Is it necessary to add the CA certificate to the PKCS12 certificate for Tomcat?

I import the certificate and key from my client and create a PKCS12 certificate for Tomcat. Tomcat is configured to use this certificate as a keystore. Do I need to import the CA certificates from the client as well? If so, why?



1 answer


If the CA certificate that issued your certificate is the "root" CA certificate (i.e. it is self-signed), it doesn't matter: if the party verifying the certificate does not already have it among their trust anchors, nothing will trust it.

It is generally more useful when the CA certificate is an intermediate CA certificate. In this case, the server needs to present the complete certificate chain (except for the root CA, which would be optional for the reasons stated above). Since the remote side may not have these intermediate CA certificates as known trust anchors, but may trust the CA certificate that issued this intermediate CA certificate, this makes it more likely that they can build a chain of trust from their trust anchors to the certificate being verified.

Strictly speaking, you don't need to present the entire chain, but doing so makes it more likely that your certificate will be accepted.



(This is more or less the same problem as in this question. Also, since you are talking about a PKCS#12 store, you would usually import the CA certificates into the right "alias" (using Java terminology) anyway.)

As the saying goes, private keys are usually kept private. If you are trying to implement your own CA, there are mechanisms to do this in the browser, without sending the private key anywhere, which would let the user end up with the PKCS#12 the other way round (if they want to export their cert + key from there).

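The chain-building point made in the answer above, as an added example that is not part of the original question or answer: the script builds a throwaway PKI (self-signed root, intermediate signed by the root, server certificate signed by the intermediate) with openssl, then shows that a verifier holding only the root cannot validate the server certificate on its own but can once the intermediate is presented next to it (openssl's `-untrusted` plays the role of the extra certificates a TLS server sends in the handshake), and finally packages key + server certificate + intermediate into the PKCS#12 keystore that Tomcat loads, leaving the root out as the answer suggests. The CA names, the `tomcat.example.test` hostname, the `changeit` password and the `tomcat` alias are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original question or answer. All names, paths,
# the password and the alias below are assumptions for illustration only.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS=changeit          # assumed keystore password
ALIAS=tomcat           # assumed key alias (the PKCS#12 "friendly name")

# Minimal openssl config so the example does not depend on the system openssl.cnf.
write_config() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:tomcat.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Root CA (self-signed trust anchor), intermediate CA signed by the root,
# and a server certificate signed by the intermediate.
build_pki() {
  write_config
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Root CA" -config "$WORK/ca.cnf" -extensions v3_ca \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
    -config "$WORK/ca.cnf" -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_ca \
    -out "$WORK/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tomcat.example.test" \
    -config "$WORK/ca.cnf" -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/ca.cnf" -extensions v3_server \
    -out "$WORK/server.pem" 2>/dev/null
}

# A client that trusts only the root: the leaf alone does not chain to it.
verify_leaf_alone() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

# Same client, but the server also presented the intermediate. -untrusted means
# "use this to build the path, but it is not a trust anchor", which is exactly
# how a TLS client treats the extra certificates a server sends.
verify_leaf_with_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
       "$WORK/server.pem" >/dev/null 2>&1; then
    return 0
  else
    return 1
  fi
}

# Keystore for Tomcat: private key + server cert under one alias, the intermediate
# added with -certfile so Tomcat sends it in the handshake. The root is left out
# on purpose: a client that does not already trust it gains nothing from it.
build_keystore() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -certfile "$WORK/inter.pem" -name "$ALIAS" -passout "pass:$PASS" \
    -out "$WORK/tomcat.p12" 2>/dev/null
}

# Number of certificates stored in the keystore (server + intermediate = 2).
keystore_cert_count() {
  openssl pkcs12 -in "$WORK/tomcat.p12" -nokeys -passin "pass:$PASS" 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

main() {
  build_pki
  if verify_leaf_alone; then echo "leaf alone: OK"; else echo "leaf alone: FAIL (no path to root)"; fi
  if verify_leaf_with_intermediate; then echo "leaf + intermediate: OK"; else echo "leaf + intermediate: FAIL"; fi
  build_keystore
  echo "certificates in $WORK/tomcat.p12: $(keystore_cert_count)"
  # Tomcat 8.5+ connector fragment that loads the keystore (assumed to sit under conf/).
  cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/tomcat.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="$PASS"
                 certificateKeyAlias="$ALIAS" />
  </SSLHostConfig>
</Connector>
EOF
}

main
```

To confirm what Tomcat will actually see, `keytool -list -v -keystore tomcat.p12 -storetype PKCS12` should show the key entry with a certificate chain of length 2 under the alias. One practical caveat: OpenSSL 3 encrypts PKCS#12 files with newer algorithms by default, and an older JDK may refuse to open the result; adding `-legacy` to the `openssl pkcs12 -export` command produces a file using the older algorithms.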






