Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java’s standard “Java KeyStore” format, and is the format created by the keytool command-line utility. This tool is included in the JDK. The PKCS12 format is an internet standard, and can be manipulated via (among other things) OpenSSL and Microsoft’s Key-Manager.

Each entry in a keystore is identified by an alias string. Whilst many keystore implementations treat aliases in a case insensitive manner, case sensitive implementations are available. The PKCS11 specification, for example, requires that aliases are case sensitive. To avoid issues related to the case sensitivity of aliases, it is not recommended to use aliases that differ only in case.

To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about keytool. Note that OpenSSL often adds readable comments before the key, but keytool does not support that, so remove the OpenSSL comments if they exist before importing the key using keytool.

To import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like:

For more advanced cases, consult the OpenSSL documentation.

To create a new keystore from scratch, containing a single self-signed
Certificate, execute the following from a terminal command line:
(The RSA algorithm should be preferred as a secure algorithm, and this
also ensures general compatibility with other servers and components.)
This command will create a new file, in the home directory of the user under which you run it, named “.keystore”. To specify a different location or filename, add the -keystore parameter, followed by the complete pathname to your keystore file, to the keytool command shown above. You will also need to reflect this new location in the server.xml configuration file, as described later. For example:

After executing this command, you will first be prompted for the keystore password. The default password used by Tomcat is “changeit” (all lower case), although you can specify a custom password if you like. You will also need to specify the custom password in the server.xml configuration file, as described later.

Next, you will be prompted for general information about this Certificate,
such as company, contact name, and so on. This information will be displayed
to users who attempt to access a secure page in your application, so make
sure that the information provided here matches what they will expect.

Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself. (The keytool prompt will tell you that pressing the ENTER key does this for you automatically.)

If everything was successful, you now have a keystore file with a
Certificate that can be used by your server.

Note: your private key password and keystore password should be the same. If they differ, you will get an error along the lines of java.io.IOException: Cannot recover key, as documented in Bugzilla issue 38217, which contains further references for this issue.
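As an added check that is not part of the Tomcat documentation, the following standalone Java program loads a JKS or PKCS12 keystore the way Tomcat does and reports the three pitfalls described above: the default keystore password still in use, aliases that differ only in case, and a key entry whose password differs from the keystore password (the condition behind the “Cannot recover key” error). The class name KeystoreCheck and its command-line arguments are this example’s own.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;

public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java KeystoreCheck <JKS|PKCS12> <keystore-path> <storepass>");
            System.exit(2);
        }
        char[] storePass = args[2].toCharArray();
        int problems = 0;
        if (Arrays.equals(storePass, "changeit".toCharArray())) {
            System.out.println("WARN keystore is still protected by Tomcat's default password");
            problems++;
        }
        KeyStore ks = KeyStore.getInstance(args[0]);
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, storePass); // an IOException here means the keystore password is wrong
        }
        Map<String, String> byLowerCase = new HashMap<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Aliases that differ only in case are handled differently by different keystore types.
            String clash = byLowerCase.put(alias.toLowerCase(), alias);
            if (clash != null) {
                System.out.println("WARN aliases differ only in case: " + clash + " / " + alias);
                problems++;
            }
            if (!ks.isKeyEntry(alias)) continue; // trusted-certificate entries have no private key
            try {
                // Tomcat unlocks the private key with the keystore password unless a separate
                // key password is configured; a different one surfaces as "Cannot recover key".
                Key key = ks.getKey(alias, storePass);
                System.out.println("OK   '" + alias + "': " + key.getAlgorithm() + " private key recoverable");
            } catch (UnrecoverableKeyException ex) {
                System.out.println("FAIL '" + alias + "': key password differs from the keystore password");
                problems++;
            }
        }
        System.exit(problems == 0 ? 0 : 1);
    }
}
```

Run it against the keystore file and password referenced from server.xml before restarting Tomcat; a non-zero exit status means at least one of the conditions above was found.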