Updating renewed SSL certificate in Spectrum

Article ID: 206278

Products

CA Spectrum

Issue/Introduction

Our SSL Entrust Certificate Authority signed certificate is about to expire and I need to update it.  What's the process for updating the tomcatssl alias in the keystore?  We have a cert that is going to expire and we need to update it in Spectrum OneClick and Webapp.  What is the process to get the new certificate applied?

Cause

Cert is about to expire or has expired.

Environment

Release : 20.2.x

Component : SPCOCK - Spectrum OneClick

Resolution

You need to delete the existing alias from the keystore, generate a new key pair and certificate request, send the request to the CA, and then import the certificate they send back:

Be sure to replace $SPECROOT with the actual path:

1.  Make a backup copy of your $SPECROOT/custom/keystore/cacerts file.

2.  Delete the tomcatssl alias from the keystore. Navigate to $SPECROOT/java/bin and run:
    ./keytool -delete -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts

3.  Generate the private key:
    ./keytool -genkey -alias tomcatssl -keyalg RSA -keysize 2048 -ext SAN=dns:oneclick -keystore $SPECROOT/custom/keystore/cacerts

    Be sure to replace the SAN value as needed. When the command finishes, keytool may recommend migrating the keystore to PKCS12; do NOT convert it.

4.  Generate the cert request:
    ./keytool -certreq -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -file filename.csr

5.  Send the .csr file to the CA.

6.  If possible, ask them for a .p7b file, as it contains the whole chain: the root and intermediate certs plus the public/entity cert.

7.  Import the cert:
    ./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_cert_filename

8.  Cycle tomcat.

9.  Cycle WebTomcat. No separate change is needed for WebTomcat, because it uses the same keystore and picks up the new cert automatically.
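The steps above as a script, added here as an example and not a Broadcom-supplied tool. It assumes SPECROOT is exported in the environment, that the Spectrum JRE's keytool is at $SPECROOT/java/bin/keytool, and GNU coreutils (date -d). It uses -genkeypair (the current name for -genkey) with -dname so the key generation does not prompt interactively, and it adds a check the article's Cause section implies: how many days remain on the cert currently under the tomcatssl alias. The function names (san_ext, days_until_expiry, check_expiry, rotate, import_reply) are this script's own.

```shell
#!/usr/bin/env bash
# Added example: scripted tomcatssl rotation for the Spectrum keystore.
# Not Broadcom's script. Assumes GNU date and keytool under $SPECROOT/java/bin.
set -eu

SPECROOT="${SPECROOT:-}"                 # export SPECROOT before running
ALIAS="tomcatssl"
KEYSTORE="$SPECROOT/custom/keystore/cacerts"
KEYTOOL="$SPECROOT/java/bin/keytool"

# Build the -ext SAN value from hostnames: "SAN=dns:host1,dns:host2".
san_ext() {
  out=""
  for h in "$@"; do out="${out:+$out,}dns:$h"; done
  printf 'SAN=%s\n' "$out"
}

# Read `keytool -list -v` output on stdin and print whole days until the
# entity certificate (Certificate[1], first "until:" line) expires,
# relative to $1 given in epoch seconds. Negative means already expired.
days_until_expiry() {
  now="$1"
  until_str="$(awk '/until: /{sub(/.*until: /, ""); print; exit}')"
  [ -n "$until_str" ] || { echo "no 'until:' line in keytool output" >&2; return 1; }
  until_epoch="$(date -u -d "$until_str" +%s)"
  echo $(( (until_epoch - now) / 86400 ))
}

require_specroot() {
  [ -n "$SPECROOT" ] && [ -x "$KEYTOOL" ] ||
    { echo "set SPECROOT to the Spectrum install directory" >&2; return 1; }
}

# Pre-check: days left on the cert currently stored under the alias.
check_expiry() {
  require_specroot
  "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KEYSTORE" | days_until_expiry "$(date +%s)"
}

# Steps 1-4: backup, delete the old alias, new key pair, CSR.
# $1 = CSR output file; remaining args = SAN hostnames (first one is the CN).
rotate() {
  require_specroot
  csr="$1"; shift
  cp -p "$KEYSTORE" "$KEYSTORE.$(date +%Y%m%d%H%M%S).bak"
  "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$KEYSTORE" || true   # alias may already be gone
  "$KEYTOOL" -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=$1" -ext "$(san_ext "$@")" -keystore "$KEYSTORE"
  "$KEYTOOL" -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -file "$csr"
}

# Step 7: import the CA reply (ideally the .p7b carrying the full chain),
# then show the chain length and validity so a one-cert import is obvious.
import_reply() {
  require_specroot
  "$KEYTOOL" -import -alias "$ALIAS" -keystore "$KEYSTORE" -trustcacerts -file "$1"
  "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KEYSTORE" | grep -E 'chain length|until:'
}

case "${1:-}" in
  check)  check_expiry ;;
  rotate) shift; rotate "$@" ;;
  import) shift; import_reply "$@" ;;
esac
```

Typical use: `./rotate_tomcatssl.sh check` before starting, `./rotate_tomcatssl.sh rotate oneclick.csr oneclick oneclick.example.com` to produce the CSR, and after the CA replies `./rotate_tomcatssl.sh import reply.p7b`; a chain length of 1 in the final listing means the reply did not carry the intermediates. Cycle tomcat and WebTomcat afterwards as in steps 8 and 9.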

Additional Information


If at any point keytool reports that the keystore has been tampered with or is corrupt, you can start over: copy $SPECROOT/Java/jre/lib/security/cacerts to the $SPECROOT/custom/keystore folder and generate the private key again with the tomcatssl alias.