Tomcat – CSR Instructions

To generate a Certificate Signing Request (CSR) you will first need to create a keystore for your Tomcat server. Tomcat uses keystores for its certificate web server configurations. If you lose your keystore file or your password to access it your SSL Certificate will no longer match and you will need to replace the certificate.

Note: Tomcat is a very custom environment and your system may differ. Below are generalized instructions. The naming conventions of the files and alias names used can be specified to fit your own environment.  You will need to adjust these instructions appropriately.

In order to generate a keystore for your Tomcat system perform the following instructions listed below.

Step 1: Create a Keystore:

1. Create a certificate keystore and private key by executing the following command:
   Note: You will specify a Privatkey Alias. This Alias will be used for CSR creation and eventually installation of the SSL Certificate.

   keytool -genkey -alias create_Privatkey_Alias -keyalg RSA -keystore path_and_create_KeystoreFilename.jks -keysize 2048

   

2. Enter and re-enter a keystore password.
   Note: You will need to use this custom password later for installation and to configure the Tomcat server.xml configuration file. In addition, remember your Alias Name for your private key. you will require it for installation.
3. Fill out the applicable information:
   
   • First and Last Name? or Common Name (CN): The Common Name is the Host + Domain Name. It looks like “www.mydomain.com” or “company.com”.
   • Organizational Unit (OU): This field is optional; but can be used to help identify certificates registered to an organization. The Organizational Unit (OU) field is the name of the department or organization unit making the request.
   • Organization (O): If your company or department has an &, @, or any other symbol using the shift key in its name, you must spell out the symbol or omit it to enroll.  Example: XY & Z Corporation would be XYZ Corporation
   • Locality or City (L): The Locality field is the city or town name, for example: Boston
   • State or Province (S): Spell out the state completely; do not abbreviate the state or province name, for example: New York
   • Country Name (C): Use the two-letter code without punctuation for country, for example: US or CA.
     
     
     
4. Confirm or reject the details by typing “Yes” or “No” and press Enter.

Step 2: Creating your CSR from your keystore:

1. The CSR is then created using the following command:

2. keytool -certreq -keyalg RSA -alias your_privatekey_alias -file your_csr_file.csr -keystore your_keystore_filename.jks

3. Create a copy of the keystore file. Having a back-up file of the keystore at this point can help resolve installation issues that can occur when importing the certificate into the original keystore file.
4. To copy and paste the file certreq.csr into the enrollment form, open the file in a text editor that does not add extra characters (Notepad or Vi are recommended).
   
   For a list of Keytool commands visit our article Java Keytool Commands. 

   Your CSR request has been created and is ready for you to copy and paste its contents into the enrollment portal.

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.

For Tomcat installation instructions:

Tomcat using X509 – SSL Installation

Tomcat using pkcs7 – SSL Installation

Tomcat Support

For more information refer to Tomcat