To install an SSL certificate on TomEE or Tomcat, you must import a key pair into the Java key store, not just the certificate.
To do this through a UI with KeyStore Explorer (an open source GUI replacement for the Java command-line utilities keytool and jarsigner), follow the steps below:
- Open KeyStore Explorer and create a new Java key store for the SSL certificate installation. If you are updating an existing SSL certificate, open the existing Java key store instead; its location is given in the SSL connector tag of the server.xml file in the conf folder of TomEE or Tomcat.
- The default password of JKS is "changeit". Once you are in the JKS, import a key pair, which consists of both the private key and the public key. The private key is the .key file and the public key is the certificate file.
- The key pair import offers several options; choose the key pair type that matches your key. If the private key is not protected by a password, uncheck the Encrypted Private Key option.
- Once the key pair and the base certificate are imported, edit the certificate chain so that the relevant certificate chain is formed. Editing the certificate chain means putting the various certificates in the right hierarchy, starting with a root certificate on top (last to be added to the chain) and so on.
- Once the certificate chain is correctly formed, give it an alias to use in the configuration, save the changes to the Java key store, and exit KeyStore Explorer.
- Now go to the server.xml file mentioned earlier. If you updated an existing JKS, update the alias. If you created a new JKS, provide the proper location of the JKS in the connector tag along with the JKS password; if you did not specifically set a password, the default password is changeit. Then provide the proper alias and restart the TomEE/Tomcat service to check whether the certificate was installed properly.
See the TomEE or Tomcat documentation for the changes to the server.xml file.
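Before restarting the service, the two points the steps above depend on can be checked from the command line. This is an added example, not part of the original page or of the Tomcat, TomEE or KeyStore Explorer projects: a shell function that reads `keytool -list -v` output and confirms that the alias holds a key pair rather than a certificate-only entry, and that each certificate in its chain is issued by the next one. The aliases, distinguished names, keystore path and password are constructed placeholders, and the parsing assumes keytool's English output labels.

```shell
# Added example: audit `keytool -list -v` output (on stdin) for one alias.
# Real use; path, password and alias are placeholders:
#   keytool -list -v -keystore conf/keystore.jks -storepass changeit | check_keystore_entry tomcat
check_keystore_entry() {
  awk -v want="$1" '
    { sub(/[ \t\r]+$/, "") }                        # drop trailing blanks and CR
    /^Alias name: / { cur = substr($0, 13); next }  # start of a new entry
    cur != want     { next }                        # ignore other aliases
    /^Entry type: / { etype = substr($0, 13) }
    /^Owner: /      { owner[++n] = substr($0, 8) }  # subject of certificate n
    /^Issuer: /     { issuer[n]  = substr($0, 9) }
    END {
      if (etype == "") { print "FAIL: alias not found"; exit 2 }
      if (etype != "PrivateKeyEntry") {
        print "FAIL: " etype " holds a certificate but no private key"; exit 1
      }
      # Certificate 1 is the leaf; each issuer must be the owner of the next one.
      for (i = 1; i < n; i++)
        if (issuer[i] != owner[i + 1]) { print "FAIL: chain breaks after certificate " i; exit 1 }
      print "OK: key pair with a chain of " n " certificate(s)"
    }'
}

# Constructed sample, trimmed to the keytool fields that the check reads.
sample_keytool_output() {
  cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Alias name: certonly
Entry type: trustedCertEntry
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example
Alias name: badorder
Entry type: PrivateKeyEntry
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example
Owner: CN=www.example.test, O=Example
Issuer: CN=Example Intermediate CA, O=Example
EOF
}

sample_keytool_output | check_keystore_entry tomcat   # prints the OK line
```

The function returns 0 for a usable key pair entry, 1 for a certificate-only entry or a misordered chain, and 2 when the alias is absent.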