SSL Setup .p12

Modified on Wed, Mar 13 at 9:07 AM

Configuring TLS / SSL (Java 11 and forward)

Creating a new Wildcard TLS / SSL Certificate

Do not use these instructions with a server running Java 8 or less.

Create a PKCS 12 Keystore

Create a directory and keystore to hold the self-signed certificate.

Linux / UNIX

mkdir /genesis/ssl
cd /genesis/ssl
keytool -genkey -alias tomcat -keystore genesis.p12 -storetype PKCS12 -keyalg RSA -storepass sch00lisc00l

Windows

d:
mkdir \genesis\ssl
cd \genesis\ssl
keytool -genkey -alias tomcat -keystore genesis.p12 -storetype PKCS12 -keyalg RSA -storepass sch00lisc00l


Creating a certificate with Subject Alternative Names (alternate domain names)

Additional domain names can be added to the certificate in addition to the domain name given as the answer to "What is your first and last name?" below. Modern browsers match the server name against the SAN list only, so include the primary name in the SAN list as well.

To add one domain, append the -ext SAN=dns:fqdn parameter to the end of the keytool command above.

To add more than one domain, list them separated by commas: -ext SAN=dns:fqdn1,dns:fqdn2,...

keytool -genkey -alias tomcat -keystore genesis.p12 -storetype PKCS12 -keyalg RSA -storepass sch00lisc00l -ext SAN=dns:staff.mydomain.com,dns:portal.mydomain.com

The tool will ask several questions; the following table shows appropriate answers:

Question: What is your first and last name?
Sample answer: www.genesisedu.com or *.genesisedu.com for wildcard certificates.

Question: What is the name of your organizational unit?
Sample answer: Information Technology

Question: What is the name of your organization?
Sample answer: Something something public schools

Question: What is the name of your City or Locality?
Sample answer: Martinsville

Question: What is the name of your State or Province?
Sample answer: New Jersey (do not use abbreviated state names!)

Question: Country?
Sample answer: US

Question: Is CN=www.genesisedu.com, OU=Information Technology, O=Genesis EDU, L=South Plainfield, ST=New Jersey, C=US correct?
Sample answer: Yes

Question: Enter key password for <tomcat> (RETURN if same as keystore password):
Sample answer: Press enter

It's important that the first and last name field contain the domain name of the server.

Configure Apache Tomcat to use the SSL Certificate

Next, tell Tomcat to use this keystore (and its self-signed certificate).

  • Stop Tomcat.
  • Edit the /usr/tomcat/conf/server.xml (or c:\tomcat\conf\server.xml) file.
  • Look for the line <Service name="Catalina">
  • Add this block of XML after that line, replacing the keystoreFile value (c:/genesis/ssl/genesis.p12 on Windows, /genesis/ssl/genesis.p12 on Linux / UNIX) and the keystorePass value with your own:

<Connector port="443"
           enableLookups="false"
           connectionTimeout="20000" scheme="https"
           sslProtocol="TLS" secure="true" SSLEnabled="true"
           keystoreFile="c:/genesis/ssl/genesis.p12"
           keystorePass="sch00lisc00l"
           sslEnabledProtocols="all,-SSLv2Hello,-TLSv1,-TLSv1.1" />

  • server.xml now holds the keystore password in clear text, so restrict read access to it (and to the keystore file) to the account Tomcat runs as.
  • If you want Genesis to listen only on SSL, comment out all of the other Connector XML blocks.
  • Start Tomcat.

Test the self-signed certificate

Using any web browser, navigate to Genesis over HTTPS (for example https://www.genesisedu.com/genesis).
Because this is a self-signed certificate, the browser will show a warning.
Click the Yes (or OK) button to continue.

Genesis is now configured to work with SSL. In this configuration, every time a user logs into Genesis they will be presented with that warning. To eliminate it, the self-signed certificate must be replaced with one signed by a certificate authority.

Upgrading to a signed certificate

A signed SSL certificate is purchased from a certificate authority such as http://www.verisign.com, http://www.thawte.com, or http://www.godaddy.com. Prices vary widely between authorities. A certificate is purchased for a period of usually 1 to 5 years.

Create a CSR (Certificate Signing Request)

Go to the d:\genesis\ssl or /genesis/ssl directory and run this command:

keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -file certreq.csr -keystore genesis.p12

You will be asked for the keystore password that you entered earlier. Once entered, a file called certreq.csr is created. This is an ordinary text file; when applying for a certificate, the certificate authority will ask for its contents. Some authorities let you attach the file to an e-mail; others ask you to copy and paste the contents into a web form.
Your certificate authority will also ask what type of web server the certificate will be used on. Choose an answer with the word Tomcat in it; do not answer Apache. Tomcat is not the Apache Web Server, although both are made by the Apache Software Foundation.
You now have the data required to purchase a certificate. Once the certificate is purchased, continue to the next step.

Installing the signed certificate

Make a backup copy of the genesis.p12 keystore before proceeding.

Obtain and install the chain (or root) and intermediate certificates.

Some vendors require that an intermediate or root certificate be installed before the certificate itself. The instructions vary from vendor to vendor. If your vendor has given you these files, the command to import each one is:

keytool -import -alias inter1 -keystore genesis.p12 -trustcacerts -file gd_bundler.crt

For each certificate file provided (except the actual signed certificate), use a different alias and supply the correct file name in the -file parameter.

Install your new certificate

Finally, install the actual signed certificate (run this from the /genesis/ssl or d:\genesis\ssl directory, like the other keytool commands). The alias must be tomcat, the alias that holds the private key, so that keytool stores the signed certificate as the reply for that key rather than as a separate trusted certificate:

keytool -import -alias tomcat -keystore genesis.p12 -trustcacerts -file certificate.txt

Start or restart Apache Tomcat.

Updating an expired certificate

When your certificate expires, you will need to install a new certificate with a new expiration date. Obtain it from the certificate authority that issued your original certificate. The renewed certificate must be issued for the same key pair (that is, from a CSR generated from this keystore); keytool rejects a certificate whose public key does not match the tomcat key.

Stop Tomcat.
Make a backup copy of the genesis.p12 keystore before proceeding.

Install the renewed certificate with this command (run it from the d:\genesis\ssl or /genesis/ssl directory):

keytool -import -alias tomcat -keystore genesis.p12 -trustcacerts -file certificateX.crt

Start Tomcat.
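A check to run after any of the installs above (self-signed, CA-signed, or renewed), added here as an example rather than code from the original article or from Genesis: it fetches the certificate Tomcat serves on port 443 and verifies that it covers the server name (CN or SAN, wildcard included, as discussed under Subject Alternative Names) and that it is not expired or about to expire. The script name check_tls.py, the exported PEM name genesis.pem and the sample certificate dictionary are assumptions.

```python
import socket
import ssl
import time
# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.genesisedu.com"),),),
    "subjectAltName": (("DNS", "staff.genesisedu.com"), ("DNS", "portal.genesisedu.com")),
    "notAfter": "Mar 13 09:07:00 2030 GMT",
}

def cert_names(cert):
    """DNS names from the SAN extension plus the subject CN (keytool's 'first and last name')."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [value for key, value in rdn if key == "commonName"]
    return names

def name_matches(pattern, hostname):
    """A wildcard such as *.genesisedu.com covers exactly one label to the left of the dot."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def check_cert(cert, hostname, now=None, warn_days=30):
    """Return a list of problems (empty means usable); now is epoch seconds, default current time."""
    now = time.time() if now is None else now
    problems = []
    if not any(name_matches(name, hostname) for name in cert_names(cert)):
        problems.append(f"certificate does not cover {hostname}")
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    days_left = int((expires - now) // 86400)
    if expires <= now:
        problems.append("certificate expired on " + time.strftime("%Y-%m-%d", time.gmtime(expires)))
    elif days_left < warn_days:
        problems.append(f"certificate expires in {days_left} days")
    return problems

def fetch_cert(host, port=443, cafile=None):
    """Fetch the peer certificate. Self-signed: pass as cafile the PEM exported with
    keytool -exportcert -alias tomcat -keystore genesis.p12 -rfc -file genesis.pem; CA-signed: None."""
    ctx = ssl.create_default_context(cafile=cafile)  # the chain is still verified (CERT_REQUIRED)
    ctx.check_hostname = False  # the name check is done, and reported, by check_cert()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
if __name__ == "__main__":  # usage: check_tls.py www.genesisedu.com [genesis.pem]; no args = sample
    import sys
    host, cafile = (sys.argv + [None, None])[1:3]
    print(check_cert(fetch_cert(host, cafile=cafile) if host else SAMPLE_CERT, host or "www.genesisedu.com") or "OK")
```

Run it without arguments to exercise the constructed sample; with a host name (and the exported PEM for the self-signed case) it checks the live Tomcat listener.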

Using a certificate from an IIS Server

It is possible, with Apache Tomcat 6 and 7 running on Java 1.6.0_12 or better, to use an existing certificate exported from a Microsoft IIS server. The certificate should be exported to a .pfx file. During the export process you will be asked to choose a password for the .pfx file; be sure to keep a note of it. Place the .pfx file in the d:\genesis\ssl (or /genesis/ssl) directory on the Genesis server.

Open the server.xml file and alter the SSL connector section to look like this (keystorePass is the password chosen during the export):

<Connector port="443"
           enableLookups="false"
           connectionTimeout="20000" scheme="https"
           sslProtocol="TLS" secure="true" SSLEnabled="true"
           keystoreFile="d:/genesis/ssl/myisscert.pfx"
           keystorePass="sch00lisc00l"
           keystoreType="pkcs12" />

Note: Be sure to enter the keystore password correctly, or you may see an error such as "Given final block not properly padded" logged in catalina.out.

With some browsers, the following error may appear in the Tomcat log:

05-Nov-2020 16:46:18.098 SEVERE [https-jsse-nio-192.168.50.25-443-exec-9] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.NullPointerException
    at java.base/sun.security.ssl.HKDF.extract(HKDF.java:93)
    at java.base/sun.security.ssl.HKDF.extract(HKDF.java:119)

The workaround is to disable TLS 1.3 in the connector:

sslEnabledProtocols="all,-SSLv2Hello,-TLSv1,-TLSv1.1,-TLSv1.3"

Because the stack trace lies entirely inside the JDK's own TLS implementation (java.base), updating to a current Java release and re-enabling TLS 1.3 is the preferable long-term fix; treat the setting above as a workaround.
