Install and Configure Your SSL/TLS Certificate in Tomcat Server

Use Java Keytool to Install Your SSL/TLS Certificate to the Keystore

  1. Download Certificate

    • Save the your_domain_com.p7b certificate to the same directory as your Java keystore.

    • Note: If you used our Keytool CSR Command Generator or followed our instructions to generate your CSR, the Keystore file is named your_site_name.jks.

  2. Install the Certificate File in Your Keystore

    • Important: You must install the SSL/TLS Certificate file to the same keystore and under the same alias name (e.g., "-alias server") that you used to generate your CSR. If you try to install the certificate to a different keystore or under a different alias, the import command will not work.
    • Run the command below to import the certificate into your keystore.
keytool -import -alias server -file your_site_name.p7b -keystore your_site_name.jks
  • In the command above, your_site_name.p7b should be the name of the certificate file you downloaded, your_site_name.jks should be the name of the keystore file you created in Step 1: Create Your CSR with Java Keytool in Tomcat Server or when using the DigiCert Java Keytool CSR Wizard, and server should be the alias name you used when generating your CSR.
  • You should get a confirmation that the "Certificate reply was installed in keystore".
  • If you are prompted to trust the certificate, type y or yes.
  • The installation of this file loads all necessary certificates to your keystore.
  1. Your keystore file (your_site_name.jks) is now ready to be used on your Tomcat Server. Now, you are ready to configure your server to use it.

Configure Your SSL/TLS Connector

Before your Tomcat server can accept secure connections, you need to configure an SSL Connector.

  1. Use a text editor to open the Tomcat server.xml file.
    • Typically, the server.xml file is in the conf folder in your Tomcat’s home directory.
  2. Locate the connector you want the new Keystore to secure.
    • Usually, a connector with port 443 or 8443 is used; see step 4. Note that you may need to uncomment the connector – remove the comment tags ().
  3. Configure your Tomcat connector.
    • Make sure to specify your new keystore filename and password in your connector configuration.
  4. When you are done, your connector should look something like the example below.
    • Note: Are you using a version of Tomcat prior to Tomcat 7? Then you need to change the keystorePass to keypass.
    <Connector port="443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           SSLEnabled="true" clientAuth="false"
           sslProtocol="TLS" keyAlias="server"
           keystorePass="your_keystore_password" />
    • In the connector configuration above, keystoreFile is the full path to your keystore file, keystorePass is the password you used to create your keystore, and keyAlias is the same alias name (e.g., "server") that you used to generate your CSR.
  5. Save your changes to the server.xml file.
  6. Restart the Tomcat service.
  7. Congratulations! You've successfully installed your SSL certificate.