Jamf Nation, hosted by Jamf, is the largest Apple IT management community in the world. Dialog with your fellow IT professionals, gain insight about Apple device deployments, share best practices and bounce ideas off each other. Join the conversation.

Using OpenSSL to Create a Certificate Keystore for Tomcat


If you have a private key, an SSL certificate, and a certificate bundle from a Certificate Authority (CA), you can use OpenSSL to create a certificate keystore that Tomcat can utilize.


The following components are required to create a keystore for Tomcat:

  • OpenSSL
  • Private key with a .key file extension from CA
  • SSL certificate file from CA
  • Certificate bundle from CA


  1. Execute the following command to create a .p12 keystore bundle from the private key, SSL certificate, and certificate bundle:
    openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 -name tomcat -CAfile myCA.crt -caname root -chain
  2. Enter a password of “changeit” when prompted. Note: If a different password is used, it will need to be specified in the server.xml file.
  3. Once the .p12 keystore bundle is created, move it to the root of the Tomcat directory.
  4. Modify the server.xml file so the connector port includes the following:
  5. Also, update the keystoreFile line of the server.xml file so that it points at the new keystore bundle.
  6. Restart Tomcat. See Starting and Stopping Tomcat for instructions.
  7. Browse to the JSS and verify that the correct certificate is now being used. (For example, in Safari, click the lock button in the upper-right corner of the browser window.)
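The following script is an added example (not part of the original article) that rehearses step 1 end to end and then checks the result. Because a real CA-issued key, certificate and bundle cannot be shipped with a page, it constructs a throwaway root CA and a certificate it signs as stand-ins, packages them with the same openssl pkcs12 command the article gives, and then counts the certificates inside the .p12: with -chain the keystore should hold both the server certificate and the root, which is what Tomcat needs to present a complete chain. File names match the article; the -passout/-passin flags simply supply the "changeit" password non-interactively.

```shell
#!/bin/sh
# Builds a constructed CA + server certificate in a temp directory, creates the
# Tomcat keystore the way the article's step 1 does, and prints how many
# certificates the keystore contains (expected: 2, the server cert and the root).
set -eu

build_and_check_keystore() (
  work=$(mktemp -d)
  cd "$work"

  # Constructed stand-in for the CA bundle: a self-signed root (1-day validity).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout myCA.key -out myCA.crt \
    -subj "/CN=Example Root CA" -days 1 2>/dev/null

  # Constructed stand-in for the private key and the certificate a CA would issue.
  openssl req -newkey rsa:2048 -nodes -keyout mykey.key -out mycert.csr \
    -subj "/CN=jss.example.com" 2>/dev/null
  openssl x509 -req -in mycert.csr -CA myCA.crt -CAkey myCA.key -CAcreateserial \
    -out mycert.crt -days 1 2>/dev/null

  # The article's command; -chain pulls the issuing chain from -CAfile into the .p12.
  openssl pkcs12 -export -in mycert.crt -inkey mykey.key -out mycert.p12 \
    -name tomcat -CAfile myCA.crt -caname root -chain -passout pass:changeit

  # Verification: list only the certificates and count them. A keystore built
  # without -chain (or with a wrong -CAfile) would show 1 here, not 2.
  count=$(openssl pkcs12 -in mycert.p12 -nokeys -passin pass:changeit 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE')

  cd / && rm -rf "$work"
  echo "$count"
)

if command -v openssl >/dev/null 2>&1; then
  echo "certificates in mycert.p12: $(build_and_check_keystore)"
fi
```

The same `openssl pkcs12 -in mycert.p12 -nokeys` listing is worth running against a keystore built from real CA files before it is moved into the Tomcat directory, since a missing intermediate will not be noticed until browsers start reporting an incomplete chain.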
SOLVED Posted: by mazarothit

When you say "move it to the root of the tomcat directory" do you mean /usr/local/jss/tomcat or /usr/local/jss/tomcat/webapps/ROOT ?

SOLVED Posted: by winningham.2

@mazarothit if you are using JSS 9.x, you can do the following steps:
JSS> System Settings> Apache Tomcat Settings> Edit> Change the SSL certificate used for HTTPS> Upload an existing SSL certificate and just upload the p12 keystore you just created.

Afterwards you need to restart Tomcat to actually "set" the cert within the Tomcat Webserver.

Hope that helps.

SOLVED Posted: by bobkrez

This is my first time getting an SSL certificate. I have one now but the certificate has a .cer for the extension. The first line shows a file called mycert.crt. Can I rename my cert to that extension, i.e., cert.crt from cert.cer, so I can create the p12?

SOLVED Posted: by ravijangra

@bobkrez - though you can rename the cert file, you don't need to do that. In case you want to, then refer to it properly.

SOLVED Posted: by snovak

There's a GUI for openssl called XCA which may come in handy for some people.

SOLVED Posted: by Gocobachi

I definitely would be interested in using XCA.