Purpose: SSL/TLS Certificate Installation Guide
For Tomcat Version 8.5+
Need Certificate Signing Request (CSR) help? Tomcat uses Keytool to create a CSR. You can use our Keytool CSR command Builder here to help you get started.
For help using the Keytool CSR command Builder read this article here.
After you have obtained the command to use to create the CSR from the command builder, open your terminal and paste the command. A CSR and private key will be created.
Before you begin...
- Tomcat includes a certificate utility called Keytool. All of the steps below will be performed using Java keytool.
- Important: In order to install your certificate, you must use the same keystore that was created when you requested the certificate. You must also use the same keystore alias name that was used when the keystore and corresponding private key were generated.
- Never share private keys or keystore files.
- If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).
- It is best practice to use current, up-to-date ciphers and protocols when deploying a new private key and server certificate.
- Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.
- For more information on SSL/TLS Best Practices, click here.
Installing your Entrust SSL/TLS Certificate on a Tomcat Server
1. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a file named CertificateBundle.pem. This file includes your signed SSL/TLS certificate and the combined certificate chain.
2. Type and run the following command on your Tomcat server. The alias (server) and the keystore file name (yoursite.jks) in this command are variables: replace them with the alias name and keystore file name you used to create your keystore and Certificate Signing Request.
Please note: It is recommended that you type the command into your terminal instead of pasting the command.
keytool -import -trustcacerts -alias server -file CertificateBundle.pem -keystore yoursite.jks
- You will be prompted to supply your keystore password. You must supply the password to complete the import process.
- If a prompt appears asking you if you want to trust the certificate, enter yes.
- If the certificate installs correctly, you will see a message in the prompt that states “Certificate reply was installed in keystore”
- Configure your Tomcat server to use the TLS protocol along with the Java Keystore. To do this, you must edit your Tomcat server.xml file, which is typically located in the conf folder of your Tomcat’s home directory.
Before making any changes, you should save a copy of your original server.xml file in case you run into any issues.
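Open the server.xml file in a text editor and specify your keystore file name, password, and alias in the Connector element (the keystoreFile, keystorePass, and keyAlias attributes). The keystore file must be the same keystore you imported the certificate into. You should see a section that looks like the following: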
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
           keyAlias="server" keystoreFile="yourkeystore.jks"
           keystorePass="your_keystore_password" />
- Restart your Tomcat Server to complete the certificate installation process.
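The keystore and alias requirement from "Before you begin" can be checked before the import in step 2 and again afterwards. The script below is an added example, not Entrust's own tooling: it reads the output of keytool -list and confirms that the alias is a PrivateKeyEntry, since importing under an alias that has no private key makes keytool print "Certificate was added to keystore" instead of the certificate reply message. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a keystore alias from `keytool -list` output.
# Real use:  keytool -list -keystore yoursite.jks | check_alias server

# entry_type ALIAS: read a keytool listing on stdin and print the entry
# type of ALIAS (PrivateKeyEntry, trustedCertEntry, ...) or "missing".
entry_type() {
    awk -v want="$1" '
        # Entry lines look like:  alias, Mar 4, 2024, PrivateKeyEntry,
        /Entry, *$/ {
            n = split($0, f, /, */)
            while (n > 0 && f[n] == "") n--     # drop empty field after last comma
            if (tolower(f[1]) == tolower(want)) { print f[n]; found = 1; exit }
        }
        END { if (!found) print "missing" }
    '
}

# check_alias ALIAS: succeed only when ALIAS still holds the private key,
# which is what keytool needs to install the bundle as a certificate reply.
check_alias() {
    t=$(entry_type "$1")
    case "$t" in
        PrivateKeyEntry)  echo "ok: '$1' holds a private key"; return 0 ;;
        trustedCertEntry) echo "fail: '$1' is a certificate with no key"; return 1 ;;
        missing)          echo "fail: no alias '$1' in this keystore"; return 1 ;;
        *)                echo "fail: '$1' is a $t"; return 1 ;;
    esac
}

# Constructed sample listing (not from a real keystore).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

server, Mar 4, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD (constructed, shortened)
entrustroot, Mar 4, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:22:33:44 (constructed, shortened)'

for a in server entrustroot www; do
    printf '%s\n' "$SAMPLE_LISTING" | check_alias "$a" || true
done
```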
Your SSL/TLS Certificate should now be installed. If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance.
Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as a UITF toll free call.
|Australia||0011 - 800-3687-7863|
|Austria||00 - 800-3687-7863|
|Belgium||00 - 800-3687-7863|
|Denmark||00 - 800-3687-7863|
|Finland||990 - 800-3687-7863 (Telecom Finland); 00 - 800-3687-7863 (Finnet)|
|France||00 - 800-3687-7863|
|Germany||00 - 800-3687-7863|
|Hong Kong||001 - 800-3687-7863 (Voice); 002 - 800-3687-7863 (Fax)|
|Ireland||00 - 800-3687-7863|
|Israel||014 - 800-3687-7863|
|Italy||00 - 800-3687-7863|
|Japan||001 - 800-3687-7863 (KDD); 004 - 800-3687-7863 (ITJ); 0061 - 800-3687-7863 (IDC)|
|Korea||001 - 800-3687-7863 (Korea Telecom); 002 - 800-3687-7863 (Dacom)|
|Malaysia||00 - 800-3687-7863|
|Netherlands||00 - 800-3687-7863|
|New Zealand||00 - 800-3687-7863|
|Norway||00 - 800-3687-7863|
|Singapore||001 - 800-3687-7863|
|Spain||00 - 800-3687-7863|
|Sweden||00 - 800-3687-7863 (Telia); 00 - 800-3687-7863 (Tele2)|
|Switzerland||00 - 800-3687-7863|
|Taiwan||00 - 800-3687-7863|
|United Kingdom||00 - 800-3687-7863; 0800 121 6078; +44 (0) 118 953 3088|