
SSL Certificate Implementation

This document provides instructions for generating an SSL certificate keystore and certificate signing request (CSR) using keytool, installing the signed SSL certificate from a certificate authority (CA), and configuring Tomcat to use the SSL certificate for HTTPS. The steps include: 1) generating a keystore and CSR, 2) installing root, intermediate, and domain certificates to the keystore, and 3) configuring Tomcat's server.xml to use the keystore for HTTPS.

Uploaded by

Javed Alam
Copyright
© All Rights Reserved
SSL Certificate Implementation

Generating a Keystore and CSR in Tomcat

Using keytool, follow these steps to generate a keystore and CSR on your server.

1. Enter the following command into keytool to create a keystore:

keytool -keysize 2048 -genkey -alias domain -keyalg RSA -keystore domain.keystore

2. Enter a Password. The default is changeit.


3. Enter Distinguished Information:

• First and Last Name — the fully-qualified domain name, or URL, you're securing.
• Organizational Unit — Optional. If applicable, you can enter the DBA name in this field.
• Organization — the full legal name of your organization.
• City/Locality — Name of the city in which your organization is registered/located — do not abbreviate.
• State/Province — Name of state or province where your organization is located — do not abbreviate.
• Country Code — the two-letter International Organization for Standardization (ISO) format country code for where your organization is legally registered.

4. Enter the following command into keytool to create a CSR:

keytool -certreq -keyalg RSA -alias domain -file domain.csr -keystore domain.keystore

5. Enter the Password you provided in Step 2.


6. Open the CSR file, and copy all of the text, including comments.
7. Paste the copied CSR contents into the CA's online certificate request form.

Installing Your SSL in Tomcat

Place all the certificates received from the CA, together with the keystore used to generate the CSR, in Tomcat's lib directory, then follow these steps:

Open a command prompt.

Go to the lib directory.

1. Import Root Certificate

keytool -import -trustcacerts -alias AddTrustExternalCARoot -file AddTrustExternalCARoot.crt -keystore domain.keystore

2. Import Intermediate(s)

keytool -import -trustcacerts -alias intermediate_filename -file intermediate_filename.crt -keystore domain.keystore

Note:

Depending on the type of certificate that was purchased, there may be more than one Intermediate certificate in the chain of trust. Please install all intermediates in numerical order until you get to the domain/end entity certificate.

3. Import Entity/Domain certificate

keytool -import -trustcacerts -alias domain -file yourDomainName.crt -keystore domain.keystore

If successful, you should receive the message: Certificate reply was installed in keystore. It should NOT match the output of Step 1 or 2 above.

Note: The alias must be the one specified when the keystore and CSR were created (domain in the steps above). mykey is the alias keytool uses only when none was specified.
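
One way to confirm that the domain certificate was attached to the private key entry rather than stored under a separate alias, as an added example that is not part of the original document. The function reads `keytool -list -v` output; the sample listings and the www.example.com and Example CA names are constructed.

```shell
# Added example (not from the original document): check one alias in
# `keytool -list -v` output read from stdin. Real use, with the names above:
#   keytool -list -v -keystore domain.keystore | check_keystore_listing domain
check_keystore_listing() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                      # tolerate Windows line endings
        /^Alias name: / { alias = tolower(substr($0, 13)); incert = 0 }
        alias != tolower(want) { next }         # skip other entries
        /^Entry type: / { type = substr($0, 13) }
        /^Certificate chain length: / { chain = $4 + 0 }
        /^Certificate\[1\]:/ { incert = 1 }     # leaf certificate block
        /^Certificate\[2\]:/ { incert = 0 }
        incert && /^Owner: /  { owner  = substr($0, 8) }
        incert && /^Issuer: / { issuer = substr($0, 9) }
        END {
            if (type == "") { print "FAIL: alias not found"; exit 2 }
            if (type != "PrivateKeyEntry") { print "FAIL: no private key entry"; exit 3 }
            if (chain < 2 || owner == issuer) { print "FAIL: self-signed, CA reply not installed"; exit 4 }
            print "OK: chain length " chain
        }'
}

# Constructed listing: CA reply imported under a different alias (mykey), so
# "domain" still holds only the self-signed certificate from -genkey.
sample_wrong_alias() { cat <<'EOF'
Alias name: domain
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example Ltd, C=US
Issuer: CN=www.example.com, O=Example Ltd, C=US
Alias name: mykey
Entry type: trustedCertEntry
Owner: CN=www.example.com, O=Example Ltd, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
EOF
}

# Constructed listing: CA reply installed on the private key entry.
sample_installed() { cat <<'EOF'
Alias name: domain
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, O=Example Ltd, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
EOF
}
```

Exit code 4 means the alias still holds only the self-signed certificate created by -genkey, so the import in step 3 has to be repeated with the alias of the key entry.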

Configure Tomcat (Webserver) for SSL

Write the Connector configuration in Tomcat's server.xml, located at %Tomcat Home%/conf:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
secure="true" SSLEnabled="true" keystoreFile="domain.keystore" keystorePass="keystore password"
clientAuth="false" sslProtocol="TLS"></Connector>

Note: After changing the configuration, restart the web server's service.
