Using OpenSSL to Create a Certificate Keystore for Tomcat

If you have a private key, an SSL certificate, and a certificate bundle from a Certificate Authority (CA), you can use OpenSSL to create a certificate keystore that Tomcat can utilize.


If you are attempting to issue a Tomcat certificate, see the Enabling SSL on Tomcat with a Public Certificate article.

The following components are required to create a keystore for Tomcat:
  • OpenSSL
  • Private key with a .key file extension from CA
  • SSL certificate file from CA
  • Certificate bundle from CA
  1. Execute the following command to create a .p12 keystore bundle from the private key, SSL certificate, and certificate bundle:
    openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
  2. Enter a password of changeit when prompted.

    If a different password is used, it will need to be specified in the server.xml file.

  3. Once the .p12 keystore bundle is created, move it to the root of the Tomcat directory.
  4. Modify the server.xml file so the connector port includes the following:
  5. Also, update the keystoreFile line of the server.xml file so that it points at the new keystore bundle.
  6. Restart Tomcat. See Starting and Stopping Tomcat for instructions.
  7. In Jamf Pro verify that the correct certificate is now being used. (For example, in Safari, click the lock button in the upper-right corner of the browser window.)