diff --git a/deploy/tomcat8.sh b/deploy/tomcat8.sh
new file mode 100644
index 00000000..dd782bb9
--- /dev/null
+++ b/deploy/tomcat8.sh
@@ -0,0 +1,101 @@
+#!/bin/bash
+
+#Here is a script to deploy cert to tomcat8 server.
+
+#returns 0 means success, otherwise error.
+
+#DEPLOY_TOMCAT8_KEYSTORE="/usr/share/tomcat8/.keystore"
+# should probably be /var/lib/tomcat8/keystore
+#DEPLOY_TOMCAT8_KEYPASS="aircontrolenterprise"
+#DEPLOY_TOMCAT8_RELOAD="service tomcat8 restart"
+
+########  Public functions #####################
+
+#domain keyfile certfile cafile fullchain
+tomcat8_deploy() {
+  _cdomain="$1"
+  _ckey="$2"
+  _ccert="$3"
+  _cca="$4"
+  _cfullchain="$5"
+
+  _debug _cdomain "$_cdomain"
+  _debug _ckey "$_ckey"
+  _debug _ccert "$_ccert"
+  _debug _cca "$_cca"
+  _debug _cfullchain "$_cfullchain"
+
+  if ! _exists keytool; then
+    _err "keytool not found"
+    return 1
+  fi
+
+  DEFAULT_TOMCAT8_KEYSTORE="/usr/share/tomcat8/.keystore"
+  _tomcat8_keystore="${DEPLOY_TOMCAT8_KEYSTORE:-$DEFAULT_TOMCAT8_KEYSTORE}"
+  DEFAULT_TOMCAT8_KEYPASS="aircontrolenterprise"
+  _tomcat8_keypass="${DEPLOY_TOMCAT8_KEYPASS:-$DEFAULT_TOMCAT8_KEYPASS}"
+  DEFAULT_TOMCAT8_RELOAD="service tomcat8 restart"
+  _reload="${DEPLOY_TOMCAT8_RELOAD:-$DEFAULT_TOMCAT8_RELOAD}"
+
+  _debug _tomcat8_keystore "$_tomcat8_keystore"
+  if [ ! -f "$_tomcat8_keystore" ]; then
+    if [ -z "$DEPLOY_TOMCAT8_KEYSTORE" ]; then
+      _err "tomcat8 keystore is not found, please define DEPLOY_TOMCAT8_KEYSTORE"
+      return 1
+    else
+      _err "It seems that the specified tomcat8 keystore is not valid, please check."
+      return 1
+    fi
+  fi
+  if [ ! -w "$_tomcat8_keystore" ]; then
+    _err "The file $_tomcat8_keystore is not writable, please change the permission."
+    return 1
+  fi
+
+  _info "Generate import pkcs12"
+  _import_pkcs12="$(_mktemp)"
+  _toPkcs "$_import_pkcs12" "$_ckey" "$_ccert" "$_cca" "$_tomcat8_keypass" tomcat8 root
+  if [ "$?" != "0" ]; then
+    _err "Oops, error creating import pkcs12, please report bug to us."
+    return 1
+  fi
+
+  _info "Modify tomcat8 keystore: $_tomcat8_keystore"
+  if keytool -importkeystore \
+    -deststorepass "$_tomcat8_keypass" -destkeypass "$_tomcat8_keypass" -destkeystore "$_tomcat8_keystore" \
+    -srckeystore "$_import_pkcs12" -srcstoretype PKCS12 -srcstorepass "$_tomcat8_keypass" \
+    -alias tomcat8 -noprompt; then
+    _info "Import keystore success!"
+    rm "$_import_pkcs12"
+  else
+    _err "Import tomcat8 keystore error, please report bug to us."
+    rm "$_import_pkcs12"
+    return 1
+  fi
+
+  _info "Run reload: $_reload"
+  if eval "$_reload"; then
+    _info "Reload success!"
+    if [ "$DEPLOY_TOMCAT8_KEYSTORE" ]; then
+      _savedomainconf DEPLOY_TOMCAT8_KEYSTORE "$DEPLOY_TOMCAT8_KEYSTORE"
+    else
+      _cleardomainconf DEPLOY_TOMCAT8_KEYSTORE
+    fi
+    if [ "$DEPLOY_TOMCAT8_KEYPASS" ]; then
+      _savedomainconf DEPLOY_TOMCAT8_KEYPASS "$DEPLOY_TOMCAT8_KEYPASS"
+    else
+      _cleardomainconf DEPLOY_TOMCAT8_KEYPASS
+    fi
+    if [ "$DEPLOY_TOMCAT8_RELOAD" ]; then
+      _savedomainconf DEPLOY_TOMCAT8_RELOAD "$DEPLOY_TOMCAT8_RELOAD"
+    else
+      _cleardomainconf DEPLOY_TOMCAT8_RELOAD
+    fi
+    return 0
+  else
+    _err "Reload error"
+    return 1
+  fi
+  return 0
+
+}