Home » SSL & Security » nsProtect™ Secure SSL » nsProtect™ Secure SSL Topics » Installing SSL Certificate Topics » Installation for Java-based Webservers (e.g. Tomcat) using keytool
Search Support
contact us

Let Us Make it Easy for You. Call 1-877-898-3290 for MyTime Support™. Learn More

Installing SSL Certificate Topics

Article Rating: 2 / 5 Votes: 12

Installation for Java-based Webservers (e.g. Tomcat) using keytool

Installing a Certificate with a Java-based Webserver such as Tomcat, using keytool

You will have received your certificate from us, a file typically named 'your_domain_com.crt' as well as the intermediate certificates UTNAddTrustServer_CA.crt and NetworkSolutions_CA.crt.  The root certificate AddTrustExternalCARoot.crt may also be provided.

You need to copy these files to your server, and then move to the directory where the keystore that was used to generate the CSR is located. Then execute the commands below to install the certificates.

  1. Firstly, import the root certificate (called AddTrustExternalCARoot.crt), with the following command:

keytool -import -trustcacerts -alias root -AddTrustExternalCARoot.crt-keystore my_keystore.jks

Replace the file 'my_keystore.jks' with the filename and path you wish to locate the keystore. Do this in all the commands below as well. 

  1. Next import the intermediate certificate (called UTNAddTrustServer_CA.crt), with the following command:

keytool -import -trustcacerts -alias %%INTERMEDIATE1NAME%% -UTNAddTrustServer_CA.crt-keystore my_keystore.jks

Repeat this command with any other intermediates certificates you received NetworkSolutions_CA.crt. 

  1. Finally, import the site certificate (the file with your domain in the filename), with the following command:

keytool -import -trustcacerts -alias server -file your_domain_com.crt -keystore my_keystore.jks

The 'server' alias should be the same alias name as you used when creating the CSR. For Tomcat servers, this should be 'tomcat'. 

  1. The certificates are all installed in the keystore, and you can configure your software to use that keystore.
    To do this with Apache Tomcat, you can edit the 'server.xml' file.
    Open the file, and search for a line that looks like the below, replacing the parts hightlighted to match your keystore (port, keystoreFile and keypass):

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreFile="/path/to/my_keystore.jks" keypass="mykeystorepassword"/>

Notes:
If you do not enter an alias with the '-alias' command flag when generating the CSR, the default alias will be used, 'mykey'. Use this alias at step 3.

For Tomcat, change the '-alias server' to '-alias tomcat'