There are two ways of setting up SSL.

First way: PFX

PFX is a keystore which contains three components: root, intermediate and a key.

We go to the file server.xml in the Tomcat configuration, uncomment the HTTPS connector and add this:

<Connector port="443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" keystoreFile="<path to the keystore location including the file>" keystorePass="<get from the client>" keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" />


It is recommended to put the PFX, or any other certificate that we get from the client, in the conf folder inside the Tomcat folder. Then in the keystoreFile property we write "conf/XXX.pfx".

In the HTTP connector in the server.xml file, we set the redirect property (redirectPort) to 443.

We must pay attention that the server names for which we were given the certificates are case sensitive. If the server name on the certificate is not exactly the same as the name of our server, it won't work!

Tip: If we get an error, a good way to tell whether the certificate is OK and the error comes from a case-sensitivity issue is to enter IIQ using the server name that is given in the certificate.


Second way: CSR

Three steps when installing certificates

Phase one: create Keystore

Phase two: create CSR

Phase three: import the certificates that we got from the client


Three very important notes:

  1. It is very important that the alias is identical in three places:
     • When creating the keystore
     • When creating the CSR
     • When importing the key from the client

  2. The client must sign the CSR that we sent him, otherwise the process won't work.

  3. If we want to install certificates for several different servers, we use the same CA and the same intermediate certificate, but each server gets its own key.



Phase one

Create a keystore.

Open the cmd at the location “tomcat\conf”.


keytool -genkey -keyalg RSA -alias <****> -keystore iiq.jks

password: changeit


Then we fill out the DN:

The important part here is the "first and last name", which appears at the beginning of the DN. Here we fill in the server's name (hostname).

This part is critical because the "first and last name" field is the server for which the certificates are produced. (We have to repeat this process for each and every server we want to communicate with over HTTPS.)

Enter the password changeit as needed.


Phase two

Create CSR

From the same location in the cmd we’ll do:

keytool -certreq -keyalg RSA -alias <****> -keystore iiq.jks -file certreq.csr

This action creates a CSR file, which we send to the client for signature; the client gives us three files back:

  1. Root CA
  2. Intermediate CA
  3. Private key


Phase three

We would like to import these three files into the keystore that we've created.

Open the cmd and go to the location of the created keystore (according to this manual it's in the conf folder in Tomcat).

We import the certificates in hierarchy order, starting with the Root CA, moving to the intermediate and finishing with the key.




Import Root CA:

keytool -import -file <path of the root CA including the file> -trustcacerts -alias <root> -keystore iiq.jks


Import intermediate CA:

keytool -import -file <path of the intermediate CA including the file> -trustcacerts -alias <intermediate> -keystore iiq.jks


Import the key:

keytool -import -file <path of the private key including the file> -alias <****> -keystore iiq.jks


Pay attention:

The alias of the key in the last import must be the same as the alias that we used while creating the keystore and the CSR.


Now we configure Tomcat to work with the certificate.

We go to: tomcat\conf\server.xml

And add or edit the following part:


<Connector port="443" protocol="HTTP/1.1"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true" keystoreFile="<path to the keystore location including the file>" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS" keyAlias="<****>" />



Restart Tomcat.

Then try to enter IIQ using https with the port specified in the HTTPS connector.



  • If there's a problem establishing an HTTPS connection and the certificate seems fine, we can make sure that the port used for HTTPS is listening using the telnet command.
  • If there's a problem establishing an HTTPS connection, we need to make sure that the key which we have imported is a "PrivateKeyEntry". You can check with the following command:

keytool -v -list -keystore iiq.jks

  • If we get access denied in cmd, we need to run cmd as administrator.
  • Any other problem: check the LOG!!!!
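
The PrivateKeyEntry check and the server-name check from the troubleshooting list can be run against the output of keytool -v -list. The Python script below is an added example, not part of the original manual; the sample listing, the alias iiq and the server name IIQ-Server01 are constructed, and the exact-match rule for the name follows this manual's case-sensitivity note.

```python
import re

# Constructed, trimmed sample of `keytool -v -list -keystore iiq.jks` output (made-up names).
SAMPLE = """\
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US

Alias name: iiq
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=IIQ-Server01, OU=IT, O=Example, C=US
Issuer: CN=Example Intermediate CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
"""

def _field(name, block):
    m = re.search(rf"(?m)^{re.escape(name)}: (.+)$", block)
    return m.group(1).strip() if m else ""

def parse_entries(listing):
    """Map each alias to its entry type and the first (leaf) Owner/Issuer."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias = block.splitlines()[0].strip().lower()
        entries[alias] = {k: _field(k, block) for k in ("Entry type", "Owner", "Issuer")}
    return entries

def check_keystore(listing, key_alias, hostname):
    """Return the problems found for the alias that Tomcat's keyAlias names."""
    # keytool treats aliases as case-insensitive and lists them in lower case.
    entry = parse_entries(listing).get(key_alias.lower())
    if entry is None:
        return [f"alias '{key_alias}' is not in the keystore"]
    if entry["Entry type"] != "PrivateKeyEntry":
        return [f"alias '{key_alias}' is {entry['Entry type']}, not PrivateKeyEntry"]
    problems = []
    if entry["Owner"] == entry["Issuer"]:
        problems.append("certificate is still self-signed; signed reply not imported")
    m = re.search(r"CN=([^,]+)", entry["Owner"])
    cn = m.group(1).strip() if m else ""
    if cn != hostname:  # exact comparison, following this manual's case-sensitivity note
        kind = "differs only in case from" if cn.lower() == hostname.lower() else "does not match"
        problems.append(f"certificate CN '{cn}' {kind} server name '{hostname}'")
    return problems
```

Save the real keytool output to a file and pass its text as listing; an empty result means the alias holds a PrivateKeyEntry whose name matches the server.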




Useful commands:

View the keystore content:

keytool -v -list -keystore iiq.jks


Delete keystore entry:

keytool -delete -alias <***> -keystore iiq.jks