3. Create and sign your server certificate

In the following sections we will cover server-certificate creation, signing it with your own CA and import it in a JKS keystore for a use with Tomcat. We will see later that, the way we generated the certificates, we will be able to use them also for an Apache/SSL config.

3.1. Creation of the server certificate

Use the following commands to create your server certificate with openssl:

First we generate the server private key encoded (-des3), and protected with a strong password.

[your_prompt]$ openssl genrsa -des3 -out private/server.key 1024

Then we can create our server certificate signing request (csr). You can send it to an official CA for signing (and pay for that process), but we see here the way to sign it with your own CA.

ImportantServer certificate Common Name (CN)

For a use with browsers, it is very important to specify the server name (www.your-org.xyz) or the netbios name for a local usage.

[your_prompt]$ openssl req -new -key private/server.key -out server.csr

This is the way you can sign your server certificate with your CA:


The first time you use your CA to sign a certificate you can use the -CAcreateserial option. This option will create a file (ca.srl) containing a serial number. You are probably going to create more certificate, and the next time you will have to do that use the -CAserial option (and no more -CAcreateserial) followed with the name of the file containing your serial number. This file will be incremented each time you sign a new certificate. This serial number will be readable using a browser (once the certificate is imported to a pkcs12 format). And we can have an idea of the number of certificate created by a CA.

[your_prompt]$ openssl x509 -req -days 360 -in server.csr -CA public/ca.crt -CAkey private/ca.key 
-CAcreateserial -out public/server.crt

So now we have all we need to make a pkcs12 file. Later, when we will create a client certificate (for client authentication) we will need the pkcs12 certificate for the browsers because it contains the private and public key for the client-side. In this case the client will send a message to the https server encoded with the client certificate private key, the server will decrypt the message with the public client certificate key and compare it with the client certificate in his trust-store. If it match, the server will trust the client certificate and we call that process client authentication.

But we are still to try to make server authentication work. So we are going to create a pkcs12 file (with server.crt and server.key)that we will translate to a JKS keystore: server.jks. This keystore will contain the private and public key necessary to encrypt a message on the server side for the Tomcat web server. We create our pkcs12 file with openssl with the following command:

[your_prompt]$ openssl pkcs12 -export -in public/server.crt -inkey private/server.key -out server.p12

We need now to transform the pkcs12 to a keystore file. For that process we are going to use jetty.jar package, you can download it at jetty. Use the following command after to have put jetty.jar into your classpath:

[your_prompt]$ java org.mortbay.util.PKCS12Import server.p12 server.jks

That's it! You have a JKS keystore that you can use with your Tomcat webservice.

You are ready to complete the SSL connector with a secure path (only root access) to your server.jks and specify the keystore password.

You can also check the content of your keystore with keytool:

[your_prompt]$ keytool -v -list -keystore server.jks

You should have one entry of type keyEntry and that means a certificate chain (private and public key). Good job!

3.2. Test your SSL connection

It's time now to start your server and test your SSL connection with a browser. Enter the url:


Your browser should ask you if you want to trust the certificate. You can install the certificate, but you should use the opportunity to install the CA certificate in the certificate authorities list of your browser. From your browser open the file ca.crt and install it. Restart your browser and try again your https url. Now that you have configured the browser to trust your CA, and because the server certificate is signed by your CA the browser shouldn't ask you to trust the certificate. And that's it, starting now all the data exchanged between your server and the browser are encrypted, congratulations.

If you have a web service installed on the server you can get to the endpoint in a browser using https, try it! Now the next step is to create a SOAP client using https. You will be able soon to find an example in my doc. Check my RSS feed for update.