To generate a CSR and Private Key for Tomcat, perform the following steps:

Using the Java JDK Tool (Recommended JDK 1.4 or higher) , Keytool:  Go into the JDK/bin/ directory (/j2sdk1.4.0/bin/)


Using the java keytool command line utility, the first thing you need to do is create a keystore and generate the key pair. Do this with the following command:

keytool -genkey -keysize 2048 -keyalg RSA -alias [Alias name] -keystore [Keystore Name]

Enter keystore password:  Choose a password and enter it when prompted to do so.

What is your first and last name?
[Unknown]: (example)

What is the name of your organizational unit?
[Unknown]:  Thawte testing (example)

What is the name of your organization?
[Unknown]:  Thawte Testing (example)

What is the name of your City or Locality?
[Unknown]:  Cape Town (example)

What is the name of your State or Province?
[Unknown]:  Western Province (example)

What is the two-letter country code for this unit?
[Unknown]:  ZA (example)

Is, OU=Thawte testing, O=Thawte Testing, L=Cape Town, ST=Western Province, C=ZA correct?
[no]:  yes

Enter key password for <tomcat>

(RETURN if same as keystore password)

NOTE: Please specify the same password for the keystore and the keyentry or else you will receive the following error message when you restart the jakarta engine: “ Cannot recover key”

Note, that a keystore was created.

Please run: keytool -list -keystore [keystorename] to make sure you can read the keystore file.

The keystore will be stored in your JDK/bin directory. Create a copy of the keystore file and store it on a removable disk for safe keeping in case of a server crash.


Backup Keystore file:  To backup the keystore file with the keyentry just created, please refer to the following solution: SO1870


Generate a CSR off the newly create keystore and keyentry:
keytool -certreq -alias tomcat -keyalg RSA -file certreq.csr -keystore [keystorename]

Enter keystore password (from Step 1).

The CSR will be saved to your JDK/bin directory:





Submit the CSR in our online Certificate enrollment process and fax the necessary documentation to your Thawte Representative.


Thawte has made efforts to ensure the accuracy and completeness of the information in this document. However, Thawte makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. Thawte assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, Thawte assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Thawte reserves the right to make changes to any information herein without further notice.