There are basically four steps:
Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores. The JKS format is Java's standard "Java KeyStore" format, and is the format created by the keytool command-line utility. This tool is included in the JDK (Java Development Kit) and also in the JRE (Java Runtime Environment).
Release: Output Management Web Viewer 12.1
Component: WBVLUW
1. Find out what is required in terms of minimum security. Additionally, you need to know whether your company already has trusted certificates that can be used on the Tomcat server.
Self-signed certificates are very useful for testing and they are easily created with Java's keytool program. You can test with a self-signed certificate and then proceed with the trusted certificate.
2. Create a Self-Signed Keystore (if you do not have one)
a. Verify that Java is in your path by typing java -version. If the Java bin directory is not in your path, you need to specify the path to keytool explicitly. For example, in Windows, type "%JAVA_HOME%\bin\keytool", and in Unix, USS or Linux, enter $JAVA_HOME/bin/keytool. If you have only the JRE, use JRE_HOME instead of JAVA_HOME.
b. Generate the keystore and user certificate:
keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 -keystore "c:\tomcat.jks"
c. The keytool program will prompt for the following parameters to complete the generation of the keystore:
3. Tomcat Configuration:
To configure Tomcat, you need to change one file. That file is named "server.xml" and is located in the /conf directory, a directory directly under where Tomcat was installed.
The keyAlias should be specified even if you have only one key pair. keyAlias is the alias of the server certificate in the keystore. If it is not specified, the first key read from the keystore will be used.
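As an added example (not taken from the original page or from the Tomcat documentation), this is the kind of HTTPS connector that would be added to server.xml for Tomcat 8.5 and later, pointing at the c:\tomcat.jks keystore and the "tomcat" alias created in step 2. The port, the keystore password and the protocol list are assumptions chosen for illustration; replace them with your own values.

```xml
<!-- Added example: HTTPS connector for Tomcat 8.5+ (SSLHostConfig style). -->
<!-- Port 8443 and the password "changeit" are placeholders, not values from the page. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           maxThreads="150">
    <!-- Restrict the connector to current TLS versions; older protocols stay disabled. -->
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
                   certificateVerification="none">
        <!-- Keystore generated in step 2; certificateKeyAlias selects the server key
             explicitly instead of relying on the first entry read from the keystore. -->
        <Certificate certificateKeystoreFile="c:/tomcat.jks"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="tomcat"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

The keystore password ends up in clear text in server.xml, so the file should be readable only by the account that runs Tomcat. After saving the file, restart Tomcat (step 4) and confirm in catalina.out or the console that the connector on the chosen port starts without keystore errors.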
4. Restart Tomcat
The most comprehensive and readable document on this topic is actually from the Apache Tomcat website: Apache Tomcat SSL How to
To create a certificate request to send to your Certificate Authority:
keytool -keystore clientkeystore -certreq -alias client -keyalg rsa -file client.csr
KeyStoreExplorer is a free graphical user interface that runs on Windows and is used to navigate throughout a keystore. It is written in Java and has basically the same capabilities as the command line program “keytool”. Use this tool to become familiar with keystores and to examine the contents of keys and certificates.
Also see this information from DigiCert: Tomcat CSR & SSL installation