Generating a Certificate Signing Request (CSR) for Jakarta Tomcat


Step 1: Prepare your Tomcat server

If you are not using JDK 1.4 or higher, you must download and install the “Java Secure Socket Extension” (JSSE).

You can download JSSE from http://java.sun.com/products/jsse/.

Step 2: Generate a Private Key

Use the keytool command to create the private key file:

keytool -genkey -keyalg RSA -keystore yourdomainname.key

You will be asked the following questions if the values are not already known:

  • Enter keystore password: – Tomcat uses a default password of “changeit”. If you use a different password, you will need to specify a custom password in the server.xml configuration file.
  • What is your first and last name? – Enter the domain name that you want to use your SSL certificate with.
  • What is the name of your organizational unit? – Enter the name of your division, department, or other operational unit of your organization.
  • What is the name of your organization? – Enter the name of your organization.
  • What is the name of your City or Locality? – Enter the name of your city, town, or other locality.
  • What is the name of your State or Province? – Enter the name of the State or Province in which your organization operates. Do not abbreviate.
  • What is the two-letter country code for this unit? – Enter the two-letter country code for your country.

You will then be asked if the information is correct:

Is CN=www.yourdomain.com, OU=Your Organizational Unit, O=Your Organization, L=Your City, ST=Your State, C=Your Country correct?

When you answer y or yes, the password is then requested:

Enter key password for <mykey>

Note: Make a note of this password. <mykey> is the default alias for the certificate.

Step 3: Create your Certificate Signing Request

Use the keytool command to create the CSR file:

keytool -certreq -keyalg RSA -keystore yourdomainname.key -file yourdomainname.csr

You will be prompted to enter your password.

If the password is correct, the CSR is created; otherwise, a password error message is displayed.

You will not be prompted for the common name, organization, etc. The keytool will use the values that you specified when generating the private key.

You now have two files: the Private Key file named yourdomainname.key and the Certificate Signing Request (CSR) file named yourdomainname.csr.
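
The two keytool steps above can also be run without the interactive name prompts. The following script is an added example, not part of the original guide: it passes the answers through keytool's -dname option, sets -keysize 2048 explicitly, and prints the finished request with -printcertreq (JDK 7 or later). The function names, the script name and the sample values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: Steps 2 and 3 without the interactive name prompts.
# Assumptions: keytool from JDK 7 or later (for -printcertreq); all sample
# values below are constructed placeholders.

# Backslash-escape characters that would otherwise split or corrupt a
# distinguished-name attribute, e.g. the comma in "Example, Inc.".
dn_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/[,+"<>;]/\\&/g'
}

# Assemble the -dname value from the six answers keytool asks for in Step 2:
# domain name, organizational unit, organization, city, state, country code.
build_dname() {
    printf 'CN=%s, OU=%s, O=%s, L=%s, ST=%s, C=%s' \
        "$(dn_escape "$1")" "$(dn_escape "$2")" "$(dn_escape "$3")" \
        "$(dn_escape "$4")" "$(dn_escape "$5")" "$(dn_escape "$6")"
}

# Create <stem>.key (keystore) and <stem>.csr, then print the request.
make_csr() {
    stem=$1
    dname=$2
    (
        # New files are readable by the current user only.
        umask 077
        # No -storepass/-keypass: keytool prompts for them, keeping the
        # passwords out of the process list and shell history.
        keytool -genkey -alias mykey -keyalg RSA -keysize 2048 \
            -dname "$dname" -keystore "$stem.key" &&
        keytool -certreq -alias mykey \
            -keystore "$stem.key" -file "$stem.csr" &&
        # Review the subject and key size before submitting the CSR.
        keytool -printcertreq -file "$stem.csr"
    )
}

# Usage: sh make_csr.sh yourdomainname www.yourdomain.com "IT" \
#            "Example, Inc." "Your City" "Your State" US
if [ "$#" -eq 7 ]; then
    make_csr "$1" "$(build_dname "$2" "$3" "$4" "$5" "$6" "$7")"
fi
```

keytool still prompts for the keystore password and the key password, as described in Steps 2 and 3.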
