Skip to main content
  • Subscribe by RSS
  • Ex Libris Knowledge Center

    Applying Certificates to the Apache Tomcat Server

    This guide covers the steps required to apply certificates to the Apache Tomcat Server

    Apache Tomcat


    It is the responsibility of the customer to ensure the Tomcat server is properly configured with the necessary SSL Certificates.

    Ex Libris is unable to process any requests for this to be done on the customer’s behalf.

    As such, the following document serves to outline the generic process, and will evolve to include F.A.Q.s.



     1. Must have access to the Tomcat Server.

     2. Must have permissions to navigate all folder structures, and to upload/move files.

     3. Must know password for Java keychain if it is not the default (see guide for more details).


    Access the Tomcat Server via console or SSH.

    Attempt to locate the keystore location using the following command:

    locate cacert

    If a single location is returned, you now know the keystore you must navigate to. If multiple locations are returned, you must first determine which version of Java is in use, and then navigate to the corresponding path. Java version may be determined by entering the following command:

    java -version

    Having navigated to the path determined by the previous step, determine whether the certificate is already within the keystore with the following command:

    keytool -list -v -keystore cacerts

    You will be required to input the password. Enter the password if you know it, else the default is:


    Note: Keytool may not be usable on the command line. If this is the case you may use the following command and symbolic links will show you where the Keytool is located:

    Which java

    Note: You may also wish to use keystore explorer –

    If the certificate is not already there, you will have import it using the following command format, having moved the certificate file into the directory:

    keytool -import -trustcacerts -alias DesiredAlias -file FileName -keystore cacerts


    keytool -import -trustcacerts -alias MySslCert -file MySSL.cer -keystore cacerts

    Please note: This requires the certificate file being uploaded to be an X.509 certificate. If the cert file is not compliant, you may have to find a workaround such as adding it to the windows personal certificate and exporting it in an appropriate format.

    Once again, run:

    keytool -list -v -keystore cacerts

    The cert you added should now appear in the list, otherwise you may run:

    keytool -list -v -keystore cacerts | grep DesiredAlias


    keytool -list -v -keystore cacerts | grep *MySslCert*

    If this has succeeded, you may restart the Tomcat Server

    Repeat all steps as many time is required to have all nodes updated, if Connect Layer is on Load Balanced nodes.

    • Was this article helpful?