Install an SSL Certificate on a Tomcat or Java-based Web Server

This how-to illustrates how to install SSL certificates on a Tomcat or other Java-based server with keytool, a command-line tool for managing keys and certificates in a Java KeyStore.

Root and Intermediate Certificates

Proper functioning of a server certificate depends on the successful installation of intermediate and root certificates. The complete certificate chain typically includes 4 files (the older USERTRUST roots also use 4 files): roots

Certificate Files
CERTUM_TRUSTED_NETWORK_CA.crt Root 1 Certificate
SSL_COM_RSA_SSL_SUBCA.crt Intermediate Certificate
your_domain_here.crt Signed Server Certificate


Certificate Files
AAACertificateServices.crt Root Certificate
USERTrustRSAAAACA.crt Intermediate Certificate 1
SSLcomDVCA_2.crt Intermediate Certificate 2
your_domain_here.crt Signed Server Certificate


Certificate Installation with Keytool

Note: In the commands shown below, you’ll need to replace the example keystore name domain.key with your keystore name.

Use the keytool command to import the root certificate(s) as follows (use the clickable tabs to select between instructions for roots and USERTRUST roots: RootsUSERTRUST Roots

Use the keytool command to import the Certum root certificate as follows:

keytool -import -trustcacerts -alias root1 -file CERTUM_TRUSTED_NETWORK_CA.crt -keystore domain.key

Use the same process for the root certificate using the keytool command(notice that the alias is slightly different than before):

keytool -import -trustcacerts -alias root2 -file SSL_COM_ROOT_CERTIFICATION_AUTHORITY_RSA.crt -keystore domain.key

Next, you’ll install the intermediate certificate:

keytool -import -trustcacerts -alias INTER -file SSL_COM_RSA_SSL_SUBCA.crt -keystore domain.key

Use the keytool command to import the USERTRUST root certificate as follows:

keytool -import -trustcacerts -alias root -file AAACertificateServices.crt -keystore domain.key

Use the same process for the first intermediate certificate using the keytool command:

keytool -import -trustcacerts -alias INTER1 -file USERTrustRSAAAACA.crt -keystore domain.key

Next, you’ll install the second intermediate certificate (notice that the alias is slightly different than before):

keytool -import -trustcacerts -alias INTER2 -file SSLcomDVCA_2.crt -keystore domain.key

Use the same process for the site certificate using the keytool command.  The alias for this certificate should match the alias that you used when creating the CSR.

keytool -import -trustcacerts -alias yyy (where yyy is the alias specified during CSR creation) -file domain.crt -keystore domain.key

The password is then requested:
Enter keystore password: (This is the one used during CSR creation)

The following information will be displayed about the ssl certificate and you will be asked if you want to trust it (the default is no so type ‘y’ or ‘yes’):

Owner: CN= Root, O=Root, C=US
Issuer: CN=Root, O=Root, C=US
Serial number: 111111111111
Valid from: Fri JAN 01 23:01:00 GMT 1990 until: Thu JAN 01 23:59:00 GMT 2050
Certificate fingerprints:
MD5: D1:E7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
SHA1: B6:GE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64
Trust this certificate? [no]:

Then an information message will display as follows:

Certificate was added to keystore

All the certificates are now loaded and the correct root certificate will be presented.

Thank you for choosing! If you have any questions, please contact us by email at, call 1-877-SSL-SECURE, or just click the chat link at the bottom right of this page.



Subscribe To’s Newsletter

Don’t miss new articles and updates from

Stay Informed and Secure is a global leader in cybersecurity, PKI and digital certificates. Sign up to receive the latest industry news, tips, and product announcements from

We’d love your feedback

Take our survey and let us know your thoughts on your recent purchase.