You will use keytool for CSR/Private key generation on Tomcat.
First, you need to create the keystore for the certificate and generate Private Key.
Open a terminal or console and run the command below:
keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore yourkeystore.jks
You will be prompted to enter a password. Default password for tomcat is *changeit*.
Then, you will be asked to enter the information that your future CSR code should contain. The first question is about Common Name (FQDN for which the certificate will be issued) in some versions of keytool the question will be “What is your first and last name?” If this is the case, Type the Common Name (ex. domain.com) instead of your first and last name.
NOTE: It is possible to include the "Street address" detail in the CSR code. For this a "-dname" tool with corresponding data should be specified when creating the keystore:
keytool -genkey -keysize 2048 -keyalg RSA -alias tomcat -keystore yourkeystore.jks -dname "CN=example.com, O=Namecheap Inc, L=Phoenix, ST=Arizona, C=US, Street=4600 East Washington Street Suite 305"
Once the keystore and Private key are generated it’s time to generate the CSR itself.
To generate the CSR you need to run the command below using the keystore with the Private Key you established in the step above:
keytool -certreq -alias tomcat -file your.csr -keystore yourkeystore.jks
The CSR generated is in the file your.csr. Now you just need to open it as plain text. This plain text will be what you submit on our site during the activation of the certificate. It can be opened with a simple text editor, like Notepad or TextEdit and should look like a block of code with the header -----BEGIN CERTIFICATE REQUEST-----