Use Java's Keytool to create a CSR and install your SSL/TLS certificate on your Tomcat (or other Java-based) server
Use these instructions to generate your certificate signing request (CSR) and install your SSL/TLS certificate on your Tomcat server using Java’s Keytool.
Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart the Tomcat service.
- To create your certificate signing request (CSR), see Tomcat Server: Create Your CSR with Java Keytool.
- To install your SSL certificate, see Tomcat Server: Install and Configure Your SSL/TLS Certificate.
To view these instructions in Spanish, see CSR para Tomcat and Tomcat Instalar Certificado SSL.
If you are looking for a simpler way to create CSRs, and install and manage your SSL/TLS certificates, we recommend using the DigiCert® Certificate Utility for Windows. You can use the DigiCert Utility to generate your CSR and prepare your SSL/TLS certificate file for installation on your Tomcat server. See Tomcat: Create CSR & Install SSL/TLS Certificate with the DigiCert Utility.
I. Tomcat Server: Create Your CSR with Java’s Keytool
Use the instructions in this section to create a new keystore (.jks) file and to generate your CSR.
KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner and presents the same functionality. The -genkey option is what tells keytool to generate a public-private key pair. In contrast to ssh-keygen (the tool available on Unix-like platforms), which writes the public key and the private key to separate files, keytool stores both keys as a single entry in a file called a keystore.
Recommended Method: Use the DigiCert Java Keytool CSR Wizard
Save yourself some time: Use the DigiCert Java Keytool CSR Wizard to generate a Keytool command to create your Tomcat keystore and CSR.
- Simply fill out the form, click Generate, and then paste your customized Java Keytool command into your terminal.
- The Java keytool utility creates both your private key and your certificate signing request, and saves them to two files: your_common_name.jks, and your_common_name.csr.
- You can then copy the contents of the CSR file and paste it into the CSR text box in our order form.
- Skip to Step 2, part 3: Save and Back-up Your Keystore File.
Do you prefer a more manual approach to generating your Tomcat keystore and CSR? Follow the instructions below.
Step 1: Use Keytool to Create a New Keystore
Important: We recommend you generate a new keystore following the process outlined in this section. Installing a new certificate into an old keystore often ends in installation errors or the SSL/TLS certificate not working properly. Before you begin this process, back up and remove any old keystores.
- Run Command
- Navigate to the directory where you plan to manage your keystore and SSL/TLS certificate.
- Enter the command below. In the command, your_site_name should be the name of the domain you want to secure with this SSL/TLS certificate. When ordering a Wildcard certificate, do not include the asterisk (*) in the filename (e.g., your_site_name). The asterisk is not a valid keytool character.
- Create a Password
- When prompted, create a password for your Keystore. Note: You will specify this password in your Tomcat configuration file and then use it to generate your CSR and to import your certificate.
- Store this password somewhere safe, such as a trusted and secured password manager.
- Enter your SSL/TLS certificate information. Important: When prompted for the first and last name, DO NOT type your first and last name. Instead, type the Fully Qualified Domain Name (FQDN) for the site you are securing with this certificate (e.g., www.yourdomain.com, mail.yourdomain.com). Are you ordering a Wildcard Certificate? Then your FQDN must begin with an asterisk (*) (e.g., *.yourdomain.com).
- Enter your Organization information.
- When prompted to verify your information, type y or yes to confirm.
- When asked for a 'key password for <server>', press enter to use the password you just created for the keystore file.
- Your keystore file, your_site_name.jks, is now created and in your current working directory.
Step 2: Generate a Certificate Signing Request (CSR) from your New Keystore
- Run Command
- In Keytool, type the following command: In the command, your_site_name should be the name of the keystore file you created in Step 1: Use Keytool to Create a New Keystore or when using the DigiCert Java Keytool CSR Wizard.
- When prompted, enter the password you created earlier (when you created your new keystore).
- In your current directory, csr.txt (e.g., your_site_domain.txt) now contains your CSR.
- Save and Back-up Your Keystore File
- Take note of the path to your keystore file (your_site_domain.jks) as your SSL/TLS certificate will be installed to it later.
- We recommend that you create a back-up copy of your Keystore file (your_site_domain.jks) before continuing. Having a back-up of the Keystore file can help resolve issues that may occur during SSL/TLS certificate installation.
- Order Your SSL/TLS Certificate
- Open the .csr file you created with a text editor.
- Copy the text, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, and paste it into the DigiCert order form.
- Make sure that when you Select Server Software, you select Tomcat.
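Steps 1 and 2 run as one non-interactive script. This is an added example, not DigiCert's own command set or a Tomcat project script; it assumes keytool is on PATH, and the organisation values, the password and the output directory are constructed placeholders (the alias server is the one the prompts above refer to). The same -genkeypair call with -validity added is what the self-signed section below does by hand.

```shell
#!/bin/sh
# Added example (not DigiCert's or Tomcat's own script): Steps 1 and 2 run
# non-interactively. Assumes keytool is on PATH; the alias "server", the
# organisation values and the password are constructed placeholders.
set -eu

# Wildcard orders keep the "*" in the CN but not in the file name, because
# "*" is not a valid keytool file-name character.
keystore_name() {
    case "$1" in
        \*.*) printf '%s.jks\n' "${1#\*.}" ;;
        *)    printf '%s.jks\n' "$1" ;;
    esac
}

# Subject DN passed with -dname so keytool never asks "first and last name".
subject_dn() {
    printf 'CN=%s,O=%s,L=%s,ST=%s,C=%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Step 1: new keystore with a 2048-bit RSA pair (key password = store
# password, which is what pressing Enter at the key-password prompt gives
# you). Step 2: CSR from that keystore. Prints the CSR path; refuses to
# touch an existing keystore so an old one is never reused by accident.
create_keystore_and_csr() {
    site="$1"; storepass="$2"; dir="$3"
    mkdir -p "$dir"
    ks="$dir/$(keystore_name "$site")"
    csr="$dir/csr.txt"
    if [ -e "$ks" ]; then
        echo "refusing to reuse old keystore $ks; back it up and remove it first" >&2
        return 1
    fi
    keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
        -keystore "$ks" -storetype JKS \
        -storepass "$storepass" -keypass "$storepass" \
        -dname "$(subject_dn "$site" 'Example Corp' 'Lehi' 'Utah' 'US')" >/dev/null
    keytool -certreq -alias server -file "$csr" \
        -keystore "$ks" -storepass "$storepass" >/dev/null
    # The order form expects exactly these tags around the CSR body.
    grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$csr"
    grep -q -- '-----END NEW CERTIFICATE REQUEST-----' "$csr"
    echo "$csr"
}
```

Run as `create_keystore_and_csr www.yourdomain.com 'your-store-password' ./tomcat-ssl`; the path it prints is the file to open in Step 2's "Order Your SSL/TLS Certificate".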
Install Certificate
After you’ve received your SSL/TLS certificate from DigiCert, you can install it on your Tomcat server.
Securing your Java application with an SSL certificate can be extremely important. Fortunately, it is (usually) quite simple to do using Java Keytool. Most situations require that you buy a trusted certificate, but there are many cases when you can generate and use a self signed certificate for free.
When to Use a Keytool Self Signed Certificate
An SSL certificate serves two essential purposes: distributing the public key and verifying the identity of the server so users know they aren't sending their information to the wrong server. It can only properly verify the identity of the server when it is signed by a trusted third party. A self signed certificate is a certificate that is signed by itself rather than a trusted authority. Since any attacker can create a self signed certificate and launch a man-in-the-middle attack, a user can't know whether they are sending their encrypted information to the server or an attacker. Because of this, you will almost never want to use a self signed certificate on a public Java server that requires anonymous visitors to connect to your site. However, self signed certificates have their place:
Never use a self signed certificate on an e-commerce site or any site that transfers valuable personal information like credit cards, social security numbers, etc.
- An Intranet. When clients only have to go through a local Intranet to get to the server, there is virtually no chance of a man-in-the-middle attack.
- A Java development server. There is no need to spend extra cash buying a trusted certificate when you are just developing or testing an application.
- Personal sites with few visitors. If you have a small personal site that transfers non-critical information, there is very little incentive for someone to attack the connection.
Just keep in mind that visitors will see a warning in their browsers (like the one below) when connecting to a server that uses a self signed certificate until it is permanently stored in their certificate store.
Generate a Self Signed Certificate using Java Keytool
Now that you know when to use a Keytool self signed certificate, let's create one using a simple Java Keytool command:
![Keytool Keytool](/uploads/1/2/6/4/126427168/828959664.jpg)
- Open the command console on whatever operating system you are using and navigate to the directory where keytool.exe is located (usually where the JRE is located, e.g. C:\Program Files\Java\jre6\bin on Windows machines).
- Run the following command (where validity is the number of days before the certificate will expire):
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
- Fill in the prompts for your organization information. When it asks for your first and last name, enter the domain name of the server that users will be entering to connect to your application (e.g. www.google.com).
This will create a keystore.jks file containing a private key and your sparklingly fresh self signed certificate. Now you just need to configure your Java application to use the .jks file. If you are using Tomcat, you can follow our Tomcat SSL Installation Instructions.
For more information on creating a Java Keytool Self Signed Certificate, see the following links:
Originally posted on Sat Oct 30, 2010