Entrust Datacard SSL/TLS Certificate Installation Guide

- Industries
- Solutions
  - Our Expertise
  - Strong Identities
  - Secure Payments
  - Protected Data
- Featured Products
  - As a Service Products
- Enterprise ID & Issuance
  - Instant ID as a Service
    Learn More
  - Instant Issuance
- Financial ID & Issuance
  - Digital Card Solution
    Learn More
  - Digital Banking
    1. Digital Account Opening
    2. Digital Card Solution
  - Instant Issuance
  - Central Issuance
- Government ID & Issuance
  - Digital Citizen
    1. Seamless Travel as a Service
    2. ePassport as a Service
  - Instant Issuance
    1. Other citizen IDs and licenses.
    2. System Software
    3. Supplies
    4. Services
  - Central Issuance
    1. Passports, national IDs and driver licenses.
    2. Passport Issuance Systems
    3. National ID and Driver License Systems
    4. Inline Delivery & Insertion
    5. Standalone Delivery & Insertion
    6. System Software
    7. Supplies
    8. Services
  - Identity Verification as a Service
    Our IDVaaS solution allows remote verification of an individual’s claimed identity for immigration, border management, or digital services delivery.
    Learn More
- Cloud Security Posture Management
  - CloudControl 30-Day Free Trial
    Entrust CloudControl offers comprehensive security and automated compliance across virtualization, public cloud, and container platforms while increasing visibility and decreasing risks that can lead to unintended downtime or security exposure.
    Start Free Trial
- Key Management and Encryption
  - KeyControl for VM Encryption
  - KeyControl 30-Day Free Trial
    VMware vSphere and vSAN encryption require an external key manager, and KeyControl is VMware Ready certified and recommended. KeyControl enables enterprises to easily manage all their encryption keys at scale, including how often keys are rotated, and how they are shared securely.
    Start Free Trial
- Hardware Security Modules (HSM)
  - 1. nShield as a Service
  - nShield HSMs
  - Why you need an HSM
    Learn about all the details related to what hardware security modules offer you in security and cost savings...
    Learn More
- Digital Certificates
  - 1. Buy Certificates
    2. Renew Certificates
  - TLS/SSL Certificates
  - Qualified Certificates
    1. QWAC eIDAS Certificates
    2. QWAC PSD2 Certificates
  - Sales and Services
- Identity and Access Management (IAM)
  - Products
    1. Identity as a Service
      Cloud-Based IAM
    2. Identity Enterprise
      On-prem IAM
    3. Identity Essentials
      On-prem MFA solution for Windows users
    4. APIs and SDKs
  - Get Entrust Identity as a Service Free for 60 Days
    Explore the Identity as a Service platform that gives you access to best-in-class MFA, SSO, adaptive risk-based authentication, and a multitude of advanced features that not only keep users secure, but also contribute to an optimal experience.
    Start Free Trial
- Electronic and Digital Signing
  - Digital Signing as a Service
  - Digital Signing Certificates
  - Digital Signing Infrastructure
  - EU Qualified Trust Services
    In addition to our long-standing Adobe Approved Trust List (AATL) membership, we are a European Qualified Trust Service Provider for the issuance of eIDAS qualified certificates for qualified signatures and advanced seals, for PSD2 certificates and for QWACs
    Learn More
- Public Key Infrastructure (PKI)
  - PKI Products
  - Managed Services
  - Cryptographic Center of Excellence
  - Try Post-Quantum PKI as a Service Now
    Get PQ Ready. PKIaaS PQ provides customers with composite and pure quantum Certificate Authority hierarchies.
    Try Now
- Resources
  - Issuance Systems Knowledge Base
    Learn More
  - Digital Security Knowledge Base
    Learn More
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Partners
  - Partner with Entrust
    Join one or more of our partner programs and we’ll help you increase profitability, expand your brand, and target strategic customers.
    Learn More
  - Partner Directory
    Search for partners based on location, offerings, channel or technology.
    Search for a Partner
  - Programs
  - Partner Logins
- Buy
  - Shop Certificate Services
    Shop for new single certificate purchases.
    Learn More
  - Certificate Services Customer Portal
    Existing Entrust Certificate Services customers can login to issue and manage certificates or buy additional services.
    Learn More
  - Certificate Services Partner Portal
    Existing partners can provision new customers and manage inventory.
    Learn More
  - Instant Financial Card Issuance Supplies
    1. Registered Customer Login
    2. Request Access
- About Entrust
  - Securing a World in Motion Since 1969
    We’ve established secure connections across the planet and even into outer space. We’ve enabled reliable debit and credit card purchases with our card printing and issuance technologies. Protected international travel with our border control solutions. Created secure experiences on the internet with our SSL technologies. And safeguarded networks and devices with our suite of authentication products.
    Explore Our History
  - Cybersecurity Institute
    Get critical insights and education on security concepts from our Trust Matters newsletter, explainer videos, and the Cybersecurity Institute Podcast.
    Learn More
- Search Entrust
  - Search:

Purpose: SSL/TLS Certificate Installation Guide
For Tomcat Version 8.5+

Skip to Installation

Need Certificate Signing Request (CSR) help? Tomcat uses Keytool to create a CSR. You can use our Keytool CSR command Builder here to help you get started.

