How to create csr certificate and finally install digital certificate on tomcat server.

To generate a CSR and Private Key for Tomcat, perform the following steps:

Using the Java JDK Tool (Recommended JDK 1.4 or higher) , Keytool:  Go into the JDK/bin/ directory (/j2sdk1.4.0/bin/)

Using the java keytool command line utility, the first thing you need to do is create a keystore and generate the key pair. Do this with the following command:
keytool -genkey -keysize 2048 -keyalg RSA -alias [Alias name] -keystore [Keystore Name]

Enter keystore password:  Choose a password and enter it when prompted to do so.

What is your first and last name?
[Unknown]: (example)

What is the name of your organizational unit?
[Unknown]:  Thawte testing (example)

What is the name of your organization?
[Unknown]:  Thawte Testing (example)

What is the name of your City or Locality?
[Unknown]:  Cape Town (example)

What is the name of your State or Province?
[Unknown]:  Western Province (example)

What is the two-letter country code for this unit?
[Unknown]:  ZA (example)

Is, OU=Thawte testing, O=Thawte Testing, L=Cape Town, ST=Western Province, C=ZA correct?
[no]:  yes

Enter key password for <tomcat>
(RETURN if same as keystore password)

NOTE: Please specify the same password for the keystore and the keyentry or else you will receive the following error message when you restart the jakarta engine: “ Cannot recover key”

Note, that a keystore was created.

Please run: keytool -list -keystore [keystorename] to make sure you can read the keystore file.

The keystore will be stored in your JDK/bin directory. Create a copy of the keystore file and store it on a removable disk for safe keeping in case of a server crash.


Backup Keystore file:  To backup the keystore file with the keyentry just created, please refer to the following solution: SO1870


Generate a CSR off the newly create keystore and keyentry:
keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore [keystorename]

Enter keystore password (from Step 1).

The CSR will be saved to your JDK/bin directory:





Submit the CSR in online Certificate enrollment process and fax the necessary documentation to your certificate renewer.

Installation of certificate.

Install certificate
Install certificate on Tomcat

Follow the instructions below to install the certificate on a Tomcat Server

Step 1: Download your Thawte certificate in PKCS#7 format

You will receive an email when your certificate is issued.
Retail Clients: Download your certificate in PKCS#7 format as per the instruction on the following solution:

To download your Thawte certificate, perform the following steps:

Access your Thawte account:

For Retail customers – Thawte Certificate Center (TCC):

For SPKI customers – Thawte Certificate Center Enterprise (TCCE):

For Reseller Partners – Thawte Partner Center:  Please visit the following link:

Enter your Username and Password.
Select the certificate from the list of available orders then click on Pick Up Certificate link.
Note: If you have a Code Signing certificate, skip steps 6 and 7. For steps to signing your code please view : AR1119
From the  Format drop down box select the certificate format that is required. For help on which format to select, please refer to solution SO799
Click on the Copy button to highlight certificate then right click and select copy or keyboard shortcut (ctrl+c).

Paste the certificate into a text editor (ex. Notepad or Vi) and save it.
If you downloaded the PKCS#7 version, save the file with a .P7B extension.
If you downloaded the X.509 version, save the file with a .CER extension.

For the installation guide to the most common server types go to: SO1498
Note: If the server software is not listed proceed to follow the installation instructions outlined to you in your server software documentation.

Reseller Clients (bought certificate through a third party): Download your certificate in PKCS#7 format, refer to solution


To download issued Thawte SSL certificate through User Portal, perform the following steps:

Access Thawte User Portal

Provide the common name, technical contact e-mail address associated with the SSL order, and the image number generated from the Thawte User Authentication page.
Select Request Access against the correct order ID.
An e-mail will be sent to the technical contact e-mail address specified above.
Click on the link listed in the e-mail to enter the User Portal.
Click View Certificate Information.
Copy and Paste your Thawte certificate to Notepad and save as a cert.p7b

Step 2: Install the SSL certificate

Import the certificate into the Java keystore using the following keytool command:
keytool -import -alias tomcat -trustcacerts -file cert.p7b  -keystore [keystorename]

Alternate installation instructions if the X.509 certificate is downloaded instead.

Follow Step 1 by downloading an X.509 certificate file format.
Download both Primary and Secondary Intermediate certificate as separate files, refer to article.

