
Certificate Services Support

Purpose: SSL/TLS Certificate Installation Guide
For Tomcat Version 8.5+

Need Certificate Signing Request (CSR) help? Tomcat uses Keytool to create a CSR. You can use our Keytool CSR command Builder here to help you get started.

For help using the Keytool CSR command Builder read this article here.

After you have obtained the command to use to create the CSR from the command builder, open your terminal and paste the command. A CSR and private key will be created.

Before you begin...

  • Tomcat includes a certificate utility called Keytool. All of the steps below will be performed using Java keytool.

  • Important: In order to install your certificate, you must use the same keystore that was created when you requested the certificate.  You must also use the same keystore alias name that was used when the keystore and corresponding private key were generated.  

  • Never share private keys or keystore files. 

  • If you plan on using the same certificate on multiple servers, always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).

  • It is best practice to keep your ciphers and protocols current and up to date for the best security when deploying a new private key and server certificate.

  • Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.

  • For more information on SSL/TLS Best Practices, click here.

Installing your Entrust SSL/TLS Certificate on a Tomcat Server

1. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a file named CertificateBundle.pem.  This file includes your signed SSL/TLS certificate and the combined certificate chain. 

2. Type and run the following command on your Tomcat server. The alias (server) and keystore file name (yoursite.jks) in this command are variables: replace them with the alias name and keystore file name you used to create your keystore and Certificate Signing Request.

Please note: It is recommended that you type the command into your terminal instead of pasting the command.

keytool -import -trustcacerts -alias server -file CertificateBundle.pem -keystore yoursite.jks

  • You will be prompted to supply your keystore password. You must supply the password to complete the import process.

  • If a prompt appears asking you if you want to trust the certificate, enter yes.

  • If the certificate installs correctly, you will see a message in the prompt that states “Certificate reply was installed in keystore”.

3. Configure your Tomcat server to use the TLS protocol along with the Java Keystore. To do this, you must edit your Tomcat server.xml file, which is typically located in the conf folder of your Tomcat’s home directory.

Before making any changes, you should save a copy of your original server.xml file in case you run into any issues.

Open the server.xml file in a text editor where you will need to specify your keystore file name, password, and alias.  You should see a section that looks like the following:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false" sslProtocol="TLS"
           keyAlias="server" keystoreFile="yourkeystore.jks"
           keystorePass="your_keystore_password" />

4. Restart your Tomcat Server to complete the certificate installation process.
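A check worth running before the restart, as an added example (not Entrust's code): it parses the keytool import command and the TLS Connector and reports where server.xml does not reference the same keystore and alias. The function names and the minimal Server/Service wrapper are assumptions; the inputs are this page's sample values, trimmed to the TLS-related attributes.

```python
import os
import shlex
import xml.etree.ElementTree as ET

# Constructed inputs: the page's keytool command and its sample Connector,
# wrapped in a minimal <Server>/<Service> skeleton so it parses like server.xml.
KEYTOOL_CMD = ("keytool -import -trustcacerts -alias server "
               "-file CertificateBundle.pem -keystore yoursite.jks")
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
             clientAuth="false" sslProtocol="TLS" keyAlias="server"
             keystoreFile="yourkeystore.jks"
             keystorePass="your_keystore_password" />
</Service></Server>"""


def keytool_options(cmd):
    """Map each keytool option that takes a value to that value."""
    argv = shlex.split(cmd)
    return {arg: argv[i + 1] for i, arg in enumerate(argv[:-1])
            if arg.startswith("-") and not argv[i + 1].startswith("-")}


def audit_tls_connectors(server_xml, keytool_cmd):
    """Return (port, attribute, detail) for each TLS Connector setting that
    disagrees with the keystore and alias the certificate was imported into."""
    opts = keytool_options(keytool_cmd)
    want_alias = opts.get("-alias", "")
    want_store = os.path.basename(opts.get("-keystore", ""))
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector, nothing to compare
        port = conn.get("port", "?")
        if conn.get("scheme") != "https" or conn.get("secure") != "true":
            findings.append((port, "scheme", "expected https with secure=true"))
        alias = conn.get("keyAlias") or ""
        if alias.lower() != want_alias.lower():  # keytool aliases ignore case
            findings.append((port, "keyAlias", f"{alias!r} != {want_alias!r}"))
        store = os.path.basename(conn.get("keystoreFile") or "")
        if store != want_store:
            findings.append((port, "keystoreFile", f"{store!r} != {want_store!r}"))
        if conn.get("keystorePass") in (None, "", "your_keystore_password"):
            findings.append((port, "keystorePass", "missing or still the placeholder"))
    return findings


if __name__ == "__main__":
    for finding in audit_tls_connectors(SERVER_XML, KEYTOOL_CMD):
        print("port %s: %s: %s" % finding)
```

Run against the sample values, it reports that the Connector names yourkeystore.jks while the import command wrote to yoursite.jks, and that keystorePass is still the placeholder.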

Your SSL/TLS Certificate should now be installed. If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance.

Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET 
North America (toll free): 1-866-267-9297 
Outside North America: 1-613-270-2680 (or see the list below) 
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as a UITF toll free call.


Australia: 0011 - 800-3687-7863
Austria: 00 - 800-3687-7863
Belgium: 00 - 800-3687-7863
Denmark: 00 - 800-3687-7863
Finland: 990 - 800-3687-7863 (Telecom Finland)
         00 - 800-3687-7863 (Finnet)
France: 00 - 800-3687-7863
Germany: 00 - 800-3687-7863
Hong Kong: 001 - 800-3687-7863 (Voice)
           002 - 800-3687-7863 (Fax)
Ireland: 00 - 800-3687-7863
Israel: 014 - 800-3687-7863
Italy: 00 - 800-3687-7863
Japan: 001 - 800-3687-7863 (KDD)
       004 - 800-3687-7863 (ITJ)
       0061 - 800-3687-7863 (IDC)
Korea: 001 - 800-3687-7863 (Korea Telecom)
       002 - 800-3687-7863 (Dacom)
Malaysia: 00 - 800-3687-7863
Netherlands: 00 - 800-3687-7863
New Zealand: 00 - 800-3687-7863
Norway: 00 - 800-3687-7863
Singapore: 001 - 800-3687-7863
Spain: 00 - 800-3687-7863
Sweden: 00 - 800-3687-7863 (Telia)
        00 - 800-3687-7863 (Tele2)
Switzerland: 00 - 800-3687-7863
Taiwan: 00 - 800-3687-7863
United Kingdom: 00 - 800-3687-7863
                0800 121 6078
                +44 (0) 118 953 3088