Generate CSR: Tomcat
Follow these instructions to generate a Private Key and CSR.
- Using the java keytool command
line utility, the first thing you need to do is create a keystore and
generate the key pair. Do this with the following command:
keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -sigalg SHA256withRSA -keystore mykeystore
2048 in the command above is the key
bit length. GeoTrust recommends a key bit length of 2048.
- You will be prompted for a password for the keystore. Tomcat uses a default password
of "changeit". Hit enter if you want to keep the default password.
If you use a different password, you will need
to specify a custom password in the server.xml configuration file.
- You will be prompted for a password for the private key within the keystore.
If you press enter at the prompt, the key password is set to the same password
as that used for the keystore from the previous step. The key password must
be at least 6 characters long. Make a note of the passwords. If lost they cannot
You will be asked for several pieces of info which will be used by GeoTrust to create
your new SSL certificate. These fields include the Common Name (aka domain, FQDN), organization,
country, key bit length, etc. Use the CSR Legend in the right-hand column of this page
to guide you when asked for this information. The following characters should not
be used when typing in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &
- On some older versions of the keytool utility, the next field that you will
be prompted for is
What is your first
and last name? At this prompt, you must specify the Common
Name of your web site (see CSR legend), not your real first
and last name.
- You will then be prompted for your organizational unit, organization, etc.
- Now generate the Certificate Signing Request (CSR) from
the private key generated above using the following command:
-certreq -alias tomcat -file yourdomain.csr -keystore mykeystore This
creates a CSR and stores it in a file named
Save a copy of your CSR. The CSR will be needed during the online order
process. You'll be asked to copy-and-paste your CSR into a special CSR box.
Below is an example of what your CSR will look like. This
is a example only and cannot be used to generate your SSL certificate.
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
Apache Tomcat 6.0
SSL Configuration HOW-TO
When generating your CSR you will be asked to input
a few pieces of info. Below are some common fields with descriptions and examples.
(also see About the CSR)
Common Name (CN)
The fully-qualified-domain name for your certificate. Examples include...
- *.domain.com (for wildcard SSL)
The exact legal name of your organization. Do not abbreviate your
organization's name. Example: Metro Realty LLC or Flowers by Jenny
Organizational Unit (OU)
The section or division of the organization. Example: Sales, Support, Customer Service
City or Locality (L)
The city where your organization is legally located. Cannot be
abbreviated. Example: Atlanta
State (S) or Province
The state or province where your organization is legally located. Cannot
be abbreviated.. Example: Georgia
The two-letter ISO Country Code abbreviation for your country. Example: US, CA, GB (must be two-letters)
Any email address. This field is arbitrary but must be filled in. GeoTrust
will not use this email address to process your order. Example: firstname.lastname@example.org
Key Bit Length
The key bit length has to do with the initial key exchange, not the
encryption strength of your certificate. GeoTrust recommends a key bit length of 2048.