How to Generate Certificate Signing Requests on Tomcat?

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...
Create CSR Tomcat Server

A Certificate Signing Request (CSR) is basically an encoded block of information that can include FQDN/domain information and Company/Org name. You will need this document when you request an SSL/TLS Certificate from a Certificate Authority (CA). If you are using Apache Tomcat, you can create your CSR using Java Keystores with the keytool command.

The following guide will show you how to create a new keystore (if you don’t have one), generate a private key, generate a CSR with SANs, and prepare the CSR for issuance of an SSL Certificate.

Prerequisites

Before you start, make sure you have the following:

  • Java JDK or JRE installed
  • The keytool utility is found in your system path
  • You are an admin on the Tomcat server
  • You know the FQDN you will use for the SSL Certificate (exactly, e.g. www.yoursite.com)

Steps to Generate a CSR on Tomcat Server

Step 1: Create the Keystore and Private Key

Run this in a terminal and (replace hostnames/paths as needed):

keytool -genkeypair \
-alias tomcat \
-keyalg RSA -keysize 2048 \
-keystore yourdomain.p12 -storetype PKCS1

You’ll be prompted to create a keystore password and a key password (can be the same).

Step 2: Enter your Organization Details (DN)

Keytool will prompt for the Distinguished Name (DN) used by your CSR:

  • C (Country): two-letter code (e.g., US)
  • ST (State/Province): full name (e.g., California)
  • L (Locality/City): e.g., San Jose
  • O (Organization): legal company name (e.g., Your Company LLC)
  • OU (Organization Unit): deprecated field; leave blank
  • CN (Common Name): exact hostname (FQDN) you’re securing, or a wildcard like *.yourdomain.com

Note: keytool labels CN as “What is your first and last name?” — enter the FQDN, not a person’s name.

Step 3: Create the CSR Code

Modern clients validate SAN (Subject Alternative Name), not CN alone. Request SANs directly in the CSR:

keytool -certreq \
-alias tomcat \
-keystore example.p12 \
-file yourdomain.csr \
-ext SAN=DNS:yourdomain.com,DNS:www.yourdomain.com

Step 4: Submit the CSR

Your CSR code has been created. It is found in the yourdomain.csr file. You can open it in any text editor you prefer, and then copy and paste the full content of it during your order for purchase. To ensure you do not leave off a line, use the Ctrl + A hotkey to select the full text.

Next Step: How to Install an SSL Certificate in Tomcat?

Conclusion

Creating a CSR with Apache Tomcat is the first step to securing your Java applications with an SSL/ TLS certificate.

You will create a keystore, create a private key, and enter the appropriate domain name along with the SAN details in the CSR to ensure that your SSL certificate will be issued without problems when you purchase and install the SSL certificate.

With low prices on SSL certificates, purchase today! If you require assistance with CSR creation, SSL installation, configuration, or troubleshooting, feel free to contact our support team for assistance.

Janki Mehta

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast having 7+ years of experience and knowledge about Encryption, Digital Certificates and Online Security, She helps online users to stay safe and protect their online presence. Explore SSL Errors, Installation Guide and Security Tutorials for Safe Browsing and Web Security Experience.