Support Desk

Install SSL Certificate on Tomcat Server using Java Keytool

Download and copy your certificate files to your server

Download your SSL certificate and support files by clicking on the download link in your fulfillment email or from your GeoCerts SSL Manager account. Download the PKCS#7 formatted version of your certificate.

  1. Download the PKCS#7 version of your certificate to your server
  2. Use the following command to install the PKCS#7 certificate into your keystore. You MUST use the same keystore used for your private key and CSR.
    keytool -import -trustcacerts -alias tomcat -file your_site_name.p7b -keystore mykeystore.jks
    You MUST you the same alias used when the keystore was created, in this case the alias used was tomcat
  3. Enter your keystore password
  4. You should get the follow response:
    ... is not trusted. Install reply anyway? [no]:  yes
  5. Enter 'yes' and hit Enter.
  6. You should get the following response:
    Certificate reply was installed in keystore

Note: When executing the command to import the SSL certificate, you must specify the actual Alias used when you initially created the keystore. If you are unsure of this, run the following command to see the contents of your keystore: keytool -list -keystore mykeystore.jks -v

The SSL Certificate and intermeidiate cert are now installed into your keystore.

Configure Tomcat

  1. Locate the tomcat config file (example server.xml), the config filename can be different depending on your Tomcat version or flavour. The config file will need to be updated to reference your keystore file and password.
  2. Open the server.xml file in a text editor (such as vi or notepad). The server.xml file is usually located in the conf folder of your Tomcat's home directory.
  3. Locate the connector that you want to use the new keystore to secure.
  4. Make sure you are using the correct port (usually 443 or 8443).
  5. If necessary, uncomment the connector. To uncomment a connector, remove the comment tags (<!-- and -->).
  6. Specify the correct keystore filename and password in your connector configuration. When you are done, your connector should look something like this:
    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
    maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100"
    scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server"
    keystoreFile="/home/user_name/your_site_name.jks" keystorePass="your_keystore_password" />
  7. Note: If you are using a version of Tomcat prior to Tomcat 7, you need to change "keystorePass" to "keypass".
  8. Save the server.xml file
  9. Restart Tomcat

Verify Installation

  • To verify if your certificate is installed correctly, use our Certificate Installation Checker.
  • Test your SSL certificate by using a browser to connect to your server. Use the https protocol directive. For example, if your SSL was issued to, enter into your browser.
  • Your browser's padlock icon will be displayed in the locked position if your certificate is installed correctly and the server is properly configured for SSL.

Additional Resources

Apache Tomcat 6.0 SSL Configuration HOW-TO