CSR Generation: Java-based Webservers (e.g. Tomcat) using keytool
Generating a Certificate Signing Request (CSR) for Java-based Webservers such as Tomcat, using keytool
To generate your CSR, log in to the server and open a command prompt or shell, and use the following instructions:
- Generate a new keystore and key with the following command:
keytool -genkey -keyalg RSA -alias server -keystore my_keystore.jks
Replace the file 'my_keystore.jks' with the filename and path you wish to locate the keystore. The alias 'server' can be changed to the site or server name if needed.
For Tomcat, change the '-alias server' to '-alias tomcat'
- You may be prompted for some information:
Enter keystore password:
What is your first and last name?
What is the name of your organizational unit? **This is your Common Name**
What is the name of your organization?
What is the name of your City or Locality?
What is the name of your State or Province?
What is the two-letter country code for this unit?
The 'first and last name' actually means the fully-qualified domain name for your site - e.g. 'www.mydomain.com'.
For wildcard certificates, the Common Name should be in the format: *.mydomain.com
Please take care to remember the password you enter.
- Now generate the CSR using the key and keystore you have just created:
keytool -certreq -alias server -file csr.txt -keystore my_keystore.jks
Ensure that the alias and keystore have the same name and filename as in Step 1.
You will be prompted to enter the password again. If successful, the file 'csr.txt' will be created. Open this file with a text editor and cut and paste the contents into the enrollment form when requested.
If you do not enter an alias with the '-alias' command flag, the default alias will be used, 'mykey'.