Use the DigiCert Certificate Utility to create a CSR and prepare your certificate for installation on your Tomcat server
These instructions explain how to use the DigiCert® Certificate Utility for Windows and Tomcat service to create your CSR, prepare your SSL/TLS certificate file, and to configure your Tomcat server to use the certificate.
DigiCert® Certificate Utility for Windows
For a simpler way to create your Certificate Signing Request (CSR) and install and manage your SSL/TLS certificates, we recommend that you use the DigiCert Certificate Utility. For more information about our utility, see DigiCert® Certificate Utility for Windows.
Restart Note: After you've installed your SSL/TLS certificate and configured the server to use it, you must restart the Tomcat service.
For a simpler way to create your CSRs (Certificate Signing Requests) and install and manage your SSL Certificates, we recommend that you use the DigiCert® Certificate Utility for Windows. For more information about our utility, see DigiCert® Certificate Utility for Windows.
-
To create your certificate signing request (CSR), see Tomcat Server: Create Your CSR with the DigiCert Utility.
-
To install your SSL Certificate, see Tomcat Server: Install Your SSL Certificate.
If you don't have access to a Windows computer, prefer not to use the DigiCert Utility, or for some reason cannot use the utility, see Tomcat: Create CSR & Install SSL Certificate with Keytool.
I. Tomcat Server: Create Your CSR with the DigiCert Utility
The DigiCert® Certificate Utility for Windows streamlines the CSR creation process. With our utility, you can generate the CSR with one click.
-
On a Windows computer, download and save the DigiCert Certificate Utility for Windows zip file (DigiCertUtil.zip).
-
Extract the DigiCertUtil.exe from the zip file and then run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).
-
In the DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Create CSR.
-
On the Create CSR page, provide the following information below and then click Generate.
Certificate Type: Select SSL. Common name: The fully-qualified domain name (FQDN) (e.g., www.example.com). Subject Alternative Names: Are you requesting a Multi-Domain SSL Certificate? Then enter the SANs you want to include on the certificate (e.g., www.example.com, www.example2.com, and www.example3.net). Organization: Type your company's legally registered name (e.g., YourCompany, Inc.). Department: You can leave this box blank; you are not required to specify a department.
Do you want to specify a department? Then type the name of the department in your organization you want to associate the certificate with (e.g., Web Security).City: Type city where your company is located. State: Use the drop-down list to select the state where your company is located. Country: In the drop-down list, select the country where your company is legally located. Key Size: In the drop-down list, select 2048 (unless you have a specific reason for using a large bit length). -
In DigiCert Certificate Utility for Windows© - Create CSR window, complete one of following options:
Copy CSR This option copies the certificate contents to the clipboard. Use this option if you are ready to paste the CSR into the DigiCert order form.
Note: The DigiCert Certificate Utility does not store CSRs. Therefore, we recommend pasting the CSR into a text editor (such as Notepad) when using this option. If you close the CSR page and accidentally overwrite the clipboard contents without doing this, you will need to generate a new CSR.Save to File This option saves the CSR as a .txt file. -
When you're ready to order your SSL/TLS certificate, paste your CSR, including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST----- tags, into the DigiCert order form.
Note: Make sure that when you Select Server Software, you select Tomcat.
-
After you receive your SSL/TLS certificate from DigiCert, you can use the DigiCert Certificate Utility to help you install it on your Tomcat server.
II. Tomcat Server: Install Your SSL/TLS Certificate
After DigiCert validates your order and issues your SSL/TLS certificate, you can use the DigiCert® Certificate Utility for Windows, to prepare the certificate file for installation on your Tomcat server.
Note: If you have not created your CSR with the DigiCert Certificate Utility and ordered your SSL/TLS certificate, see Tomcat Server: Create Your CSR with the DigiCert Utility.
To install SSL/TLS certificate on your Tomcat server, complete the steps below.
-
Use the DigiCert Certificate Utility to import your SSL/TLS certificate to your Windows computer.
-
Use the DigiCert Certificate Utility to export the SSL/TLS certificate in a .PFX format.
-
Configure an SSL Connector on your Tomcat server.
Step 1: Import Your SSL/TLS Certificate
After DigiCert issues your SSL/TLS certificate, use the DigiCert Certificate Utility, to import the file.
-
On the Windows computer where you created the CSR, run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).
-
In DigiCert Certificate Utility for Windows©, click SSL (gold lock) and then click Import.
-
In the Certificate Import window, under File Name, click Browse and browse to the .p7b certificate file (e.g., your_domain_com.p7b) that DigiCert sent you, click Open, and then click Next.
-
In the Enter a new friendly name or you can accept the default box, type a friendly name for the certificate.
Note: The friendly name is not part of the certificate; it is used to identify the certificate.
We recommend that you add DigiCert and the expiration date to the end of your friendly name, for example: yoursite-digicert-(expiration date). This information helps identify the issuer and expiration date for each certificate. It also helps distinguish multiple certificates with the same domain name.
-
To import the SSL/TLS certificate to your server, click Finish.
You should receive a message that the certificate was successfully imported.
-
You should now see your SSL/TLS certificate in the DigiCert Certificate Utility for Windows©.
You are now ready to export your SSL/TLS ertificate as a .pfx file.
Step 2: Export Your SSL/TLS Certificate in a .PFX Format
After importing your SSL/TLS certificate to your Windows computer, use the DigiCert Certificate Utility to export the certificate as a .pfx file.
-
Run the DigiCert Certificate Utility for Windows© (double-click DigiCertUtil.exe).
-
In the DigiCert Certificate Utility for Windows©, click SSL (gold lock), select the SSL/TLS certificate you want to export as a .pfx file, and then click Export Certificate.
-
In the Certificate Export wizard, select Yes, export the private key, select pfx file, check Include all certificates in the certification path if possible, and then click Next.
-
In the Password and Confirm Password boxes, create and confirm a password and then click Next.
-
Next, click …, browse for and select the location where you want to save the .pfx file, and then click Save.
-
To export the SSL/TLS certificate with private key, click Finish.
-
After you receive the "Your certificate and key have been successfully exported" message, click OK.
Your SSL/TLS certificate has been exported as a .pfx file.
Step 3: Configure an SSL/TLS Connector in Tomcat
After you have the .pfx file, you are ready to install it on your Tomcat server and configure the server to use the certificate.
-
Copy the .pfx file to your Tomcat server.
-
In your Tomcat installation directory, locate server.xml.
-
Locate (or create) the connector on port 443 and edit it to use your new keystore.
Connector port="443" maxHttpHeaderSize="8192" maxThreads="100" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keystoreFile="your_certificate.pfx" keystorePass="changeIt" keystoreType="PKCS12"/>
Where:
-
keystoreFile is the full path to your pfx file
-
keystorePass is the password you created when exporting the pfx
-
keystoreType MUST be set to "PKCS12"
-
-
Save your changes to server.xml.
-
Restart the Tomcat service.
-
Congratulations! You've successfully installed your SSL/TLS certificate.
Test Your SSL/TLS Certificate Installation
Is your site publicly accessible? Then use our DigiCert® SSL Installation Diagnostic Tool to test your SSL/TLS certificate installation; it detects common installation problems.
Troubleshooting
If you run into certificate errors, try repairing your certificate trust errors using DigiCert® Certificate Utility for Windows. If this does not fix the errors contact support.