How to Generate Certificate Signing Requests on Tomcat?
A Certificate Signing Request (CSR) is basically an encoded block of information that can include FQDN/domain information and Company/Org name. You will need this document when you request an SSL/TLS Certificate from a Certificate Authority (CA). If you are using Apache Tomcat, you can create your CSR using Java Keystores with the keytool command.
The following guide will show you how to create a new keystore (if you don’t have one), generate a private key, generate a CSR with SANs, and prepare the CSR for issuance of an SSL Certificate.
Prerequisites
Before you start, make sure you have the following:
- Java JDK or JRE installed
- The keytool utility is found in your system path
- You are an admin on the Tomcat server
- You know the FQDN you will use for the SSL Certificate (exactly, e.g. www.yoursite.com)
Steps to Generate a CSR on Tomcat Server
Step 1: Create the Keystore and Private Key
Run this in a terminal and (replace hostnames/paths as needed):
keytool -genkeypair \
-alias tomcat \
-keyalg RSA -keysize 2048 \
-keystore yourdomain.p12 -storetype PKCS1
You’ll be prompted to create a keystore password and a key password (can be the same).
Step 2: Enter your Organization Details (DN)
Keytool will prompt for the Distinguished Name (DN) used by your CSR:
- C (Country): two-letter code (e.g., US)
- ST (State/Province): full name (e.g., California)
- L (Locality/City): e.g., San Jose
- O (Organization): legal company name (e.g., Your Company LLC)
- OU (Organization Unit): deprecated field; leave blank
- CN (Common Name): exact hostname (FQDN) you’re securing, or a wildcard like *.yourdomain.com
Note: keytool labels CN as “What is your first and last name?” — enter the FQDN, not a person’s name.
Step 3: Create the CSR Code
Modern clients validate SAN (Subject Alternative Name), not CN alone. Request SANs directly in the CSR:
keytool -certreq \
-alias tomcat \
-keystore example.p12 \
-file yourdomain.csr \
-ext SAN=DNS:yourdomain.com,DNS:www.yourdomain.com
Step 4: Submit the CSR
Your CSR code has been created. It is found in the yourdomain.csr file. You can open it in any text editor you prefer, and then copy and paste the full content of it during your order for purchase. To ensure you do not leave off a line, use the Ctrl + A hotkey to select the full text.
Next Step: How to Install an SSL Certificate in Tomcat?
Conclusion
Creating a CSR with Apache Tomcat is the first step to securing your Java applications with an SSL/ TLS certificate.
You will create a keystore, create a private key, and enter the appropriate domain name along with the SAN details in the CSR to ensure that your SSL certificate will be issued without problems when you purchase and install the SSL certificate.
With low prices on SSL certificates, purchase today! If you require assistance with CSR creation, SSL installation, configuration, or troubleshooting, feel free to contact our support team for assistance.