How to Generate a CSR for Tomcat

A key pair must be created for the server in order to generate a CSR. It is important for the key pair and the digital certificate to not be separated. If the password or the public/private key file is lost or amended before the SSL certificate is installed, the SSL certificate will need to be re-issued. In order for the installation to be successful, the private key, CSR, and the digital certificate must all match.

Step 1: Create a Keystone and Private Key
  1. Use the following command to create a certificate keystone and private key.

    Unix: $JAVA_HOME/bin/keytool -genkey -alias -keyalg RSA -keystore -keysize 2048

  2. Create a keystore password. Tomcat uses a default password of changeit. To change the password, you need to create a password in the server.xml configuration file. If you would like to keep the default password, just hit Enter.
  3. This command will instruct for the following X.509 attributes of the certificate:

    a. First and Last name (Common Name (CN)): Enter the domain name of your website. For example,

    b. Organizational Unit (OU): This tab can help identify certificates registered to an organization but it is optional. The OU field is the name of the organization or department making the request.

    c. Organization (O): This is simply the name of your company. If your company has any symbol such as & or @, be sure to spell it out or omit the symbol.

    d. Locality or City (L): This tab is the city of town where your company is primary located.

    e. State or Province (S): Be sure to spell out the name of the State completely. No abbreviations please.

    f. Country Name (C): Use the two-letter code without punctuation for country. For example, US.

    NOTE: SSL certificates can only be used on web servers using the Common Name specified during enrollment. For example, if a certificate has been made for the domain, "", a warning will appear if accessing a site named "" because it is different than the original domain name.

    Press enter when prompted for the password for the private key alias. This will set the private key password to the same password used for the keystore from the previous step.

    Be sure to make note of the private key and the keystore password because they cannot be retrieved once they are set.
Step 2: Generate a CSR
  1. To generate the CSR, run the following command: keytool -certreq -keyalg RSA -alias -file certreq.csr -keystore

  2. Verify your CSR

  3. In case of installation issues that can occur while importing the certificate into the original keystore file, create a copy of the keystore file to help resolve this potential issue.

  4. Open the file in a text editor that does not add extra characters (Notepad and Vi are highly recommended) to copy and paste the file certreq.csr into the enrollment form. Make sure to include the "BEGIN CERTIFICATE REQUEST" and "END CERTIFICATE REQUEST" header and footer.
    The text file should look like this:

    [encoded data]