Appendix: Set up Tomcat server by using a third-party (external) CA

7min
Perform the tasks in the following sections to set up the Tomcat server by using an external CA.
OpenSSL: Create an External CA
1
Generate CA Private Key:
Shell
openssl genrsa -out ext-CA-privatekey.pem 2048
openssl genrsa -out ext-CA-privatekey.pem 2048
﻿
2
Generate a self-signed certificate for CA (by using the previously generated private key):
Shell
openssl req -new -x509 -key ext-CA-privatekey.pem -out ext-CA-cert.pem -days 3650
openssl req -new -x509 -key ext-CA-privatekey.pem -out ext-CA-cert.pem -days 3650
﻿
This generates the following files:
The CA private key: ext-CA-privatekey.pem
The CA self-signed cert: ext-CA-cert.pem
3
 Copy the ext-CA-cert.pem file into the directory from which you execute keytool commands.
Java KeyTool: Generate a CSR to an external CA
1
Generate a server key pair and self-signed certificate:
Shell
keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcatdemo3 -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -genkeypair -keyalg RSA -keysize 2048 -alias tomcatdemo3 -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
When prompted, enter the following information for the server certificate you want to generate and enter a new KeyStore password, which all subsequent keytool and jarsigner commands use: 
Text
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
What is your first and last name?
[Unknown]: www.example.com

What is the name of your organizational unit?
[Unknown]: Engineering

What is the name of your organization?
[Unknown]: Futurex

What is the name of your City or Locality?
[Unknown]: Bulverde

What is the name of your State or Province?
[Unknown]: TX

What is the two-letter country code for this unit?
[Unknown]: US

Is CN=www.example.com, OU=Engineering, O=Futurex, L=Bulverde, ST=TX, C=US correct?
[no]: yes
﻿
Java KeyTool: Generate and export a CSR
1
Generate and export the CSR:
JS
keytool -certreq -alias tomcatdemo3 -file tomcatserver.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -certreq -alias tomcatdemo3 -file tomcatserver.csr -keystore NONE -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
Send the CSR to the external CA previously created in OpenSSL, either third-party or internal, to get it signed. 
The CA returns a signed server certificate and a root CA certificate.
4
Copy the tomcatserver.csr file in the directory from which you execute openssl commands.
OpenSSL: Sign the Tomcat server CSR
1
Sign the CSR and generate the signed Tomcat server certificate:
Shell
openssl x509 -req -days 3650 -in tomcatserver.csr -CA ext-CA-cert.pem -CAkey ext-CA-privatekey.pem -CAcreateserial -out ssl-Tomcatserver-cert.pem
openssl x509 -req -days 3650 -in tomcatserver.csr -CA ext-CA-cert.pem -CAkey ext-CA-privatekey.pem -CAcreateserial -out ssl-Tomcatserver-cert.pem
﻿
This generates the signed Tomcat server cert: ssl-tomcatserver-cert.pem
2
Copy the ssl-tomcatserver-cert.pem file into the directory from which you execute keytool commands.
Java KeyTool: Import the CA root certificate
1
Run the following command to import the CA root certificate:
Shell
keytool -import -trustcacerts -alias tomcatdemo_ext_ca1 -keystore NONE -file ext-CA-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -import -trustcacerts -alias tomcatdemo_ext_ca1 -keystore NONE -file ext-CA-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
3
When prompted to trust the certificate, enter yes, as shown in the following example:
Shell
Trust this certificate?
[no]: yes
Trust this certificate?
[no]: yes
﻿
If the command succeeds, you see output similar to the following:
Shell
Certificate was added to keystore.
Certificate was added to keystore.
﻿
Java KeyTool: Import the signed server certificate
1
To import the signed server certificate, run the following command:
Shell
keytool -importcert -alias tomcatdemo3 -keystore NONE -file ssl-Tomcatserver-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
keytool -importcert -alias tomcatdemo3 -keystore NONE -file ssl-Tomcatserver-cert.pem -storetype PKCS11 -providerclass sun.security.pkcs11.SunPKCS11 -providerName SunPKCS11-Futurex
﻿
2
Enter the KeyStore password.
If the command succeeds, you should see an output similar to the following:
Shell
Certificate reply was installed in keystore
Certificate reply was installed in keystore
﻿
Test Apache Tomcat
1
Go to the apache\conf\server.xml file and change KeyAlias to the alias user in the preceding step.
2
Start up Apache Server and go to apache\conf\bin\startup.
3
Open a web browser and go to https://localhost:8443.
The connection should show the certificate information. 
The subject and issuer are different because this is not a self-signed certificate.
﻿
Updated 19 Sep 2024
Did this page help you?
Configure Tomcat and test the server