Importing your own certificates into the default Apache Tomcat Web Server keystore

This procedure describes how to import your own certificate (from a certified CA) into the default Tomcat keystore.

NOTE: This procedure does not replace the default keystore itself; it only replaces the certificate held in the default keystore.

To replace the certificate in the default keystore:

  1. Navigate to <KEYSTORE_HOME> (the directory where tomcat.keystore is located).
  2. Delete the existing "tomcat" alias from the default keystore:

    "keytool -delete -keystore <KEYSTORE_HOME>\tomcat.keystore -alias tomcat"

  3. Import the root CA certificate of the chain:

    "keytool -import -alias <root CA alias> -trustcacerts -file <path to root CA certificate> -keystore <KEYSTORE_HOME>\tomcat.keystore"

  4. Import the intermediate CA certificates of the chain (if any), repeating this step once per intermediate CA:

    "keytool -import -alias <intermediate CA alias> -trustcacerts -file <path to intermediate CA certificate> -keystore <KEYSTORE_HOME>\tomcat.keystore"

  5. Import the end-user certificate signed by the chain above, under the "tomcat" alias:

    "keytool -import -alias tomcat -trustcacerts -file <path to end user certificate> -keystore <KEYSTORE_HOME>\tomcat.keystore"

  6. Recycle the Web Server.
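The following script is an added example; it is not part of this article and not the product's own tooling. It runs steps 3 to 5 above as POSIX shell functions (keytool's -importcert is the current name of -import) and then performs the check worth making before recycling the server: alias "tomcat" must be a PrivateKeyEntry whose certificate chain contains the intermediate and root certificates, because a bare trusted-certificate entry under that alias has no private key for the server to use. Since keytool replaces the certificate chain of an existing key entry when a signed certificate is imported under that entry's alias, the script assumes the keystore still holds the key pair from which the certificate request was generated. The paths, the aliases root-ca and intermediate-ca-N, the store password and the throwaway test chain produced by build_test_chain are all constructed for this example; -noprompt is added so the self-signed root is accepted without the interactive "Trust this certificate?" question.

```shell
#!/bin/sh
# Added example, not code from the original article. Imports a CA chain and
# the CA-signed server certificate into Tomcat's keystore (steps 3 to 5) and
# verifies the resulting entry. Paths, aliases and the store password are
# assumptions made for the example.
set -e

# Assumed store password; replace with the password of your tomcat.keystore.
STOREPASS=${STOREPASS:-changeit}

# import_chain KEYSTORE STOREPASS ROOT_CERT LEAF_CERT [INTERMEDIATE_CERT ...]
# Step 3: root CA; step 4: each intermediate (nearest the root first);
# step 5: end-entity certificate under alias "tomcat". -noprompt accepts the
# self-signed root without the interactive "Trust this certificate?" question.
import_chain() {
    ks=$1; pass=$2; root=$3; leaf=$4; shift 4
    keytool -importcert -noprompt -trustcacerts -alias root-ca \
        -file "$root" -keystore "$ks" -storepass "$pass"
    n=1
    for inter in "$@"; do
        keytool -importcert -noprompt -trustcacerts -alias "intermediate-ca-$n" \
            -file "$inter" -keystore "$ks" -storepass "$pass"
        n=$((n + 1))
    done
    # Alias "tomcat" must already hold the key pair the CSR was made from:
    # keytool then treats the file as a certificate reply, builds the chain
    # from the CA entries just imported and replaces that entry's chain.
    keytool -importcert -noprompt -trustcacerts -alias tomcat \
        -file "$leaf" -keystore "$ks" -storepass "$pass"
}

# verify_tomcat_entry KEYSTORE STOREPASS EXPECTED_CHAIN_LENGTH
# Succeeds only if alias "tomcat" is a private-key entry (not a trusted
# certificate entry, which carries no key for the server) and its chain has
# the expected length: leaf + intermediates + root.
verify_tomcat_entry() {
    listing=$(keytool -list -v -alias tomcat -keystore "$1" -storepass "$2")
    printf '%s\n' "$listing" | grep -q 'Entry type: PrivateKeyEntry' || return 1
    printf '%s\n' "$listing" | grep -q "Certificate chain length: $3"
}

# build_test_chain DIR STOREPASS
# Constructed test data: a throwaway root -> intermediate -> server chain made
# with keytool alone, so the example runs offline. Writes DIR/root.pem,
# DIR/inter.pem, DIR/tomcat.pem and DIR/tomcat.keystore (server key pair).
build_test_chain() {
    d=$1; pass=$2; ca="$d/ca.jks"
    keytool -genkeypair -alias root -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Example Test Root CA" -ext bc:c \
        -keystore "$ca" -storepass "$pass" -keypass "$pass"
    keytool -genkeypair -alias inter -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=Example Test Intermediate CA" \
        -keystore "$ca" -storepass "$pass" -keypass "$pass"
    keytool -certreq -alias inter -file "$d/inter.csr" \
        -keystore "$ca" -storepass "$pass"
    keytool -gencert -alias root -ext bc:c -validity 30 -rfc \
        -infile "$d/inter.csr" -outfile "$d/inter.pem" \
        -keystore "$ca" -storepass "$pass"
    # Install the root-signed certificate on the intermediate's key entry so
    # that certificates it issues chain back to the root.
    keytool -importcert -noprompt -alias inter -file "$d/inter.pem" \
        -keystore "$ca" -storepass "$pass"
    keytool -exportcert -rfc -alias root -file "$d/root.pem" \
        -keystore "$ca" -storepass "$pass"
    # Server key pair in the keystore Tomcat will use, plus its CSR and the
    # certificate the intermediate issues for it.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 30 \
        -dname "CN=tomcat.example.test" \
        -keystore "$d/tomcat.keystore" -storepass "$pass" -keypass "$pass"
    keytool -certreq -alias tomcat -file "$d/tomcat.csr" \
        -keystore "$d/tomcat.keystore" -storepass "$pass"
    keytool -gencert -alias inter -validity 30 -rfc \
        -infile "$d/tomcat.csr" -outfile "$d/tomcat.pem" \
        -keystore "$ca" -storepass "$pass"
}

# Stand-alone demo (skipped when no JDK keytool is on PATH).
if command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    build_test_chain "$work" "$STOREPASS"
    import_chain "$work/tomcat.keystore" "$STOREPASS" \
        "$work/root.pem" "$work/tomcat.pem" "$work/inter.pem"
    verify_tomcat_entry "$work/tomcat.keystore" "$STOREPASS" 3 \
        && echo "alias tomcat: PrivateKeyEntry, chain length 3"
    rm -rf "$work"
fi
```

Against a real keystore, call import_chain with <KEYSTORE_HOME>/tomcat.keystore, the store password and the CA-issued files, then verify_tomcat_entry with the expected chain length (2 for a root-signed certificate, 3 with one intermediate) before recycling the server.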
