Tomcat Keystore

The above entries need to be in the server.xml file to enable TLS mode. See Creating a keystore From Tomcat Webserver Video for instructions on how to create the keystore, sign the request and import the certificate onto the tomcat web server (the video is based on the BMC TrueSight Presentation Server, but is valid for any tomcat web server).

  1. Jan 16, 2020 Configuring tomcat with SSL is three step process. 1) Generating Keystore 2) Updating Connector in server.xml 3) Updating application's web.xml with secured URLs. 1) Generating Keystore. SSL certificates are JKS files. JKS format stands for Java KeyStore, which is a Java-specific keystore format.
  2. The end result is a JKS keystore which can then be used in the Tomcat Connector configuration as the keystore. The above tool will generate the JKS file with default passwords for the key and JKS file itself, these can be changed later using keytool -storepasswd and keytool -keypasswd. Hope this helps for people facing the same issue.
  3. Tomcat is unable to find the keystore path that was added to the server.xml file. The keystore path in the server.xml file has an extraneous space character. The certificate is not.
  4. KeyStore Explorer KeyStore Explorer is an open source GUI replacement for the Java command-line utilities keytool and jarsigner. KeyStore Explorer presents their functionality, and more, via an intuitive graphical user interface.

SSL, or Secure Socket Layer, is a technology which allows web browsers andweb servers to communicate over a secured connection. This means that the databeing sent is encrypted by one side, transmitted, then decrypted by the otherside before processing. This is a two-way process, meaning that both theserver AND the browser encrypt all traffic before sending out data.

Another important aspect of the SSL protocol is Authentication. This meansthat during your initial attempt to communicate with a web server over a secureconnection, that server will present your web browser with a set ofcredentials, in the form of a 'Certificate', as proof the site is who and whatit claims to be. In certain cases, the server may also request a Certificatefrom your web browser, asking for proof that you are who you claimto be. This is known as 'Client Authentication,' although in practice this isused more for business-to-business (B2B) transactions than with individualusers. Most SSL-enabled web servers do not request Client Authentication.

Import the certificate and private key


1. Enter the following command from the terminal:


  • <path/to/cert> is the full path to the location of your certificate.

  • <path/to/key> is the full path to the location of your private key

  • <alias> is the name you wish to use to identify this keystore entry

  • <keystore-name> is the name you wish to use for your new keystore

2. When prompted, enter the passphrase for your key (if you have one)

3. When prompted, provide a password to use for the keystore

Import the root certificates

Note: this step may or may not be necessary for your certificate

1. Change into the jre/bin directory of your Java installation

Tomcat Keystore

2. Enter the following command:


  • <your_keystore_filename> is the full path to the location of your keystore

  • <filename_of_the_chain_certificate> is the full path to your chain certificate

3. When prompted, enter the password for your keystore in order to import the chain certificate

Configure Tomcat's server.xml file

1. Edit the file tomcat/conf/server.xml (found within the Cascade CMS directory)

Tomcat create keystore

2. Uncomment the SSL/TLS HTTP/1.1 Connector and add the following parameters:


Tomcat Keystoretype Jks

  • <alias> is the name you chose to use to identify your keystore entry above

Create Tomcat Keystore

  • <path/to/keystore> is the full path to the location of the keystore you created above

  • <keystore_pass_from_above> is the keystore password you had set above

Tomcat Keystore Alias

NOTE: To prevent issues, we recommend that you avoid using any of the following characters in your keystore password: & < > ' '