
Installation instructions for Tomcat using PKCS#7 format

Solution

This document was created to assist with the installation of an SSL certificate in Tomcat.  If this document cannot be used within your environment, RapidSSL recommends contacting an organization that supports Tomcat.
 

Select the correct installation instructions based on the certificate criteria below:

RapidSSL Security Center
Certificates enrolled on or after November 10, 2017

Partner issued certificates
Certificates enrolled on or after November 10, 2017
 
 

RapidSSL Security Center - Certificates enrolled on or after November 10, 2017

This document provides instructions for installing an SSL certificate on Tomcat using the PKCS#7 formatted certificate.
 
Step 1:  Download the SSL certificate
  1. Download your certificate from the unique secure link we provide your technical contact via order fulfillment email.
  2. The ZIP file you download contains the SSL and Intermediate CA certificates in a PKCS#7 file (i.e. ssl_certificate.p7b).
  3. Unzip the files onto the server where you will install the certificate.
     
Step 2: Import the SSL certificate into the keystore
  1. At the command prompt, enter:

    keytool -import -alias your_alias_name -trustcacerts -file ssl_certificate.p7b -keystore your_keystore_filename

Note: The alias name and keystore name in this command must be the same as the alias name and keystore name used during the generation of the private key and certificate signing request (CSR).

During the import you might encounter the following error: "java.lang.Exception: Input not an X.509 certificate." To troubleshoot this error, refer to solution.
 
 
Step 3: Confirm contents of the keystore
  1. At the command prompt, enter:

    keytool -list -v -keystore  your_keystore_filename >output_filename

     
  2. View the contents of the keystore.


    Verify the following information:

    The end-entity certificate is imported into the alias with the "Entry Type" of PrivateKeyEntry or KeyEntry.  If not, import the certificate into the Private Key alias.

    Note: The "Certificate chain length:" field tells you the keystore was successful in establishing the certificate chain, and your keystore is ready for use.
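
One way to script the Step 3 check, as an added example that is not part of RapidSSL's instructions: the function reads `keytool -list -v` output on standard input and reports whether the given alias is a key entry with an established chain. The status codes, the sample listing and the rule that an established chain has length 2 or more are assumptions of this example, and it expects English keytool output.

```shell
# Added example (not RapidSSL's code): evaluate `keytool -list -v` output for one alias.
# Status codes are this example's own convention:
#   0 key entry, chain length >= 2   1 wrong entry type (e.g. trustedCertEntry)
#   2 key entry, chain length < 2    3 alias not found
check_keystore_listing() {
    awk -v want="$1" '
        { sub(/\r$/, "") }                      # tolerate CRLF from a Windows prompt
        /^Alias name: / { cur = tolower(substr($0, 13)); next }
        cur != tolower(want) { next }           # skip lines of other entries
        /^Entry type: / { type = substr($0, 13); found = 1 }
        /^Certificate chain length: / { len = $NF + 0 }
        END {
            if (!found) exit 3
            if (type != "PrivateKeyEntry" && type != "KeyEntry") exit 1
            if (len < 2) exit 2                 # assumption: a chained reply gives >= 2
            exit 0
        }'
}

# Constructed sample listing (abbreviated; not real keytool output from any host).
sample_listing() {
cat <<'EOF'
Keystore type: PKCS12
Your keystore contains 3 entries

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=www.example.com

Alias name: ssl_cert
Entry type: trustedCertEntry
Owner: CN=www.example.com

Alias name: selfsigned
Entry type: PrivateKeyEntry
Certificate chain length: 1
EOF
}

# Demonstration on the constructed listing: prints one status per alias.
for a in tomcat ssl_cert selfsigned missing; do
    rc=0
    sample_listing | check_keystore_listing "$a" || rc=$?
    echo "$a: status $rc"
done
```

Against a real keystore, pipe the Step 3 command into it: `keytool -list -v -keystore your_keystore_filename | check_keystore_listing your_alias_name`.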

 

Step 4: Configure Tomcat Server

Once the certificates are imported into the keystore, configure your server.xml to enable SSL. Refer to solution SO16068.

 

Step 5: Verify certificate installation

  1. To verify if your certificate is installed correctly, use the RapidSSL Certificate Installation Checker.
 

 
 

Partner issued certificates - Certificates enrolled on or after November 10, 2017

Step 1: Download SSL certificate from User Portal

To download a RapidSSL Certificate from the User Portal, perform the steps below:

  1. Visit the RapidSSL User Portal
  2. Provide the Common Name or Order Number, the Technical Contact Email Address associated with the certificate order, and the Image Number generated from the GeoTrust User Authentication page.

    Note:  If access is requested using the Common Name there will be a list of order numbers for that domain.  Please select the most recent order.  Any previous orders that are listed cannot be used to download the certificate.  If access is requested with an Order Number, an email will be sent to access that order.
     
  3. Select Request Access against the correct order ID.
  4. An email will be sent to the Technical Contact email address specified.
  5. Click on the link listed in the email to enter the User Portal.
  6. Click View Certificate Information.
  7. Select the PKCS#7 format from the drop down menu.

 

Step 2: Import the SSL certificate into the keystore
  1. At the command prompt, enter:

    keytool -import -alias your_alias_name -trustcacerts -file ssl_certificate.p7b -keystore your_keystore_filename

Note: The alias name and keystore name in this command must be the same as the alias name and keystore name used during the generation of the private key and certificate signing request (CSR).

During the import you might encounter the following error: "java.lang.Exception: Input not an X.509 certificate." To troubleshoot this error, refer to solution.
 
 
Step 3: Confirm contents of the keystore
  1. At the command prompt, enter:

    keytool -list -v -keystore  your_keystore_filename >output_filename

     
  2. View the contents of the keystore.


    Verify the following information:

    The end-entity certificate is imported into the alias with the "Entry Type" of PrivateKeyEntry or KeyEntry.  If not, import the certificate into the Private Key alias.

    Note: The "Certificate chain length:" field tells you the keystore was successful in establishing the certificate chain, and your keystore is ready for use.

 

Step 4: Configure Tomcat Server

Once the certificates are imported into the keystore, configure your server.xml to enable SSL. Refer to solution SO16068.

 

Step 5: Verify certificate installation

  1. To verify if your certificate is installed correctly, use the RapidSSL Certificate Installation Checker.
 


Tomcat 

For more information, see Tomcat Support website.