Apache Tomcat Generate CSR Example

In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.

The most common format for CSRs is the PKCS #10 specification; another is the Signed Public Key and Challenge (SPKAC) format generated by some web browsers.

1. The tools

  • Java JDK 8
  • Tomcat Server 8

2. Introduction

If you want to use HTTPS on your own Tomcat installation without using an external authority, then you need to generate your own certificate signing request. You also need to advise your clients that you are self-signing your application, because the most used browsers only recognize a limited set of authorities, unless you are going to make your own custom browser.
HTTPS, also called HTTP over TLS, HTTP over SSL and HTTP Secure, is a protocol for secure communication over a computer network which is widely used on the Internet. HTTPS consists of communication over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS), or its predecessor, Secure Sockets Layer (SSL). The main motivations for HTTPS are authentication of the visited website and protection of the privacy and integrity of the exchanged data.

3. Prerequisites

  • JDK installed
  • Tomcat 8 installed and running

4. Generate Certificate keystore

We are going to generate a certificate inside the keystore folder in the Tomcat install directory. If the keystore folder doesn't exist you need to create it.

Create a certificate keystore and private key with the following command:

Keystore on Windows

keytool -genkey -alias tomcat -keyalg RSA -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat

Keystore on Linux

keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/keystore/tomcat

5. Certificate questions

You need to answer some questions to create the certificate. We are going to walk through these questions using mock data to illustrate the point:

First you need to enter a Fully Qualified Domain Name:


What is your first and last name?

The name of your organizational unit, in this case Technology:


What is the name of your organizational unit?
[Unknown]: Technology

The name of your organization:


What is the name of your organization?
[Unknown]: Java Code Geeks

The name of your City or Locality, in this case we are using London:


What is the name of your City or Locality?
[Unknown]: London

The name of your State or Province, again London in this case:


What is the name of your State or Province?
[Unknown]: London

The two-letter country code; every country has a two-letter country code:


What is the two-letter country code for this unit?
[GB]: GB

Finally keytool asks us to review the information; if the information is correct you need to explicitly write yes or no. If you give a negative answer, keytool starts the process again.


Is, OU=Technology, O=Java Code Geeks, L=London, ST=London, C=GB
[no]: yes 

Now we have our Certificate Signing Request to use with our Tomcat Server and allow SSL connections.

6. Check Certificate keystore

We can check our CSR with the following command:

On Windows

keytool -list -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat

On Linux

keytool -list -keystore /opt/tomcat/keystore/tomcat
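The same steps as sections 4 to 6 as an added example (not part of the original article): the six keytool questions are answered up front with -dname so the script runs non-interactively, a SAN extension is added because browsers match the hostname against SAN rather than CN, and the -certreq step is included because -genkey by itself only produces a self-signed certificate, while -certreq is what writes the PKCS #10 CSR that a CA signs. The hostname tomcat.example.test, the password changeit and the Linux keystore path are assumed placeholder values.

```shell
#!/bin/sh
# Added example, not the article's own code. Requires the JDK's keytool on PATH.
set -e

# Build the X.500 distinguished name from the six answers keytool would ask for.
build_dname() {
    # $1 CN (FQDN)  $2 OU  $3 O  $4 L  $5 ST  $6 C
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' "$1" "$2" "$3" "$4" "$5" "$6"
}

# Create the keystore holding the private key and a self-signed certificate.
# -dname replaces the interactive questions; SAN carries the hostname browsers check.
generate_keystore() {
    ks="$1"; pass="$2"; fqdn="$3"; dname="$4"
    mkdir -p "$(dirname "$ks")"
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "$dname" -ext "SAN=dns:$fqdn" \
        -keystore "$ks" -storepass "$pass" -keypass "$pass"
}

# Write the PKCS #10 CSR (PEM encoded) for the key pair; this is the file a CA signs.
generate_csr() {
    ks="$1"; pass="$2"; out="$3"
    keytool -certreq -alias tomcat -keystore "$ks" -storepass "$pass" -file "$out"
}

# Section 6 check restricted to one alias: keytool exits non-zero if it is missing.
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Usage with the assumed placeholder values (run as: sh thisscript.sh run).
if [ "${1:-}" = "run" ]; then
    KS=/opt/tomcat/keystore/tomcat
    DN="$(build_dname tomcat.example.test Technology 'Java Code Geeks' London London GB)"
    generate_keystore "$KS" changeit tomcat.example.test "$DN"
    generate_csr "$KS" changeit "$KS.csr"
    keystore_has_alias "$KS" changeit tomcat && echo "alias tomcat present in $KS"
    # Inspect the request before sending it to the CA.
    keytool -printcertreq -file "$KS.csr"
fi
```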

7. Use the certificate in Tomcat

Edit the file:

On Windows

C:\Java\Apache Tomcat 8.5.9\conf\server.xml

On Linux


and add an SSL connector. The keystoreFile attribute must point at the keystore created in section 4 (the Windows path from section 4 on Windows); without it Tomcat looks for a .keystore file in the user's home directory.
SSL Connector

    <!-- keystoreFile is the keystore created in section 4; keystorePass is the
         password given to keytool (change both to match your installation) -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/opt/tomcat/keystore/tomcat"
               keystorePass="changeit" />

Restart Tomcat and you are done. Now you can run your applications under HTTPS in Tomcat.

8. Conclusion

A certificate signing request (CSR) is a message sent to a certificate authority to request the signing of a public key and associated information. Most commonly a CSR will be in PKCS #10 format. The contents of a CSR comprise a public key, as well as a common name, organization, city, state, country, and e-mail. Not all of these fields are required, and which ones are will vary depending on the assurance level of your certificate. Together these fields make up the to-be-signed certificate sequence.

The CSR is signed by the applicant's private key. This proves to the CA that the applicant has control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the applicant's public key so that it can be publicly trusted.

Jesus Boadas

I'm a self-taught programmer. I began programming back in 1991 using an IBM A10 mainframe with Pascal and Assembler on an IBM 360/70 emulator and Turbo C on an x86 PC. Since then I have worked for the banking industry with emerging technologies like Fox Pro, Visual Fox Pro, Visual Basic, Visual C++ and Borland C++. Lately I moved to the airline industry, leading the design and programming of in-house web applications with Flex, Actionscript, PHP, Python and Rails, and in the last 7 years I have focused all my work on Java, working on Linux servers using GlassFish, Tomcat, Apache and MySQL.