Updating renewed SSL certificate in Spectrum



Article ID: 206278


Products

CA Spectrum DX NetOps

Issue/Introduction

Our Certificate Authority signed certificate is about to expire, and I need to update it.  What's the process for updating the certificate before it expires?  We have a cert that is going to expire, and we need to update it in Spectrum OneClick and Webapp.  What is the process to get the new certificate applied?

Environment

Release : All Supported Releases

 

Cause

Signed certificate is about to expire or has expired.

Resolution

Be sure to replace $SPECROOT with the actual path to where Spectrum is installed on this system. For example, if you installed Spectrum in "/app/spectrum", replace $SPECROOT with "/app/spectrum".

1.  Make a backup copy of your $SPECROOT/custom/keystore/cacerts file.

2. Generate the cert request.  The alias listed MUST MATCH the existing certificate if it is not tomcatssl.

a. Go to $SPECROOT/Java/bin. The keytool you should be using resides in this directory.

b. List existing certificates and verify the aliases:

./keytool -v -list -keystore $SPECROOT/custom/keystore/cacerts

If you have a standard configuration created by following the TechDocs, you will find the line below in the output:

Alias name: tomcatssl

This is the alias you need to use throughout the procedure.

 c. Generate certificate request (adjust the alias if needed):

./keytool -certreq -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -file filename.csr

3.  Send to the Certificate Authority.

4. (OPTIONAL) Only if they are not already imported or need to be updated, import the Certificate Authority's trust chain (generally, the root and intermediate certificates) with the next two commands. Replace "your_root_cert_filename" and "your_intermediate_cert_filename" with the filenames of the matching certs received from the Certificate Authority.

./keytool -import -alias CA_root -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_root_cert_filename

./keytool -import -alias CA_intermediate -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_intermediate_cert_filename

5.  Import the cert. Replace "your_cert_filename" with the filename of the cert received from the Certificate Authority.  The alias listed MUST MATCH the existing certificate if it is not tomcatssl.  

./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_cert_filename

6.  Cycle tomcat and WebTomcat.

$SPECROOT/tomcat/bin/stopTomcat.sh

$SPECROOT/webtomcat/bin/stopWebTomcat.sh

$SPECROOT/tomcat/bin/startTomcat.sh

$SPECROOT/webtomcat/bin/startWebTomcat.sh
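Before cycling Tomcat in step 6, it is worth confirming that the import in step 5 updated the existing key entry: the alias should still be a PrivateKeyEntry and its "until" date should be the renewed one. The helper below is an added example, not part of the original article or of Spectrum; it parses the output of the step 2b list command piped to it, and the function names and sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an alias in `keytool -v -list` output (read on stdin).

# Prints "<entry type>|<chain length>|<leaf certificate 'until' date>".
alias_summary() {
    awk -v want="$1" '
        { sub(/[ \t\r]+$/, "") }                      # drop trailing blanks
        /^Alias name: /  { cur = substr($0, 13) }
        cur != want      { next }                     # skip other aliases
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { chain = $NF }
        /^Valid from: / && exp_date == "" { exp_date = $0; sub(/^.* until: /, "", exp_date) }
        END { if (type != "") print type "|" chain "|" exp_date }
    '
}

# Returns 0 for a key entry, 1 for a bare trusted cert, 2 if the alias is missing.
check_renewed_alias() {
    summary=$(alias_summary "$1")
    case "$summary" in
        "")                  echo "MISSING: alias $1 not in keystore"; return 2 ;;
        "PrivateKeyEntry|"*) echo "OK: $summary"; return 0 ;;
        *)                   echo "NOT A KEY ENTRY: $summary"; return 1 ;;
    esac
}

# Constructed sample output (not from a real keystore), trimmed to the parsed lines.
sample_keytool_output() {
    cat <<'EOF'
Alias name: ca_root
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Valid from: Fri Jan 01 00:00:00 UTC 2016 until: Tue Jan 01 00:00:00 UTC 2036
*******************************************
Alias name: tomcatssl
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=spectrum.example.com
Issuer: CN=Example Root CA
Valid from: Fri Mar 14 12:00:00 UTC 2025 until: Sat Mar 14 12:00:00 UTC 2026
Certificate[2]:
Owner: CN=Example Root CA
Issuer: CN=Example Root CA
Valid from: Fri Jan 01 00:00:00 UTC 2016 until: Tue Jan 01 00:00:00 UTC 2036
EOF
}
```

A result of "NOT A KEY ENTRY" means the alias holds only a certificate with no private key, and an unchanged "until" date means the CA reply did not replace the old certificate on the alias.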

Additional Information

If at any point keytool tells you the keystore has been tampered with and is corrupt, you likely have the wrong password.

If you need to start over from scratch, copy the $SPECROOT/Java/jre/lib/security/cacerts to the $SPECROOT/custom/keystore folder and generate the private key again with the tomcatssl alias.