Thawte Intermediate and Cross Certificate CAs

Thawte uses Intermediate CAs to enhance the security of SSL and Code Signing certificates. Installing the correct Intermediate CAs or CA bundle for the certificate being used is absolutely essential to ensure that users don’t see certificate errors when visiting a website or running software secured with a Thawte certificate.

The following tables list Thawte products with links to the relevant Intermediate CA certificates and CA bundles. Please read the following notes to determine which you need:

Microsoft IIS : If you obtained your SSL certificate in the PKCS#7 format from your Thawte Certificate Center (TCC) account, downloading and manually installing CA certificates shouldn’t be required. If however you installed your SSL certiifcate from the approval email, please obtain the proper Intermediate CA below and see kb solution SO14996 for installation instructions

Tomcat : Customers that selected these server platforms when enrolling will have received a version of their certificate containing the SSL certificate and all required Intermediate CAs (as a PKCS#7 bundle). Downloading and manually installing CA certificates shouldn’t be required.

Apache and Apache derivatives
Apache HTTPD, other Apache derivatives and many webhosting providers are only able to specify a single CA certificate in the server or host configuration; these customers should download a CA bundle containing the relevant Intermediate and Cross Root CAs.

Other server platforms :
Please consult the server documentation or search our Knowledge Base to determine which format is required. In many cases, separate Intermediate and Cross Root CAs are needed.
Select the Intermediate CAs link based on your certificate product type.  Once you have the SSL certificate, Primary and Secondary Intermediate CA certificate files, begin the import process.
Note: It is imperative the installation of Primary Intermediate CA, Secondary Intermediate CA and SSL certificate on the keystore is followed below.
Import the Primary Intermediate certificate (e.g., use alias: primary)
keytool -import -alias primary -trustcacerts -file primary_intermediate_file_name  -keystore [keystorename]
Import the Secondary Intermediate certificate (e.g., use alias: secondary)
keytool -import -alias secondary -trustcacerts -file secondary_intermediate_file_name  -keystore [keystorename]
Import the SSL certificate (Use the same alias name based on the created keystore and submitted CSR from Thawte)
keytool -import -alias [your_alias_name] -trustcacerts -file X.509_file_name  -keystore [keystorename]

Note:  Tomcat keeps its configuration information in the server.xml file. Configure Tomcat to reference the correct keystore and keystore password as shown in the following solution:

Enable SSL in Tomcat with server.xml

Enable SSL in Tomcat with server.xml
Configuring the SSL Connector in server.xml

To configure the SSL in Tomcat with server.xml follow the instructions below:

1. Shutdown Tomcat, if it is running. Changes to the file <JWSDP_HOME>/conf/server.xml are read by Tomcat when it is started.

2. Open the file <JWSDP_HOME>/conf/server.xml in a text editor.

3. Find the following section of code in the file (try searching for SSL Connector). Remove comment tags around the Connector entry. The comment tags that are to be removed are shown in blue below.

<!– SSL Connector on Port 8443 –>




port=”8443″ minProcessors=”5″




connectionTimeout=”60000″ debug=”0″

scheme=”https” secure=”true”>



clientAuth=”false” protocol=”TLS”

keystoreFile=/”insert path to the keystore here”>

keystorePass=”insert keystore password here”/>



4. Save and close the file.

5. Start Tomcat.

For tomcat 6 please view:

Tomcat runs SSL over port 8443. Make sure that this port is enabled on the Tomcat server and any firewalls/proxies this server may lie behind.

For additional trouble shooting steps regarding “keytool error: java.lang.Exception: Input not an X.509 certificate” refer to solution

Troubleshooting Error: “keytool error: java.lang.Exception: Input not an X.509 certificate”

Error occurs when importing Sun Java™ certificate into the Key store:
keytool error: java.lang.Exception: Input not an X.509 certificate

There are a few causes for this error:
1. The incorrect alias was specified while trying to import the Certificate.

2. The Certificate being imported is improperly formatted.

3. The Certificate is imported into the incorrect keystore.

Please review each of the ‘possible’ causes below and their fixes to troubleshoot this error:

1. The incorrect alias was specified while trying to import the Certificate.

2. The Certificate being imported is improperly formatted.

NOTE: Try add 2 carriage returns at the end of the downloaded certificate file.

3. The Certificate is imported into the incorrect keystore.

If the keystore is lost a new keystore will need to be generated, and the certificate reissued

Courtesy : Thawte