Some tips on dealing with SSL Certificates and Apache Tomcat. If you have to renew your SSL cert or install a new one hopefully these instructions will help.
I'll be using Apache Tomcat 7, so the steps may differ with other servers.
Firstly you have to generate a CSR on the server (basically a single file), and then send this to whoever you are planning to purchase your cert from (DigiCert in my case). Some certificate providers have online CSR generators which are useful, however you can run the command yourself.
Open the command prompt (in administrator mode - important!)
Paste the following command (remember the alias you assign; it's common to use 'server'). Note that the wildcard CN needs the dot after the asterisk:
keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore star_yourdomain_co_uk.jks -dname "CN=*.yourdomain.co.uk, O=Your org name, L=Your location, ST=State, C=Country" && keytool -certreq -alias server -file star_yourdomain_co_uk.csr -keystore star_yourdomain_co_uk.jks && echo Your certificate signing request is in star_yourdomain_co_uk.csr. Your keystore file is star_yourdomain_co_uk.jks. Thanks for using the DigiCert keytool CSR helper.
Then check to make sure there is a private key entry (PrivateKeyEntry) by running the following command:
keytool -list -v -keystore "star_yourdomain_co_uk.jks"
Once you have done this you should have two files: a .JKS (the keystore) and a .CSR.
Use that CSR to reissue the certificate through your certificate provider account.
Once you have downloaded the new certificate, run the following command to import it into the keystore you just created:
keytool -import -trustcacerts -alias server -file star_yourdomain_co_uk.p7b -keystore star_yourdomain_co_uk.jks
Before Tomcat can accept SSL connections a few changes have to be made to the server.xml file. Basically you need to point to your new keystore file and add the alias name you assigned in the first steps ('server').
Go to the Tomcat home directory, find the server.xml file and make the changes below:
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/home/user_name/star_yourdomain_co_uk.jks" keystorePass="your_keystore_password" />
Now restart the Tomcat service and visit your site.
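Before restarting, it is worth checking that the Connector you edited actually says what you think it does. The script below is an added example (not part of the original post): it parses a server.xml, finds the SSL-enabled Connector and reports anything that would stop Tomcat serving HTTPS, such as a malformed line, a missing keystorePass, or a keyAlias that does not match the alias you gave keytool. The sample server.xml and keystore password in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Attribute values the HTTPS connector must carry for Tomcat to serve TLS.
REQUIRED = {"scheme": "https", "secure": "true", "SSLEnabled": "true"}


def check_https_connector(server_xml: str, expected_alias: str) -> list:
    """Return a list of problems with the SSL-enabled <Connector>; [] means it looks right."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # A missing space or quote between attributes makes the whole file
        # unparseable, and Tomcat will fail to start instead of serving HTTPS.
        return [f"server.xml is not well-formed XML: {exc}"]
    connectors = [c for c in root.iter("Connector")
                  if c.get("SSLEnabled", "").lower() == "true"]
    if not connectors:
        return ['no <Connector SSLEnabled="true"> found']
    problems = []
    for c in connectors:
        port = c.get("port", "?")
        for attr, want in REQUIRED.items():
            if c.get(attr, "").lower() != want:
                problems.append(f'port {port}: {attr} should be "{want}"')
        for attr in ("keystoreFile", "keystorePass"):
            if not c.get(attr):
                problems.append(f"port {port}: {attr} is not set")
        # keyAlias must match the alias passed to keytool -genkey, otherwise
        # Tomcat cannot find the PrivateKeyEntry it needs in the keystore.
        alias = c.get("keyAlias")
        if alias is None:
            problems.append(f"port {port}: keyAlias is not set")
        elif alias != expected_alias:
            problems.append(f'port {port}: keyAlias is "{alias}", expected "{expected_alias}"')
    return problems


# Constructed sample: a minimal server.xml carrying the connector from this post.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true" SSLEnabled="true"
             clientAuth="false" sslProtocol="TLS" keyAlias="server"
             keystoreFile="/home/user_name/star_yourdomain_co_uk.jks"
             keystorePass="your_keystore_password" />
</Service></Server>"""

if __name__ == "__main__":
    for line in (check_https_connector(SAMPLE_SERVER_XML, "server") or ["OK"]):
        print(line)
```

Run it against your real conf/server.xml by reading the file into a string and passing the alias you used with keytool.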
Make a note of the alias name you assign, and keep the same alias throughout (keytool -genkey, -certreq, -import and the keyAlias in server.xml).
Make a note of the keystore password, and keep it the same.
If you make a mistake along the way, start again and generate a new CSR; you will save time compared with troubleshooting.
Make sure the cert is in the correct format for your server.