Create a Certificate Signing Request in Tomcat

These instructions will show you how to create a Certificate Signing Request (“CSR”) in Tomcat using the keytool command.

Tomcat’s “keystore” is a file to hold security-related items like keys and certificates. Tomcat uses Java’s.jks (“Java KeyStore”) format for keystore files. This process requires a new keystore and will fail if an older keystore is used.

Please backup and delete any previous keystores before following the steps below.
The keytool command will allow you to create and work with your new keystore. (If the command is not recognized, then you will need to add the java /bin/ directory to your system PATH.)

Create your new keystore

  1. The command to create your new keystore will follow this format (replace anything in CAPS with your specific information):keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore YOUR_DOMAIN_NAME.jks
  2. Next, you will be asked to enter a password for the keystore. Be sure to document the password
  3.  The system will ask for your other account information, including company, contact name and so forth . Please answer all prompts.

    Older versions of Tomcat may request your “first and last name” – please understand that the tool doesn’t really want your name. Instead, it wants the fully qualified domain name of the website to be secured. This is also called the “Common Name” of the certificate.

  4.  When you have completed entering the information, you will be prompted to confirm the entries with a “y” or “yes”. Please do so.
  5.  When confirmation is complete, your keystore file named YOUR_DOMAIN_NAME.jks will be present in your current working directory.

Create the CSR using your keystore

  1. Use the following command format to create the CSR (remember to replace the CAPS with your specific website information):keytool -certreq -alias tomcat -file YOUR_DOMAIN_csr.txt -keystore YOUR_DOMAIN_NAME.jks
  2. Enter the password for your Keystore
  3. Your CSR is now created in the working directory with the name that you entered in the above command. In the sample command, the CSR would be named “YOUR_DOMAIN_csr.txt”.
  4. Copy and paste the full contents of that file into your CSR submission page at