Tomcat SSL Installation Instructions

Installing the Certificates to the Keystore

  1. Download your certificate files from your certificate authority and save them to the same directory as the keystore that you created during the CSR creation process. The certificate will only work with the same keystore that you initially created the CSR with. The certificates must be installed to your keystore in the correct order.
  2. Install the Root Certificate file: Every time you install a certificate to the keystore you must enter the keystore password that you chose when you generated it. Enter the following command to install the Root certificate file:

    keytool -import -trustcacerts -alias root -file RootCertFileName.crt -keystore keystore.key

  3. If you receive a message that says "Certificate already exists in system-wide CA keystore under alias <...> Do you still want to add it to your own keystore? [no]:", select Yes. If successful, you will see "Certificate was added to keystore".

  4. Install the Intermediate Certificate file: If your certificate authority provided an intermediate certificate file, you will need to install it here by typing the following command:

    keytool -import -trustcacerts -alias intermediate -file IntermediateCertFileName.crt -keystore keystore.key

    If successful, you will see "Certificate was added to keystore".

  5. Install the Primary Certificate file: Type the following command to install the Primary certificate file (for your domain name):

    keytool -import -trustcacerts -alias tomcat -file PrimaryCertFileName.crt -keystore keystore.key

    If successful, you will see "Certificate reply was installed in keystore". You now have all the certificates installed to the keystore file. You just need to configure your server to use the keystore file.
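The import order above (root, intermediate, primary) only works if you know which downloaded file is which. The script below is an added example, not part of the original instructions: it uses openssl (an assumption; the page itself only uses keytool) to label each file and to confirm that the three form a chain before you import them. The function names and the demo file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: work out which CA file is which, and check the chain, before
# running the keytool imports. Function and file names are assumptions.

# Print "root", "intermediate" or "leaf" for one PEM certificate file.
cert_role() {
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
    echo root            # self-issued: subject and issuer are the same name
  elif openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo intermediate    # a CA certificate issued by another CA
  else
    echo leaf            # the primary certificate for your domain
  fi
}

# Succeed only if leaf ($3) chains to root ($1) through intermediate ($2).
chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Constructed sample input: write a throwaway three-level chain into dir $1.
make_demo_chain() (
  set -e; cd "$1"
  echo 'basicConstraints=critical,CA:TRUE' > ca.ext
  for n in root int leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$n.key" -out "$n.csr" \
      -subj "/CN=demo $n" 2>/dev/null
  done
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -out root.crt -days 2 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out intermediate.crt -days 2 2>/dev/null
  openssl x509 -req -in leaf.csr -CA intermediate.crt -CAkey int.key \
    -CAcreateserial -out leaf.crt -days 2 2>/dev/null
)
```

Run `cert_role` on each file from your certificate authority, then `chain_ok root.crt intermediate.crt primary.crt` with your own file names. If `chain_ok` fails, the three files do not form a chain; check that the intermediate is the one that actually issued your certificate.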

Configuring your SSL Connector

    Tomcat requires an SSL Connector to be configured before it can accept secure connections.

    By default Tomcat looks for your Keystore with the file name .keystore in the home directory with the default password "changeit". The home directory is generally /home/user_name/ on Unix and Linux systems, and C:\Documents and Settings\user_name\ on Microsoft Windows systems. You will be able to change the password and file location.

    1. Copy your keystore file (your_domain.key) to the home directory.
    2. Open the file ${CATALINA_HOME}/conf/server.xml in a text editor.
    3. Uncomment the SSL Connector Configuration.
    4. Make sure that the Connector Port is 443.
    5. Make sure the keystorePass matches the password for the keystore and the keystoreFile contains the path and filename of the keystore.
    When you are done, your connector should look something like this:

        <Connector className="org.apache.catalina.connector.http.HttpConnector" port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" acceptCount="10" debug="0" scheme="https" secure="true">
          <Factory className="org.apache.catalina.net.SSLServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/working/mykeystore" keystorePass="password"/>
        </Connector>

    6. Save the changes to server.xml
    7. Restart Tomcat
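Because keystorePass sits in server.xml in clear text, and both the default "changeit" and the sample value "password" are widely known, it is worth checking the file before restarting. The script below is an added example, not part of the original instructions; the function names and the demo configuration are hypothetical and the sample file is constructed.

```shell
#!/usr/bin/env bash
# Added example: audit the keystore settings in a Tomcat server.xml.
# Function names and the demo file are assumptions, not Tomcat tooling.

# Print one finding per line; print nothing when no problem is found.
# Note: grep also matches connectors inside XML comments, so review findings.
audit_server_xml() {
  xml=$1
  # server.xml holds keystorePass in clear text: other users must not read it.
  [ -z "$(find "$xml" -perm -004)" ] || echo "world-readable: $xml"
  # Flag Tomcat's default password, the sample value, and an empty value.
  grep -o 'keystorePass="[^"]*"' "$xml" | cut -d'"' -f2 |
  while IFS= read -r pass; do
    case $pass in
      changeit|password|'') echo "weak keystorePass: '$pass'" ;;
    esac
  done
  # The keystore holds the private key: it must exist and be private too.
  grep -o 'keystoreFile="[^"]*"' "$xml" | cut -d'"' -f2 |
  while IFS= read -r file; do
    if [ ! -f "$file" ]; then echo "keystore missing: $file"
    elif [ -n "$(find "$file" -perm -004)" ]; then echo "world-readable: $file"
    fi
  done
}

# Constructed sample input: a connector that still uses the default password.
write_demo_config() {
  : > "$1/mykeystore"; chmod 600 "$1/mykeystore"
  cat > "$1/server.xml" <<EOF
<Server>
  <Connector port="8443" scheme="https" secure="true">
    <Factory clientAuth="false" protocol="TLS"
             keystoreFile="$1/mykeystore" keystorePass="changeit"/>
  </Connector>
</Server>
EOF
  chmod 644 "$1/server.xml"
}
```

Call it as `audit_server_xml "${CATALINA_HOME}/conf/server.xml"`; an empty result means none of these checks fired.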

Tomcat SSL Installation Instructions Comments



I have created a .csr file and I would like to know what the next step is to create a proper certificate that can be used in the server.xml file.

Looking forward to your reply ASAP.

With regards


Is it possible to specify more than one keystorefile and keystorepass within one connector?

Something like: keystoreFile="/working/mykeystore" keystorePass="password" keystoreFile1="/working/2ndkeystore"

Thx and KR


Next you need to get the .crt file, either from a third party (mostly for prod env) or as a self-signed certificate.


We had an SSL certificate issued from which comes with 3 separate files (root, intermediate and actual certificate file). Above procedure did not work for our case. We had to export the certificates to PKCS format and later import back to JKS store (i.e. some_file.jks).

Cristy Manjarrez(2015-05-11)

Hey, I'm having the same issue, got 3 files from but not sure how I can install them... Can you please tell me how you did it? Thanks

ANAND SIRASAGI(2016-04-23)

@iTwin it would be a great help if you provide the steps for installing SSL issued from GoDaddy,
and the document provided by them is very poor.
Thanks in advance

Mallikarjun R(2017-08-14)

Hi, could you please tell me the steps? I have 3 files for Tomcat SSL, taken from
How to export to PKCS and import back to JKS?



I'm new to SSL, seeking some help.

We use Tomcat on a Windows Server box. Tomcat is THE webserver, we're not using IIS or anything else.

We have a certificate that expires in 6 months. 5000 client sites access the Tomcat server and authenticate the server via said cert.

Current cert. was generated 9 years ago and there's no documentation on what was done at that time. People move on.

We need to regenerate the/a certificate with a new expiration date.
We don't want the certificate warning to appear to the users at the client sites if that is possible.

Please advise (or ask questions).



Install the Primary Certificate file at step 4 above (install SSL cert) and got the following error:

Keytool error: java lang. exception: failed to establish chain from reply

Any help would be appreciated.

Vidal Cazarez(2014-12-13)

Here are the steps I've used to create a Java Keystore, generate a CSR, then submit the CSR to a trusted Authority or your IT Security Dept to sign your CSR Cert Req. See below for specific steps.

    # Assumes the caller has set these variables; KEYSECRET is the path of a
    # file that holds the keystore password.
    : "${KEYSTOREPATH:?}" "${KEYSTOREFILE:?}" "${KEYSECRET:?}" "${KEYHOST:?}"
    : "${CSRHOST:?}" "${CERTHOST:?}" "${KEYDAYS:?}"

    echo "1) Create the keystore with the DN and alias: ${KEYSTOREPATH}/${KEYSTOREFILE}"

    keytool -genkey -dname "cn=$KEYHOST, CN=Vidal Issuing CA, OU=Certification Authorities, O=Vidal\, Cazarez Pro services, C=US" \
      -keyalg RSA -keysize 2048 -alias tomcat -keypass "$(cat "${KEYSECRET}")" -keystore "${KEYSTOREPATH}/${KEYSTOREFILE}" -storepass "$(cat "${KEYSECRET}")" -validity "${KEYDAYS}"

    echo "2) Request for certificate (CSR): ${KEYSTOREPATH}/${CSRHOST} alias tomcat"
    keytool -certreq -file "${KEYSTOREPATH}/${CSRHOST}" -keystore "${KEYSTOREPATH}/${KEYSTOREFILE}" -storetype jks \
      -storepass "$(cat "${KEYSECRET}")" -keypass "$(cat "${KEYSECRET}")" -alias tomcat

    echo "3) Import the Verisign public certificate - RootCA: ${KEYSTOREPATH}/rootCA.cer"
    # echo keytool -import -alias root -file ${KEYSTOREPATH}/root.cer -trustcacerts -storetype jks -keystore ${KEYSTOREPATH}/${KEYSTOREFILE} -storepass `cat ${KEYSECRET}`
    keytool -import -alias root -file "${KEYSTOREPATH}/rootCA.cer" -trustcacerts -storetype jks -keystore "${KEYSTOREPATH}/${KEYSTOREFILE}" -storepass "$(cat "${KEYSECRET}")"

    echo "4) Import the Verisign intermediate certificate - IssuingCA: ${KEYSTOREPATH}/IssuingCA.cer"
    # echo keytool -import -alias intermediate -file ${KEYSTOREPATH}/intermediate.cer -trustcacerts -storetype jks -keystore ${KEYSTOREPATH}/${KEYSTOREFILE} -storepass `cat ${KEYSECRET}`
    keytool -import -alias intermediate -file "${KEYSTOREPATH}/IssuingCA.cer" -trustcacerts -storetype jks -keystore "${KEYSTOREPATH}/${KEYSTOREFILE}" -storepass "$(cat "${KEYSECRET}")"

    echo "5) Send CSR and form to Service Provider to have Verisign sign the CSR"

    echo "6) Service Provider obtains signed certificate from Verisign and returns it to you"

    echo "7) Import signed CSR Cert: ${KEYSTOREPATH}/${CERTHOST}"

    keytool -import -alias tomcat -file "${KEYSTOREPATH}/${CERTHOST}" -keystore "${KEYSTOREPATH}/${KEYSTOREFILE}" -storepass "$(cat "${KEYSECRET}")" -keypass "$(cat "${KEYSECRET}")"

    echo "8) List keyStore (JKS) contents to verify the keys and certificates: ${KEYSTOREPATH}/${KEYSTOREFILE}"

    # keytool -list -keystore ${KEYSTOREPATH}/${KEYSTOREFILE} -storetype jks -storepass `cat ${KEYSECRET}` -v
    keytool -list -keystore "${KEYSTOREPATH}/${KEYSTOREFILE}" -storetype jks -storepass "$(cat "${KEYSECRET}")" -v

    # End


Hi all, it would be a great help if any of you can tell me how to check which is the root certificate and which one is the intermediate, as I do not have this information. I have just received the .crt files, i.e. certificates, but I do not have any information about the certificate chain.
So when I am installing the certificate to my keystore of Apache Tomcat, my certificate hierarchy does not contain a chain of root, intermediate, primary.
How can I resolve this problem? It will be a great help to me.

Ritesh Sharma(2015-03-18)

Dear team,

We have installed an SSL certificate in the Tomcat server for one of our portals, which our customers use externally. When they open the link, the error is shown as:

HTTPS:- is showing in red colour with Cross mark in URL

Your connection is not private with lock showing in red colour with Cross

Click on advanced


Click on Proceed to Site name (unsafe)

Now our site is open with unsafe mode

Where exactly is the error, and how do we rectify it? Please suggest.



Hi, I was looking at the other article at

to create the self-signed certificate. From that article I was able to generate keystore.jks. Can you pls provide me the steps for the Tomcat configuration using the keystore.jks file? In this article you use three files, but I have only one file, that is keystore.jks.

Илья Павлов(2020-11-03)

Hi, Kiran

You can find the answer here:


Step 4 is incorrect, you must not use -trustcacerts with primary certificate.

NAFEEYA SAMAR(2016-11-23)


If I have two Tomcats running in a clustered environment, is it necessary to install the SSL certificates on both the Tomcats? If you have imported the certificates and installed them on one Tomcat but have not yet restarted the Tomcat to apply the changes, and by mistake you have forgotten to import the certificates in the other running Tomcat, what happens? Will it cause an outage?


SSL Shopper(2016-11-23)

As far as I am aware, you do need to install the certificate on both tomcat servers or an SSL connection will only work when the request is sent to the server with the SSL certificate installed.

NAFEEYA SAMAR(2016-12-01)


Thanks for your reply. I forgot to mention that both the Tomcats already had a certificate installed earlier which had not yet expired. But since their date of expiry was near, we planned to install the new certificates. Please reassess the situation with this background and let me know your inputs.