For help using the Keytool CSR command Builder read this article here.

After you have obtained the command to use to create the CSR from the command builder, open your terminal and paste the command. A CSR and private key will be created.

Before you begin...

Tomcat includes a certificate utility called Keytool. All of the steps below will be performed using Java keytool.

Important: In order to install your certificate, you must use the same keystore that was created when you requested the certificate. You must also use the same keystore alias name that was used when the keystore and corresponding private key were generated.

Never share private keys or keystore files.

If you plan on using the same certificate on multiple servers always transfer the private key using a secure method (e-mail is not considered a secure method of transfer).

It is best practice to ensure that you have current and up to date Ciphers and Protocols to ensure the best security when deploying a new Private key and Server Certificate.

Make sure you run the SSL Server Test at the end of the installation process to check your certificate configuration against SSL/TLS Best Practices.
For more information on SSL/TLS Best Practices, click here.

Installing your Entrust SSL/TLS Certificate on a Tomcat Server

1. Click the Download button in the pickup wizard to download your certificate files. Clicking the download button will produce a file named CertificateBundle.pem. This file includes your signed SSL/TLS certificate and the combined certificate chain.

2. Type and run the following command on your Tomcat server – the sections that are underlined in this command are variables based on your keystore file name and the alias name you used to create your keystore and Certificate Signing Request.

Please note: It is recommended that you type the command into your terminal instead of pasting the command.

keytool -import -trustcacerts -alias server -file CertificateBundle.pem -keystore yoursite.jks

You will be prompted to supply your keystore password. You must supply the password to complete the import process.

If a prompt appears asking you if you want to trust the certificate, enter yes.

If the certificate installs correctly, you will see a message in the prompt that states “Certificate reply was installed in keystore”

3. Configure your Tomcat server to use the TLS protocol along with the Java Keystore. To do this, you must edit your Tomcat server.xml file, which is typically located in the conf folder of your Tomcat’s home directory.

Before making any changes, you should save a copy of your original server.xml file in case you run into any issues.

Open the server.xml file in a text editor where you will need to specify your keystore file name, password, and alias. You should see a section that looks like the following:

<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="yourkeystore.jks" keystorePass="your_keystore_password" />

4. Restart your Tomcat Server to complete the certificate installation process.

Your SSL/TLS Certificate should now be installed. If you have any questions or concerns please contact the Entrust Certificate Services Support department for further assistance.

Hours of Operation:
Sunday 8:00 PM ET to Friday 8:00 PM ET
North America (toll free): 1-866-267-9297
Outside North America: 1-613-270-2680 (or see the list below)
NOTE: It is very important that international callers dial the UITF format exactly as indicated. Do not dial an extra "1" before the "800" or your call will not be accepted as an UITF toll free call.

Country	Number
Australia	0011 - 800-3687-7863 1-800-767-513
Austria	00 - 800-3687-7863
Belgium	00 - 800-3687-7863
Denmark	00 - 800-3687-7863
Finland	990 - 800-3687-7863 (Telecom Finland) 00 - 800-3687-7863 (Finnet)
France	00 - 800-3687-7863
Germany	00 - 800-3687-7863
Hong Kong	001 - 800-3687-7863 (Voice) 002 - 800-3687-7863 (Fax)
Ireland	00 - 800-3687-7863
Israel	014 - 800-3687-7863
Italy	00 - 800-3687-7863
Japan	001 - 800-3687-7863 (KDD) 004 - 800-3687-7863 (ITJ) 0061 - 800-3687-7863 (IDC)
Korea	001 - 800-3687-7863 (Korea Telecom) 002 - 800-3687-7863 (Dacom)
Malaysia	00 - 800-3687-7863
Netherlands	00 - 800-3687-7863
New Zealand	00 - 800-3687-7863 0800-4413101
Norway	00 - 800-3687-7863
Singapore	001 - 800-3687-7863
Spain	00 - 800-3687-7863
Sweden	00 - 800-3687-7863 (Telia) 00 - 800-3687-7863 (Tele2)
Switzerland	00 - 800-3687-7863
Taiwan	00 - 800-3687-7863
United Kingdom	00 - 800-3687-7863 0800 121 6078 +44 (0) 118 953 3088