Ask a Question

Installing the x.509 version of your SSL certificate in Tomcat


The steps below are for installing a X.509 (.CER, .CRT, .PEM) formatted certificate into a keystore.  If you have a PKCS#7 (.P7S, .P7B) please click here for PKCS#7 installation documentation.

Step 1: Obtain the SSL certificate and intermediate CA certificate

    1.    The RapidSSL certificate download link will be sent by email.

    2.    Download and extract the certificate zip file from the email.

           Note: Click here for steps to download the RapidSSL certificate.

           Please select X.509 as a certificate format.

           If you do not have the intermediate CA certificate, it can be downloaded here.

Step 2: Importing your certificate into the Keystore

It is recommended that you have your keystore, SSL certificate and Keytool.exe in the same folder or you will need to specify the full file path when running the following commands.  To import the Intermediate CA Certificate into the keystore, use the following keytool command:

  1. keytool -import -alias intermediate -trustcacerts -file intermediate.cer -keystore your_keystore.kdb

    To import the SSL certificate into the keystore, use the following keytool command:
  2. keytool -import -alias aliasname -trustcacerts -file sslcert.cer -keystore your_keystore.kdb

    Note: When executing the command to import the SSL certificate, you must specify the actual Alias used when you initially created the keystore. If you are unsure of this, run the following command to see the contents of the keystore:

    keytool -list -v -keystore your_keystore_file

If the installation is successful you will see "Certificate reply was installed in keystore". If the import failed, please search for the error in our Knowledge Base.

Step 3: Configure the Tomcat server

  1. Locate the tomcat configuration file (example Server.xml), the configuration file name can be different depending on your Tomcat version or distribution. The configuration file will need to be updated to reference your keystore file and password.
  2. Open the Server.xml file in a text editor (such as VI or Notepad).
  3. Find the following section of code in the file (try searching for SSL Connector) and remove the comment tags around the connector entry (highlighted in red).
    <-- SSL Connector on Port 8443 -->
          port="8443" minProcessors="5"
          connectionTimeout="60000" debug="0"
           scheme="https" secure="true">
                 clientAuth="false" protocol="TLS"
                 keystoreFile="insert path to the keystore here">
                 keystorePass="insert keystore password here">

  5. Update the text in bold with the full path to each file (example "C:/tomcat/bin/certs/keystore.kdb").
  6. Save the Server.xml file.
  7. Start Tomcat.

Note: By default Tomcat runs SSL over port 8443. Make sure that this port is enabled on the Tomcat server and any firewalls/proxies this server may lie behind.

Verify the installation of the certificate using the RapidSSL CrypoReport.