General speaking, when you want to apply SSL to web server, you will have below files in hand: private key for SSL certificate sign request signed SSL certificate Root CA certificate Intermediate CA certificate (optional) For importing a trusted certificate into JAVA keystore, I think create a new keystore and replace the original one seems like a good practice. I believe you will know how to import Root CA and intermediate CA as trustcacerts into keystore. However, if you only import the signed SSL certificate without the private key, then the entry will treat as "TrustCertEntry" instead of a "PrivateKeyEntry". The tomcat server will start and listen to 443 but will refuse to serve connection. Therefore we need to use openssl to combine the signed SSL certificate and private key as PKCS12 format. Then import the PKCS12 format entry into the keystore. openssl pkcs12 -export -in FQDN.crt -inkey private-ssl.key -certfile FQDN.crt