Apache Tomcat Generate Csr Tutorial

A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.

In Public Key Infrastructure (PKI) systems, a Certificate Signing Request also CSR or certification request is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate.

The most common format for CSRs is the PKCS #10 specification and another is the Signed Public Key and Challenge SPKAC format generated by some Web browsers.

1. The tools

  • Java JDK 8
  • Tomcat Server 8

2. Introduction

Apache Tomcat SSL Configuration. Secure Socket Layer (SSL) is a protocol that provides security for communications between client and server by implementing encrypted data and certificate-based authentication.

If you want to use HTTPS on your own Tomcat Installation without use an external authority then you need to generate your own certificate signing request, you need to advise your clients that are self signing your application because the most used browsers only recognized an limited amount of authorities, unless you are going to make your own custom browser. HTTPS also called HTTP over TLS, HTTP over SSL and HTTP Secure is a protocol for secure communication over a computer network which is widely used on the Internet.

HTTPS consists of communication over Hypertext Transfer Protocol HTTP within a connection encrypted by Transport Layer Security, or its predecessor, Secure Sockets Layer. The main motivation for HTTPS is authentication of the visited website and protection of the privacy and integrity of the exchanged data.

3. Prerequisites

  • JDK installed
  • Tomcat 8 installed and running

4. Generate Certificate Using Keytool

keytool is a key and certificate management utility. It allows users to administer their own public/private key pairs and associated certificates for use in self-authentication, where the user authenticates himself/herself to other users/services or data integrity and authentication services, using digital signatures. It also allows users to cache the public keys in the form of certificates of their communicating peers.

A certificate is a digitally signed statement from one entity person, company, etc, saying that the public key and some other information of some other entity has a particular value.

When data is digitally signed, the signature can be verified to check the data integrity and authenticity. Integrity means that the data has not been modified or tampered with, and authenticity means the data indeed comes from whoever claims to have created and signed it.

We are going to generate a certificate inside keystore folder in the Tomcat install directory. If the keystore folder doesn’t exist you need to create it.

Create a certificate keystore and private key with the following command:

Keystore on Windows

keytool -genkey -alias tomcat -keyalg RSA -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat

Keystore on Linux

keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/keystore/tomcat

5. Certificate questions

You need to answer some questions to create the certificate. We are going to follow these questions using mockup data to show the point:

First you need to enter a Fully Qualified Domain Name:

A fully qualified domain name (FQDN) is the complete domain name for a specific computer, or host, on the Internet. The FQDN consists of two parts: the hostname and the domain name. For example, an FQDN for a hypothetical mail server might be

Fully Qualified Domain Name

What is your first and last name?

An organizational unit (OU) is a subdivision within a directory into which you can place users, groups, computers, and other organizational units. You can create organizational units to mirror your organization’s functional or business structure.

The name of your organizational unit, in this case Technology:

Name of your organizational unit

What is the name of your organizational unit?
[Unknown]: Technology

The name of your organization:

Name of your organization

What is the name of your organization?
[Unknown]: Java Code Geeks

The name of your City or Locality, in this case we are using London:

Name of your City or Locality

What is the name of your City or Locality?
[Unknown]: London

The name of your State or Province also in this case we are using London:

Name of your State or Province

What is the name of your State or Province?
[Unknown]: London

The two-letter country code, every country have a two letter country code:

Two-letter country code

What is the two-letter country code for this unit?
[GB]: GB

Finally keytool asks us to review the information and if the information is correct you need to explicit write yes or no, in case you write a negative answer the keytool start the process again.

Name of your organizational unit

Is, OU=Technology, O=Java Code Geeks, L=London, ST=London, C=GB
[no]: yes 

Now we have our Certificate Signing Request to use with our Tomcat Server and allow SSL connections.

6. Check Certificate keystore

We can check our CSR with the following command:

On Windows

keytool -list -keystore C:\Java\apache-tomcat-8.5.9\keystore\tomcat

On Linux

keytool -list -keystore /opt/tomcat/keystore/tomcat

7. Use the certificate in Tomcat

Edit the file:

On Windows

C:\Java\Apache Tomcat 8.5.9\conf\server.xml

On Linux


and add an SSL connector.
SSL Conector

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystorePass="changeit" />

Restart tomcat and you are done. Now you can run your Applications under HTTPS in Tomcat.

8. Conclusion

A certificate signing request (CSR) is a message sent to a certificate authority to request the signing of a public key and associated information. Most commonly a CSR will be in a PKCS10 format. The contents of a CSR comprises a public key, as well as a common name, organization, city, state, country, and e-mail. Not all of these fields are required and will vary depending with the assurance level of your certificate. Together these fields make up the to be signed certificate sequence.

The CSR is signed by the applicant’s private key; this proves to the CA that the applicant has control of the private key that corresponds to the public key included in the CSR. Once the requested information in a CSR passes a vetting process and domain control is established, the CA may sign the applicant’s public key so that it can be publicly trusted.

Tomcat fully supports the SSL protocol, Secure Socket Layer (SSL) is a protocol that provides security for communications between client and server by implementing encrypted data and certificate-based authentication.

SSL is one of the most common ways of integrating secure communication on the Internet, as it is a mature protocol that is supported by every browser.

Apache Tomcat, can handle sensitive data, and SSL is an easy way to offer your users security.

Jesus Boadas

I'm a self taught programmer, I began programming back in 1991 using an IBM A10 mainframe with Pascal an Assembler IBM 360/70 emulator and Turbo C on a X86 PC, since that I work for the banking industry with emerging technologies like Fox Pro, Visual Fox Pro, Visual Basic, Visual C++, Borland C++, lately I moved out to the Airline industry, leading designing and programming in-house web applications with Flex, Actionscript, PHP, Python and Rails and in the last 7 years I focused all my work in Java, working on Linux servers using GlassFish, TomCat, Apache and MySql.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments
Back to top button