Creating a CA-Signed Certificate for the Tomcat Server

To use HTTPS to access the Web Console or Compliance Search, you can use a CA-signed or a self-signed certificate:

  • To create a certificate signed by the CA, create a certificate and generate a Certificate Signing Request (CSR).
  • Self-signed certificates are automatically created and installed by the Commvault software. If you use a self-signed certificate, users will see a warning in the browser indicating that it is not safe to proceed.

If you have an expired certificate, you can create or import a new certificate, and then configure SSL on the Tomcat Server.

Before You Begin

Install Java with all updates.

About This Task

  • For Web Console, perform this task on the Web Console computer.
  • For Compliance Search, perform this task on the Compliance Search computer.
  • You must use a CA-signed certificate in the following situations:
    • You are configuring SSL on the Tomcat Server for Web Console on a CommServe computer where a Private Metrics Reporting Server is installed. If you use a self-signed certificate, data will not upload to the Private Metrics Reporting Server.
    • You are configuring an ObjectStore for Salesforce. Use a CA-signed certificate for Web Console.
    • You are configuring HTTP Public Key Pinning (HPKP).


  1. From the command prompt, navigate to the directory where the keytool.exe is located (for example, C:\Program Files\Java\java_version\bin).
  2. To create the keystore file containing the key-pair/certificate to be signed, run the following command:

    keytool -genkey -alias tomcat -keyalg RSA -keystore "C:\mykeystore.jks" -ext SAN=dns:<domainname>,ip:<CommServer IP address>

    Important: This keystore file must be used throughout this procedure.

    Note: Depending on the browser used for accessing the Command Center, you may need to perform additional settings to complete the creation of a CA-Signed Certificate. For example, for Google Chrome version 58 and later, you must specify the Subject Alternative Name (SAN), while running the keytool command.

    During the command execution, you are prompted to provide information regarding your organization. Provide the following parameters:




    Alias name used by Tomcat for reference purposes while importing or installing the certificate. The alias can be any simple name used for cross reference.

    After certificate signing is done by certificate authority and returned back to the customer, then you will need to use the same alias to import the certificate, which will be explained later.


    The keystore password. We recommended you use a strong password.

    First and Last name

    The fully qualified domain site name, such as someName.somecompany.com, which has to run using HTTPS. If requesting for a wildcard certificate, the site name can be specified as *.someportal.com.

    If the value given for this parameter does not reflect the starting part of the web site URL for which you are requesting the certificate, then the browser may treat the site as an untrusted. An error or warning message like this would be shown in such cases:

    The security certificate presented by this website was issued for a different website's address.

    Organizational Unit

    Optional: If applicable, you can specify the DBA (Doing Business As) name.

    Organization Name

    Full legal name of your organization.

    The organization name must be legal registrant of the domain name in the certificate request. If you are enrolling as an individual, please enter the certificate requestor’s name.

    City / Locality

    Name of the city (without abbreviation) in which your organization is located.

    State / Province

    Name of state or province (without abbreviation) where your organization is located.

    Country Code

    The two letter country code (international organization for standardization format) where your organization is legally registered.

  3. To generate a CSR, run the following command:

    keytool -certreq -keyalg RSA -alias tomcat -file C:\somename.csr -keystore C:\mykeystore.jks




    Do not remove or change this parameter.


    Do not remove or change this parameter.

    Valid value is RSA.


    The same alias name used for generating the keystore.


    The path to the file for CSR creation.


    The path to the keystore that was recently created. You must use the same keystore file throughout this procedure.

  4. Upload the CSR to the CA website, indicate the type of Tomcat server, and submit for signing.
  5. Download the Root, Intermediate, and Issued Server/Domain certificates.

    Important: This may be different based on the certificate authority. Follow the guidelines provided by your CA.

  6. Import each signed certificate issued by the CA using the following commands:
    • Root Certificate:

      keytool -import -alias root -keystore C:\mykeystore.jks -trustcacerts -file C:\valicert_class2_root.crt

    • Intermediate Certificate:

      keytool -import -alias intermed -keystore C:\mykeystore.jks -trustcacerts -file C:\gd_intermediate.crt

    • Issued Server/Domain Certificate:

      keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt

      Important: The keystore parameter must be the path to the keystore file that was used to generate the CSR. You must use the same keystore file throughout this procedure.

  7. Close the command line.

What to Do Next

Go to Configuring the SSL Connector for Tomcat.

Last modified: 10/4/2019 9:46:54 PM