Our Certificate Authority signed certificate is about to expire, and I need to update it. What's the process for updating the certificate before it expires? We have a cert that is going to expire, and we need to update it in Spectrum OneClick and Webapp. What is the process to get the new certificate applied?
Release: All Supported Releases
Signed certificate is about to expire or has expired.
Be sure to replace $SPECROOT with the actual path where Spectrum is installed on this system. For example, if you installed Spectrum in "/app/spectrum", replace $SPECROOT with "/app/spectrum".
1. Make a backup copy of your $SPECROOT/custom/keystore/cacerts file.
2. Generate the cert request. The alias listed MUST MATCH the existing certificate if it is not tomcatssl.
a. Go to $SPECROOT/Java/bin. The keytool you should be using resides in this directory.
b. List existing certificates and verify the aliases:
./keytool -v -list -keystore $SPECROOT/custom/keystore/cacerts
If you have a standard configuration created following the TechDocs, you will find the following line in the output:
Alias name: tomcatssl
This is the alias you need to use throughout the procedure.
c. Generate certificate request (adjust the alias if needed):
./keytool -certreq -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -file filename.csr
3. Send to the Certificate Authority.
4. (OPTIONAL) Only if they are not already imported or need to be updated, import the Certificate Authority's trust chain (generally the root and intermediate certificates) with the next two commands. Replace "your_root_cert_filename" and "your_intermediate_cert_filename" with the filename of the matching cert received from the Certificate Authority.
./keytool -import -alias CA_root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_root_cert_filename
./keytool -import -alias CA_intermediate -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_intermediate_cert_filename
5. Import the cert. Replace "your_cert_filename" with the filename of the cert received from the Certificate Authority. The alias listed MUST MATCH the existing certificate if it is not tomcatssl.
./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_cert_filename
6. Cycle tomcat and WebTomcat.
$SPECROOT/tomcat/bin/stopTomcat.sh
$SPECROOT/webtomcat/bin/stopWebTomcat.sh
$SPECROOT/tomcat/bin/startTomcat.sh
$SPECROOT/webtomcat/bin/startWebTomcat.sh
If at any point keytool tells you the keystore has been tampered with and is corrupt, you likely have the wrong password.
If you need to start over from scratch, copy $SPECROOT/Java/jre/lib/security/cacerts to the $SPECROOT/custom/keystore folder and generate the private key again with the tomcatssl alias.
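The alias requirement in steps 2 and 5 can be checked from the same `keytool -v -list` output used in step 2b. The following is an added example, not vendor code: the function names are hypothetical and the sample listings are constructed and abbreviated. It summarises the alias entry and confirms that after the import it is still a PrivateKeyEntry with a new serial number.

```shell
# Added example (not vendor code). Function names are hypothetical; listings are constructed.
# Live use: "$SPECROOT"/Java/bin/keytool -v -list -keystore "$SPECROOT"/custom/keystore/cacerts | alias_summary tomcatssl
alias_summary() {   # stdin: keytool -v -list output; $1: alias; prints type|chain|serial|until
    awk -v want="$1" '
        /^Alias name: /  { cur = substr($0, 13); seen = 0 }
        cur != want      { next }
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { len = $4 }
        /^Serial number: / && !seen   { serial = $3 }
        /^Valid from: / && !seen      { sub(/.* until: /, ""); until = $0; seen = 1 }
        END { if (type == "") exit 1     # alias not present in this keystore
              printf "%s|%s|%s|%s\n", type, len, serial, until }'
}

check_renewal() {   # $1: summary taken before step 5, $2: summary taken after step 5
    case "$2" in
        "PrivateKeyEntry|"*) ;;
        *) echo "alias is not a PrivateKeyEntry: reply went to the wrong alias or keystore"; return 1 ;;
    esac
    old=$(echo "$1" | cut -d'|' -f3); new=$(echo "$2" | cut -d'|' -f3)
    [ "$old" != "$new" ] || { echo "serial unchanged: old certificate still installed"; return 1; }
    echo "renewed: serial $old -> $new, valid until $(echo "$2" | cut -d'|' -f4)"
}

sample_before() { cat <<'EOF'
Alias name: ca_root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Serial number: 1
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Fri Jan 01 00:00:00 UTC 2038

Alias name: tomcatssl
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=oneclick.example.com
Issuer: CN=Example Root CA
Serial number: 5f10aa
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Jan 01 00:00:00 UTC 2025
EOF
}
sample_after() {   # same listing with a new serial and end date, as after a successful step 5
    sample_before | sed 's/5f10aa/7c22b9/; s/until: Wed Jan 01 00:00:00 UTC 2025/until: Fri Jan 01 00:00:00 UTC 2027/'
}
```

Capture the summary once before step 5 and once after it, and pass both to check_renewal before cycling Tomcat in step 6.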