Generate CSR Tomcat
Follow these instructions to generate a Private Key and CSR.
- Using the java keytool command-line utility, the first thing you need to do is create a keystore and generate the key pair. Do this with the following command:
keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -sigalg SHA256withRSA -keystore mykeystore
Note: The 2048 in the command above is the key bit length. Your key size must be at least 2048 bits
- You will be prompted for a password for the keystore. Tomcat uses a default password of "changeit". Hit enter if you want to keep the default password. If you use a different password, you will need to specify a custom password in the server.xml configuration file.
- You will be prompted for a password for the private key within the keystore. If you press enter at the prompt, the key password is set to the same password as that used for the keystore from the previous step. The key password must be at least 6 characters long.
Note: Make a note of the passwords. If lost they cannot be retrieved.
- You will be asked for several pieces of info which will be used by to create your new SSL certificate. These fields include the Common Name (e.g. mail.example.com, *.example.com), organization, country, key bit length, etc.
The following characters should not be used when typing in your CSR input: < > ~ ! @ # $ % ^ / \ ( ) ? , &
- On some older versions of the keytool utility , the next field that you will be prompted for is
What is your first and last name?
At this prompt, you must specify the Common Name of your website, not your real first and last name. - You will then be prompted for your organizational unit (leave blank), organization, etc.
- Now generate the Certificate Signing Request (CSR) from the private key generated above using the following command:
keytool -certreq -alias tomcat -file yourdomain.csr -keystore mykeystore
This creates a CSR and stores it in a file namedyourdomain.csr
. - Save a copy of your CSR. The CSR will be needed during the online order process. You'll be asked to copy and paste your CSR into a special CSR box.
Below is an example of what your CSR will look like. This is an example only and cannot be used to generate your SSL certificate.-----BEGIN CERTIFICATE REQUEST-----
MIIB3zCCAUgCAQAwgZ4xCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdHZW9yZ2lhMRAw
DgYDVQQHEwdBdGxhbnRhMREwDwYDVQQKEwhHZW9DZXJ0czEaMBgGA1UECxMRSW5l
cm5ldCBNYXJrZXRpbmcxGTAXBgNVBAMTEHd3dy5nZW9jZXJ0cy5jb20xITAfBgkq
hkiG9w0BCQEWEmFkbWluQGdlb2NlcnRzLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEA5KOi+RnRzBuBQeFYjrwZg1sfT7zr4L8j0Khuoj621x+lGBmFC76c
kGclUIQBmuyp9T9NrNqAjGtEmgdFr6cWLJtgXgi+BaZDLX9BMYF49NuTggNoEUMX
crQRAENHb2YthG2SEcF5p98RNcDPzWOA3a4AMvgkxDlDGYUhbcQhnt0CAwEAAaAA
MA0GCSqGSIb3DQEBBAUAA4GBAIapt6Tw0BTYUwEAX0/oKvaaN/ghErR85jdW7xOD
b1hL0yNfb495A7e/IQyBEP5a/v+QUOtibHS4geiPhH9etAI+DSQmctjbf6dMGJql
gCXGwlsTbjPOSmNT+/X2Uvf1BlplwqAMDghEuFHsjshlypz1NEg94ri2K9N1VrBs
+iAv
-----END CERTIFICATE REQUEST-----
Additional Resources:
Apache Tomcat 6.0 SSL Configuration HOW-TO