Creating a Certificate for Tomcat Server

You can create a certificate signed by your own private key (self-signed certificate) or by a Certificate Authority (CA).

Before You Begin

About This Task

  • For Web Console, perform this task on the Web Console computer.
  • For Compliance Search, perform this task on the Compliance Search computer.
  • If you have an expired certificate, you can create or import a new certificate, and then configure SSL on the Tomcat Server.
  • If you are configuring SSL on the Tomcat Server for Web Console on a CommServe computer where Private Metrics Reporting Server is installed, then you must create a certificate signed by the CA. If you use a self-signed certificate, data will not upload to the Private Metrics Reporting Server.
  • When configuring an ObjectStore for Salesforce, use a CA-signed certificate for the Web Console .
  • When you use a self signed certificate, users might see a warning in the browser indicating that it is not safe to proceed.


  1. From the command prompt, navigate to the directory where the keytool.exe is located (for example, C:\Program Files\Java\java_version\bin).
  2. To create a self-signed certificate, create a file that contains both the private key and certificate:
    1. Execute the following command:

      keytool -genkey -keyalg RSA -alias selfsigned -keystore "C:\mykeystore.jks" -validity 360 -keysize 2048

      Where validity is the number of days before the certificate expires.

      Important: During the creation of the keystore, the command prompts you for two passwords: the keystore password at the beginning of the process and the certificate password at the end. Both passwords must be the same.

    2. When the command prompts you for the certificate password, type the password, and then press the Enter key.

      This command creates the mykeystore.jks file, which contains a private key and the self-signed certificate.

  3. To create a certificate signed by the CA, create a certificate and generate a Certificate Signing Request (CSR):
    1. Run the following command:

      keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks"

      This command will create the mykeystore.jks file containing the key-pair/certificate to be signed.

      During the command execution, you are prompted to provide information regarding your organization. Provide the following parameters:

      Parameter Description
      Alias Alias name used by Tomcat for reference purposes while importing or installing the certificate. The alias can be any simple name used for cross reference.

      After certificate signing is done by certificate authority and returned back to the customer, then you will need to use the same alias to import the certificate, which will be explained later.

      Password The keystore password. We recommended you use a strong password.
      First and Last name The fully qualified domain site name, such as someName.somecompany.com, which has to run using HTTPS. If requesting for a wildcard certificate, the site name can be specified as *.someportal.com.

      If the value given for this parameter does not reflect the starting part of the web site URL for which you are requesting the certificate, then the browser may treat the site as an untrusted. An error or warning message like this would be shown in such cases:

      The security certificate presented by this website was issued for a different website's address.

      Organizational Unit Optional: If applicable, you can specify the DBA (Doing Business As) name.
      Organization Name Full legal name of your organization.

      The organization name must be legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor’s name.

      City / Locality Name of the city (without abbreviation) in which your organization is located.
      State / Province Name of state or province (without abbreviation) where your organization is located.
      Country Code The two letter country code (international organization for standardization format) where your organization is legally registered.
    2. Run the following command to generate a CSR :

      keytool -certreq -keyalg RSA -alias tomcat -file C:\somename.csr -keystore C:\mykeystore.jks

      Parameter Description
      Alias The same alias name used for generating the keystore.
      File The path to the file for CSR creation.
      Keystore The path to the keystore that was recently created.

      Do not change the following parameters: -certreq -keyalg RSA

    3. Upload the CSR to the CA website, indicate the type of Tomcat server, and submit for signing.
    4. Download the Root, Intermediate, and Issued Server/Domain certificates.

      Important: This may be different based on the certificate authority. We recommend that you follow the guidelines provided by the CA.

    5. Import each signed certificate issued by the CA using the following commands:
      • Root Certificate:

        keytool -import -alias root -keystore C:\mykeystore.jks -trustcacerts -file C:\valicert_class2_root.crt

      • Intermediate Certificate:

        keytool -import -alias intermed -keystore C:\mykeystore.jks -trustcacerts -file C:\gd_intermediate.crt

      • Issued Server/Domain Certificate:

        keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt

  4. Close the command line.

What To Do Next