Install SSL Certificate on Apache Tomcat CentOS/Ubuntu

Apache Tomcat, often referred to simply as Tomcat Server, is a free, open-source Java Servlet container developed by the Apache Software Foundation. This article explains how to install an SSL certificate on Apache Tomcat on a CentOS or Ubuntu Linux server.

We assume that you already have a working Tomcat server on your system. If you have not installed it yet, see our article Install Tomcat server on RHEL, Centos or Ubuntu Systems.

Create keystore using keytool.

A Java KeyStore (JKS) is a repository (a database that can store keys) of security certificates. Keytool is a command-line utility for managing keys and certificates. It is included in the JDK and JRE packages.

[root@linuxp ~]#keytool -genkey -alias linuxpcfix.com -keyalg RSA -keystore /mnt/keystore

Enter keystore password:

Re-enter new password:

They don’t match. Try again

Enter keystore password:

Re-enter new password:

What is your first and last name?

  [Unknown]:  Gajendra

What is the name of your organizational unit?

  [Unknown]:  Linuxpcfix

What is the name of your organization?

  [Unknown]:  Linuxpcfix

What is the name of your City or Locality?

  [Unknown]:  Jaipur

What is the name of your State or Province?

  [Unknown]:  Rajasthan

What is the two-letter country code for this unit?

  [Unknown]:  IN

Is CN=Gajendra, OU=Linuxpcfix, O=Linuxpcfix, L=Jaipur, ST=Rajasthan, C=IN correct?

  [no]:  yes

Enter key password for < linuxpcfix.com >

        (RETURN if same as keystore password):

Re-enter new password:


The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /mnt/keystore -destkeystore /mnt/keystore -deststoretype pkcs12".

Get Certificate Authority Signed Certificate.

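If you want to install a valid SSL certificate from a certificate authority, you first need to generate a CSR (certificate signing request) using the following command. Run it against the keystore that holds the key pair created above: the commands below use /etc/pki/keystore, while the first command above created the keystore at /mnt/keystore, so use one path consistently on your system.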

[root@linuxp ~]#keytool -certreq -keyalg RSA -alias linuxpcfix.com -file linuxpcfix.com.csr -keystore /etc/pki/keystore

The above command will ask for the keystore password and generate the CSR file. Send the generated CSR to a certificate authority and purchase an SSL certificate.
After the certificate authority completes its verification and issues the certificate, you will receive the following files: root certificate, intermediate certificate, and certificate file.
Install the root certificate:

[root@linuxp ~]# keytool -import -alias root -keystore /etc/pki/keystore -trustcacerts -file root.crt

Install the intermediate certificate:

[root@linuxp ~]# keytool -import -alias intermed -keystore /etc/pki/keystore -trustcacerts -file intermediate.crt

Install the issued certificate:

[root@linuxp ~]#keytool -import -alias linuxpcfix.com -keystore /etc/pki/keystore -trustcacerts -file linuxpcfix.com.crt

Configure keystore in tomcat

Now go to your Tomcat Catalina home directory, open the conf/server.xml file in your preferred editor and update the configuration as shown below. You can change the port from 8443 to another port if you like.

<Connector port="8443" protocol="HTTP/1.1"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/etc/pki/keystore" keystorePass="_password_" />

Finally, restart your Tomcat server.
To restart Tomcat, go to the Tomcat Catalina home directory and run the commands below.

[root@linuxp ~]#./bin/shutdown.sh
[root@linuxp ~]#./bin/startup.sh

Some useful Java Keytool commands
• These commands let you generate a new Java Keytool keystore file, create a CSR, and import certificates. Any root or intermediate certificates need to be imported before importing the primary certificate for your domain.
To generate a Java keystore and key pair

[root@linuxp ~]#keytool -genkey -alias linuxpcfix.com -keyalg RSA -keystore keystore.jks -keysize 2048

To generate a CSR for an existing Java keystore file, run the command below.

[root@linuxp ~]#keytool -certreq -alias linuxpcfix.com -keystore keystore.jks -file linuxpcfix.com.csr

To import a root or intermediate CA certificate into an existing Java keystore, run the following command

[root@linuxp ~]#keytool -import -trustcacerts -alias root -file Thawte.crt -keystore keystore.jks

To import a signed primary certificate into an existing Java keystore

[root@linuxp ~]#keytool -import -trustcacerts -alias linuxpcfix.com -file linuxpcfix.com.crt -keystore keystore.jks

To generate a keystore and self-signed certificate

[root@linuxp ~]#keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

If you would like to check the information within a certificate or Java keystore, run the following commands.
To check a stand-alone certificate

[root@linuxp ~]#keytool -printcert -v -file linuxpcfix.com.crt

To verify which certificates are in a Java keystore

[root@linuxp ~]#keytool -list -v -keystore keystore.jks

To verify a particular keystore entry using an alias

[root@linuxp ~]#keytool -list -v -keystore keystore.jks -alias linuxpcfix.com
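The alias check above tells you whether the CA-signed certificate actually replaced the self-signed one under the key pair's alias. The following is an added example, not part of the original article, that classifies an alias from `keytool -list -v` output; the function name, verdict strings and both sample listings are constructed for illustration.

```sh
# Added example, not from the original article: classify one alias from
# `keytool -list -v` output on stdin. Function and verdict names are illustrative.
# Real use: keytool -list -v -keystore /etc/pki/keystore | check_keystore_entry linuxpcfix.com
check_keystore_entry() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13); next }
        cur != want                   { next }   # skip other entries
        /^Entry type: /               { type = $3 }
        /^Certificate chain length: / { len = $4 }
        /^Owner: /  && owner == ""    { owner = substr($0, 8) }   # leaf is listed first
        /^Issuer: / && issuer == ""   { issuer = substr($0, 9) }
        END {
            if (type == "")                       v = "MISSING"           # alias not in keystore
            else if (type != "PrivateKeyEntry")   v = "NO_PRIVATE_KEY"    # certificate only, no key
            else if (len == 1 && owner == issuer) v = "SELF_SIGNED"       # CA reply never imported
            else if (len == 1)                    v = "CHAIN_INCOMPLETE"  # issuer certs not in chain
            else                                  v = "OK"
            print v
            exit (v == "OK" ? 0 : 1)
        }'
}

# Constructed, abbreviated listing after the root, intermediate and signed imports.
sample_good() { cat <<'EOF'
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Alias name: linuxpcfix.com
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=linuxpcfix.com
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
EOF
}
# Constructed listing right after -genkey, before any CA certificate is imported.
sample_fresh() { cat <<'EOF'
Alias name: linuxpcfix.com
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=Gajendra, OU=Linuxpcfix, O=Linuxpcfix, L=Jaipur, ST=Rajasthan, C=IN
Issuer: CN=Gajendra, OU=Linuxpcfix, O=Linuxpcfix, L=Jaipur, ST=Rajasthan, C=IN
EOF
}
sample_good | check_keystore_entry linuxpcfix.com   # prints OK
```

A verdict other than OK for the alias Tomcat serves means browsers will see the self-signed certificate or an incomplete chain, even though every import command appeared to succeed.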

Other useful Java Keytool commands
To delete a certificate from a Java Keytool keystore

[root@linuxp ~]#keytool -delete -alias linuxpcfix.com -keystore keystore.jks

To change a Java keystore password

[root@linuxp ~]#keytool -storepasswd -new new_storepass -keystore keystore.jks

To export a certificate from a keystore

[root@linuxp ~]#keytool -export -alias linuxpcfix.com -file linuxpcfix.com.crt -keystore keystore.jks

To list the trusted CA certificates

[root@linuxp ~]#keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

To import a new CA into the trusted certificates

[root@linuxp ~]#keytool -import -trustcacerts -file /path/to/ca/ca.pem -alias CA_ALIAS -keystore $JAVA_HOME/jre/lib/security/cacerts



I am the founder and webmaster of www.linuxpcfix.com, working as a Sr. Linux Administrator (expertise in Linux/Unix & cloud servers), and have been in the industry for the last 7 years.
