Archive for November, 2009

SSL Certificate on Tomcat


     SSL (Secure Sockets Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and intact. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers.

    To be able to create an SSL connection, a web server requires an SSL Certificate. Your web server first creates two cryptographic keys – a “Private Key” and a “Public Key”.

    The Public Key does not need to be secret and is placed into a Certificate Signing Request (CSR). You then submit the CSR during the SSL Certificate application process; the Certification Authority validates your details and issues an SSL certificate containing those details, allowing you to use SSL.

    Your web server matches the issued SSL Certificate to your Private Key; if it matches, it can establish an encrypted link between the website and your customer’s web browser. Below are the steps to generate an SSL certificate on Apache Tomcat.

        -: Generate SSL Certificate on Tomcat :-   

1) Using the “java keytool” command line utility, the first thing you need to do is
   create a keystore and generate the key pair. You can do this with the following
   command:

    SHELL> keytool -genkey -keysize 1024 -keyalg RSA -alias tomcat -keystore \


    The above command generates a keystore holding a 1024-bit key pair created with the
    RSA algorithm. After running it, keytool asks a series of questions which you have to
    answer. The questions are:

    Enter keystore password: 
    Re-enter new password:
    What is your first and last name?
    What is the name of your organizational unit?
      [Unknown]:  Information Technology
    What is the name of your organization?
      [Unknown]:  Bhavesh Private Limited
    What is the name of your City or Locality?
      [Unknown]:  Mumbai
    What is the name of your State or Province?
      [Unknown]:  Maharastra
    What is the two-letter country code for this unit?
      [Unknown]:  IN
    Is, OU=Information Technology, O=Bhavesh Private Limited, L=Mumbai,
    ST=Maharastra, C=IN correct?
      [no]:  yes

    Enter key password for <tomcat>
            (RETURN if same as keystore password): 

2) With the keystore generated above, you now need to create a new Certificate
   Signing Request (CSR). To create the CSR, run the command below at your command prompt.

    SHELL> keytool -certreq -alias tomcat -file <yourdomain.csr> \
       -keystore mykey.keystore

    The new CSR is generated from the keystore. The content of the newly generated CSR
    (yourdomain.csr) looks like this:


3) Now you need to purchase an SSL certificate from the respective Certificate
   Authority, like ( or Geotrust or Verisign), where you will get an account from
   which you can upload your CSR. After uploading the CSR you will receive an email
   verification mail containing an HTTP link with which you approve the order; after
   that you will receive your SSL certificate by email.

   Now that you have your SSL certificate, run the command below to import it into
   your keystore file.

    SHELL> keytool -import -alias tomcat -keystore mykey.keystore -trustcacerts -file

    The SSL certificate is now imported into the keystore.

4) Now add the line mentioned below to the “SSL/TLS Connector configuration” part of your
   Tomcat configuration file (conf/server.xml).


    “keystorePass” is the password you gave while generating the “mykey.keystore” file.

5) Finally, restart the Tomcat service, and that’s it.
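The whole procedure as a script, added here as an example (it is not part of the original post): it runs steps 1 to 3 non-interactively and adds the checks worth running before you restart Tomcat, namely that the alias still holds the private key and that the CA-issued chain really replaced the self-signed certificate. It keeps the post's keystore name and alias, but the CN (www.example.com) and the password are constructed placeholders, and it uses 2048-bit RSA instead of the post's 1024 bits.

```shell
#!/bin/sh
# Non-interactive version of steps 1-3 above plus the checks to run before restarting
# Tomcat. Added example, not from the post; CN and password are constructed placeholders.
set -eu

KEYSTORE="${KEYSTORE:-mykey.keystore}"   # keystore file named in the post
ALIAS="${ALIAS:-tomcat}"                 # alias used in the post
STOREPASS="${STOREPASS:-changeit}"       # PLACEHOLDER: replace with a real secret
# Subject DN from the step 1 answers. The CN is constructed (the post leaves the
# "first and last name" prompt blank); it must be the hostname users will connect to.
DNAME="CN=www.example.com, OU=Information Technology, O=Bhavesh Private Limited, L=Mumbai, ST=Maharastra, C=IN"

# Step 1: keystore + key pair; -dname replaces the interactive questions.
# 2048-bit RSA instead of the post's 1024 bits: public CAs no longer sign 1024-bit keys.
gen_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" -dname "$DNAME" \
        -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: CSR to send to the CA ($1 = output file, e.g. yourdomain.csr).
gen_csr() {
    keytool -certreq -alias "$ALIAS" -file "$1" -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Step 3: import the CA reply under the SAME alias so it replaces the self-signed
# certificate; -trustcacerts lets keytool complete the chain from the JDK cacerts.
# keytool rejects a reply whose public key does not match the stored private key.
import_cert() {
    keytool -import -alias "$ALIAS" -trustcacerts -file "$1" -noprompt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Entry type under the alias: PrivateKeyEntry means the private key is present.
# Importing under a different alias creates a trustedCertEntry, which Tomcat cannot use.
entry_type() {
    keytool -list -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | grep -oE 'PrivateKeyEntry|trustedCertEntry' | head -n 1
}

# Certificate chain length under the alias: 1 means the self-signed placeholder is still there.
chain_length() {
    keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

# Succeeds only once the CA-issued certificate and its issuer chain are in place.
verify_import() {
    [ "$(entry_type)" = "PrivateKeyEntry" ] && [ "$(chain_length)" -gt 1 ]
}
```

Run `gen_keystore`, then `gen_csr yourdomain.csr`, send the CSR to the CA, and after `import_cert <reply file>` check that `verify_import` succeeds before touching the connector configuration.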