Don't know what is happening but I keep getting NDRs for my replies to this group.
So in case it didn't get through:

Crypto.Sal, thank you so much. It works!! OpenSSL was so much simpler than the JDK keytool. I just wanted to share some quirks I ran into when installing the SSL on APR Tomcat.

Here are the commands I ran on OpenSSL.

Step 1: create a 2048 key without a password.

    openssl genrsa -out domainname.key 2048

Step 2: create a CSR to send to the SSL vendor.

    openssl req -new -key domainname.key -out domainname.csr

When answering questions, Common Name must be the hostname for the SSL certificate. The rest of the questions are straightforward.

Send the CSR to the SSL vendor and they will send back the SSL certificate. Copy the .key and .crt file to the root of the Tomcat folder. Change the server.xml to point to the two files.

    SSLCertificateFile="${catalina.home}/SSLCERT.crt"
    SSLCertificateKeyFile="${catalina.home}/SSLKEY.key"

And it worked right off the bat.

I found out that even though it is "Working", it is not correctly installed until I download an Intermediate CA certificate file and add this line to server.xml.

    SSLCACertificateFile="${catalina.home}/sslchain.crt" />

One quirk I ran into was that Firefox 4 aggressively caches even SSL certificates. So even though the site was encrypted using the new SSL certificate, Firefox 4 showed the OLD SSL certificate's information, including the expiration date. I had to fire up IE 8 to view the new SSL certificate.
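An added example, not part of the original post: a shell script that checks the two things the post depends on, that the private key matches the issued certificate and that the certificate only verifies once the intermediate file is supplied. The root and intermediate CA, the `.example.test` subjects and `root.crt` are constructed stand-ins for the vendor's hierarchy; the file names otherwise follow the post.

```shell
#!/bin/sh
# Added example. Every key, subject and CA below is constructed for the demo.

# 0 if the key file and the certificate hold the same public key.
key_matches_cert() {   # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate chains to the trusted root, using only the
# intermediates in the optional bundle (the SSLCACertificateFile content).
chain_verifies() {     # $1 = root, $2 = certificate, $3 = optional bundle
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null
    else
        openssl verify -CAfile "$1" "$2" 2>/dev/null
    fi | grep -q ': OK$'
}

# Build a throwaway root -> intermediate -> server hierarchy in directory $1.
make_constructed_chain() {
    ( cd "$1" || exit 1
      umask 077                       # passwordless keys: owner-readable only
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
      for n in root inter domainname; do
          openssl genrsa -out "$n.key" 2048 2>/dev/null || exit 1
          openssl req -new -key "$n.key" -subj "/CN=$n.example.test" \
              -out "$n.csr" || exit 1
      done
      openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
          -days 1 -out root.crt 2>/dev/null || exit 1
      openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key \
          -CAcreateserial -extfile ca.ext -days 1 -out sslchain.crt \
          2>/dev/null || exit 1
      openssl x509 -req -in domainname.csr -CA sslchain.crt -CAkey inter.key \
          -CAcreateserial -days 1 -out SSLCERT.crt 2>/dev/null )
}

d=$(mktemp -d) && make_constructed_chain "$d" || exit 1
key_matches_cert "$d/domainname.key" "$d/SSLCERT.crt" && echo "key matches certificate"
chain_verifies "$d/root.crt" "$d/SSLCERT.crt" || echo "chain incomplete without intermediate"
chain_verifies "$d/root.crt" "$d/SSLCERT.crt" "$d/sslchain.crt" && echo "chain complete with sslchain.crt"
```

Against a real installation, pass the vendor's root certificate and the downloaded intermediate file in place of the constructed ones.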