I am posting what I did to import an existing wildcard cert (from rapidssl, if it makes a difference) because I found little info on it. This was done on a Windows 2012R2 box. So, if you are using a wildcard certificate to secure your ERA server you'll need to create a JKS keystore for tomcat to use. You do not need to create a new keystore with a CSR because the private key already exists. You will need: - All of your applicable intermediate certs (.crt files) - Your wildcard cert (.crt file) - Your private key (.key file) Combine your intermediate certs into a ca-bundle taking care of their hierarchal order. You can use any n*x machine for this. Or a text editor in Windows. The concept is the same. Now, assuming they are all in your working directory: cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > mydomain.com.ca-bundle On any n*x machine with openssl installed convert your cert, private key, and ca-bundle into a pkcs12 file. I did this on a 10.11.6 OS X machine running openssl v0.9.8zh. Now, assuming files are all in your working directory: openssl pkcs12 -export -in your-wildcard-cert.crt -inkey private.key -out "/path/to/your-new-pkcs12-file.pkcs12" -name tomcat -CAfile mydomain.com.ca-bundle -caname root On the tomcat server, "import" the pkcs12 file by converting it to a JKS file. for simplicity I put the JKS file in the tomcat directory. This command is run from the JRE bin directory whose exact location will vary depending on the Java version installed: keytool -importkeystore -srckeystore "C:\path\to\your-new-pkcs12-file.pkcs12" -srcstoretype PKCS12 -destkeystore "C:\Program Files\Apache Software Foundation\Tomcat 7.0\your-new-JKS-file.jks" On tomcat server open tomcat's server.xml file for editing (for me it was C:\Program Files\Apache Software Foundation\Tomcat 7.0\conf\Server.xml). Edit the "keystoreFile" parameter with the path to your jks file and the "keystorePass" parameter with the jks keystore password.