How to create a self signed SSL certificate for use with Tomcat?

If you want to generate an SSL cert for development purposes for use with tomcat, you can do it using this one liner (requires JDK on your machine, so this doesnt use openssl).

keytool -genkey -keyalg RSA -noprompt -alias tomcat -dname "CN=localhost, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore keystore.jks -validity 9999 -storepass changeme -keypass changeme

This generates a keystore.jks file with a password of changeme using a keyAlias of tomcat that's valid for 9999 days for localhost

In your tomcat/conf/server.xml, you'd need to specify it like so in your <Connector>

    keyAlias="tomcat"
    keystoreFile="/path/to/my/keystore.jks"
    keystorePass="changeme"

Since Tomcat 8

According to the documentation:

NIO and NIO2 SSL configuration attributes have been deprecated in favor of the default SSLHostConfig

This means the values above should now be put as attributes of connector/SSLHostConfig/Certificate with these names:

    certificateKeyAlias="tomcat"
    certificateKeystoreFile="/path/to/my/keystore.jks"
    certificateKeystorePassword="changeme"

To generate self signed SSL Certificate and add to JAVA truststore for using with Tomcat

  1. Run the following command to generate the SSL certificate.

    keytool -genkey -keyalg RSA -alias tomcat -keystore selfsigned.jks -validity 365 -keysize 2048

    • Where, 365 indicate the number of days for which the certificate will be valid.

    • Above command exports the certificate, whose alias is tomcat.

    • selfsigned.jks is the key store file.

  2. Enter a password for the keystore. Note this password as you require this for configuring the server.

By default, the key store password is set to changeit; you can use the Key Tool utility’s -storepasswd option to change it to something more secure.

  1. When prompted for a first name and the last name, enter the domain name of the server. For example, myserver or myserver.mycompany.com

  2. Enter the other details, such as Organizational Unit, Organization, City, State, and Country.

  3. Confirm that the information entered is correct.

  4. When prompted with "Enter key" password for tomcat, press Enter to use the same password as the key store password.

  5. Run this command to verify the contents of the key store.

    keytool -list -v -keystore selfsigned.jks

    • The Key Tool utility’s -list option lists the contents of a specified key store file.

    • The -v option tells the Key Tool utility to display certificate fingerprints in human-readable form.

  6. When prompted, enter the keystore password noted down in Step 2. The basic information about the generated certificate is displayed.

  7. Verify the certificate’s fingerprints. (Verify that the "Owner" and "Issuer" are the same. Also, you should see the information you provided in Step 3 and 4) Do not accept the certificate and install it in your application’s trust store unless the fingerprints match.

  8. Use the Key Tool utility’s -export option to export the certificate from the key store to a separate certificate file, from which you can then import it into your application’s trust store. For example, the following command exports the certificate shown above, whose alias is tomcat, from the key store (selfsigned.jks) to a certificate file named selfsigned.cer:

    keytool -export -keystore selfsigned.jks -storepass <password> -alias tomcat -file selfsigned.cer

    • password is the keystore password, enter the keystore password noted down in Step 2.

    • The Key Tool utility responds with the following output

      Certificate stored in file selfsigned.cer

  9. Verify the contents of the certificate file.

    • You can double-check the contents of the certificate file to make sure it contains the correct certificate.

    • The Key Tool utility’s -printcert option lists the contents of a specified certificate file. For example, the following command lists the certificate file selfsigned.cer that was created in the preceding step:

      keytool -printcert -v -file selfsigned.cer

    • Once again, the -v option tells the Key Tool utility to display the certificate’s fingerprints in human-readable form.

    • Examine the output from the keytool -printcert command to make sure that the certificate is correct.

  10. If you are having expired certificate present in your application's trust store then you have to delete it using following steps, otherwise directly jump to next step number 13 for importing certificate.


To remove SSL Certificate from JAVA truststore and delete it.

  • Run the following command to delete the certificate from the JAVA trust store.

    keytool -delete -noprompt -trustcacerts -alias tomcat -file selfsigned.cer -keystore "$JAVA_HOME/jre/lib/security/cacerts"

  • When prompted, enter the password (by default the password is changeit)

  • Run the following command to confirm whether certificate is deleted from JAVA trust store.

    keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts" | grep tomcat

  • When prompted, enter the password (by default the password is changeit)

  • Run the following command to remove the certificate file from the system.

    rm -f selfsigned.cer

    To remove SSL Certificate from key store and delete it.

  • Run the following command to delete the certificate from key store.

    keytool -delete -noprompt -trustcacerts -alias tomcat -keystore selfsigned.jks

  • The Key Tool utility prompts you for the key store file’s password:

    Enter the keystore password:

  • Run the following command to confirm whether certificate is deleted from key store.

    keytool -list -keystore keytool -list -keystore selfsigned.jks | grep tomcat

  • The Key Tool utility prompts you for the key store file’s password:

    Enter the keystore password:

  • Run the following command to remove the key store file from the system.

    rm -f selfsigned.jks


  1. Import the certificate into your application’s trust store. The Key Tool utility’s -import option installs a certificate from a certificate file in a specified trust store.

    • For example, if your client application’s trust store is kept in the file $JAVA_HOME/jre/lib/security/cacerts, the following command will install the certificate from the file selfsigned.cer created above:

      keytool -import -noprompt -trustcacerts -alias tomcat -file selfsigned.cer -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit

    • The Key Tool utility responds with the below output:

      Certificate was added to keystore

The certificate is now complete and can be used by Apache Tomcat Server.

  1. In tomcat server.xml, look for the Connector tag in the file, add key store file path and its password. Please refer the following configuration.

    <Connector port="8080" protocol="HTTP/1.1"
               redirectPort="443"
               disableUploadTimeout="false"/>
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
              maxThreads="150" scheme="https" secure="true"
              keystoreFile="selfsigned.jks" keystorePass="<password>"
              clientAuth="false" acceptCount="100"/>