Alibaba Cloud SSL Certificates Service allows you to download and install a certificate on a Tomcat server. Tomcat servers support two types of certificates: PFX certificates and JKS certificates. You can download a PFX certificate or a JKS certificate based on your Tomcat version. This topic describes how to download and install a JKS certificate on a Tomcat server.


  • You are logged on to your Tomcat server.
  • Port 443 is enabled for your Tomcat server. Port 443 is the default port for HTTPS services.
  • The OpenSSL tool is installed.
  • The certificate that you want to install on your Tomcat server is downloaded to your computer. For more information about how to download a certificate, see Download a certificate to your computer.
    • If you do not set CSR Generation to Automatic when you apply for a certificate, the certificate package that you download does not include the TXT password file. In this case, you must download a CRT certificate for servers of the Other type and then use the OpenSSL tool to convert the certificate to the PFX format.
    • If you have certificates that are not in the PFX format, you can use the OpenSSL tool to convert your certificates to the PFX format.

Background information

This topic provides an example on how to install a JKS certificate on a Tomcat 7 server that runs a Linux operating system.


  1. Decompress the downloaded certificate package.
    The following files are obtained:
    • Certificate file: domain name.pfx
      Note In this example, the certificate name is domain name.
    • Password file: pfx-password.txt.
    Certificate file
    Note A new password is generated each time you download a certificate. The password is valid only for the downloaded certificate. If you want to update a certificate, you must also update the password.
  2. Convert the certificate format from PFX to JKS.
    1. Enter the following JDK command:
      keytool -importkeystore -srckeystore domain name.pfx -destkeystore domain name.jks -srcstoretype PKCS12 -deststoretype JKS
      Note In Windows operating systems, you must run the preceding command in the %JAVA_HOME%/jdk/bin directory.
    2. Press Enter and enter the password of the PFX certificate. The password is included in the pfx-password.txt file.
      Note The password of the JKS certificate is the same as the password of the PFX certificate. If the two passwords are different, the Tomcat server fails to restart.
  3. Create the cert directory in the installation directory of Tomcat and copy the JKS certificate file and password file to the cert directory.
  4. Modify and save the configuration file server.xml.
    The configuration file is stored in Tomcat installation directory/conf/server.xml.
    1. Remove comments that are added for the following content:
      <Connector  port="8443"
        port="8443" SSLEnabled="true"
        maxThreads="150" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS" />
    2. Modify <Connector port="443" based on the following code:
      <Connector port="443"   # Change the port based on your business requirements. Port 443 is the default port for HTTPS services. If you use a different port, you must access your website by using https://yourdomain:port. 
          keystoreFile="Tomcat installation directory/cert/domain name.jks" # Add the absolute path of the certificate before the certificate name. Replace domain name with the name of your certificate file. 
          keystorePass="Certificate password"  # Enter the content in the pfx-password.txt file. 
  5. Optional:Configure the web.xml file to redirect HTTP requests to HTTPS requests.
    Append the following content to the </welcome-file-list> file:
        <!-- Authorization setting for SSL -->  
        <realm-name>Client Cert Users-only Area</realm-name>  
        <!-- Authorization setting for SSL -->  
        <web-resource-collection >  
            <web-resource-name >SSL</web-resource-name>  
  6. Restart your Tomcat server.
    1. Run the following command to stop your Tomcat server:
    2. Run the following command to start your Tomcat server:

What to do next

After you complete the preceding operations, you can access the domain name that is bound to the certificate to check whether the certificate is installed.
https://domain name   # Replace domain name with the domain name that is bound to the certificate. 

If a lock icon appears in the address bar, the certificate is installed.

If your website cannot be accessed over HTTPS, check whether port 443 is enabled for your Tomcat server.