount="100"
                 scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
                 keyAlias="tomcat" keystoreFile="/home/user_name/your_keystore_file"
                 keystorePass="your_keystore_password" />
      To use a PFX/P12 (PKCS#12) file:
      <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true" acceptCount="100"
                 scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
                 keystoreFile="/home/user_name/your_keystore_file"
                 keystorePass="your_keystore_password" keystoreType="PKCS12" />
      Please note, if you are using a version prior to Tomcat 7, you need to change ‘keystorePass’ to ‘keypass’.
    5. Save the changes to the server.xml file.

      Note 1: You may need to comment out the following line:
      <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
      like so:
      <!--<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />-->
      Note 2: You may also need to set SSLEnabled="true" on the Connector for the SSL connection to work; otherwise only a plain HTTP connection is served. However, this is often not required.
    6. Now restart Tomcat.

Keep in mind that all Connector arguments are case sensitive!
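Because a miscased or missing Connector attribute is silently ignored rather than rejected, it pays to check server.xml before restarting Tomcat. The following checker is an added example (not part of the original article or of Tomcat) that parses a server.xml fragment and reports the Step 5 mistakes discussed above: a connector left commented out, a missing SSLEnabled="true", attribute names that differ only in case from what Tomcat expects, and a keystore password left at the keytool default. The sample server.xml fragments are constructed for the example.

```python
import xml.etree.ElementTree as ET

# TLS-relevant Connector attributes spelled the way Tomcat expects them. Tomcat matches
# attribute names case-sensitively, so a miscased "sslEnabled" is silently ignored.
TLS_ATTRS = ("SSLEnabled", "scheme", "secure", "sslProtocol", "clientAuth",
             "keystoreFile", "keystorePass", "keystoreType", "keyAlias")
_CANONICAL = {name.lower(): name for name in TLS_ATTRS}


def check_ssl_connector(server_xml: str, port: str = "443") -> list:
    """Return the problems found on the Connector(s) bound to `port`; an empty list means OK."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        # A connector still wrapped in <!-- --> is a comment, not an element, so it is not found.
        return [f"no Connector on port {port}; is it still commented out?"]
    problems = []
    for attrs in (c.attrib for c in connectors):
        for name in attrs:
            canon = _CANONICAL.get(name.lower())
            if canon and canon != name:
                problems.append(f"attribute {name!r} is miscased, Tomcat expects {canon!r}")
        if attrs.get("SSLEnabled") != "true":
            problems.append('SSLEnabled="true" missing: the connector will speak plain HTTP')
        if attrs.get("scheme") != "https" or attrs.get("secure") != "true":
            problems.append('scheme="https" and secure="true" expected on an SSL connector')
        if not attrs.get("keystoreFile"):
            problems.append("keystoreFile not set")
        if attrs.get("keystorePass", "") in ("", "changeit"):
            problems.append("keystorePass missing or left at the keytool default 'changeit'")
    return problems


# Constructed server.xml fragments (not from a real deployment), modelled on the page's connectors.
GOOD_JKS = """<Server><Service name="Catalina">
<Connector port="443" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
  sslProtocol="TLS" keyAlias="tomcat" keystoreFile="/home/user_name/domain.keystore"
  keystorePass="your_keystore_password" /></Service></Server>"""
PKCS12_NO_SSLENABLED = """<Server><Service name="Catalina">
<Connector port="443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
  keystoreFile="/home/user_name/domain.p12" keystorePass="your_keystore_password"
  keystoreType="PKCS12" /></Service></Server>"""
MISCASED_DEFAULT_PASS = """<Server><Service name="Catalina">
<Connector port="443" scheme="https" secure="true" sslEnabled="true"
  keystoreFile="/home/user_name/.keystore" keystorePass="changeit" /></Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("JKS", GOOD_JKS), ("PKCS12", PKCS12_NO_SSLENABLED), ("miscased", MISCASED_DEFAULT_PASS)):
        print(label + ":", check_ssl_connector(xml) or "OK")
```

Point it at your real file with `check_ssl_connector(open("server.xml").read(), "8443")` if your connector uses port 8443.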

Option – 2

Configure an SSL Connector using admintool

  1. Start Tomcat.
  2. Start the Tomcat admintool by opening http://localhost:8080/admin in a web browser.
  3. Enter your admin username and password.
  4. Choose ‘Service’ (Java Web Services Developer Pack) in the left pane.
  5. Select ‘Create New Connector’ from the drop-down list on the right.
  6. In the Type field, choose ‘HTTPS’.
  7. Enter ‘443’ or ‘8443’ in the ‘Port’ field. This is the TCP/IP port on which Tomcat will listen for secure connections.
  8. Enter the Keystore Name and Keystore Password if:
    • your keystore is named something other than .keystore,
    • .keystore is located in a directory other than the home directory on the machine running Tomcat, or
    • the password is something other than the default value of ‘changeit’.
    If you have used the default values, you can leave these fields blank.
  9. Save the new Connector by selecting ‘Save’.
  10. Select ‘Commit Changes’ to write the new Connector information to the server.xml file so that it is available the next time Tomcat is started.