1. Create the CSR (below is an example of generating CSR for http://host.name.com - an actual and existing domain):
openssl req -new -newkey rsa:2048 -nodes -out host_name_com.csr
-keyout host_name_com.key -subj "/C=US/ST=Colorado/L=Denver/O=Name.com
2. The command above will produce two files : host_name_com.csr and host_name_com.key. You have to submit the contents of host_name_com.csr to the certificate authority, like, DigiCert, VeriSign, CACert, etc. You may use the URL below to validate your csr:
3. Once the validated certificate has been received, you have to combine the private key and verified certificate into a file as PKCS12 (set password; you may use tomcat's default, 'changeit'):
openssl pkcs12 -export -inkey host_name_com.key
-in host_name_com.crt -out host_name_com.p12
host_name_com.key = key generated along with the csr host_name_com.crt = certificate received from the certificate authority host_name_com.p12 = the new file that will contain the key and the certificate
4. Add the p12 to your keystore, password should be similar to the one used on #3 (or tomcat's default, 'changeit')
keytool -importkeystore -destalias tomcat -destkeystore keystore.jkskeystore.jks = my named keystore, default is ".keystore"
-srckeystore host_name_com.p12 -srcstoretype PKCS12 -alias 1
5. Modify tomcat's server.xml under conf folder:
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
keystorePass="changeit" maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
6. Restart the server. And when you access your applications, you should now see the verified certificate on your site.