Our SSL Entrust Certificate Authority signed certificate is about to expire and I need to update it. What's the process for updating the tomcatssl alias in the keystore?
Cert is about to expire or has expired.
Release : 20.2.x
Component : SPCOCK - Spectrum OneClick
You need to delete the alias from the keystore, generate a new cert request, send it to the CA, and then import the cert they send back.
In the commands below, be sure to replace $SPECROOT with the actual path:
1. Make a backup copy of your $SPECROOT/custom/keystore/cacerts file.
2. Delete the tomcatssl alias from the keystore - navigate to $SPECROOT/java/bin:
./keytool -delete -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts
3. Generate the private key:
./keytool -genkey -alias tomcatssl -keyalg RSA -keysize 2048 -ext SAN=dns:oneclick -keystore $SPECROOT/custom/keystore/cacerts
Be sure to replace the SAN value as needed. When the command finishes, keytool prints a note about converting the keystore to pkcs12; do NOT convert it.
4. Generate the cert request:
./keytool -certreq -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -file filename.csr
5. Send the cert request (.csr file) to the CA.
6. See if you can get a .p7b file from them, as it contains the chain and the public/entity cert.
7. Import the cert:
./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_cert_filename
8. Cycle tomcat.
If at any point keytool tells you the keystore has been tampered with and is corrupt, you can start over. Just copy the $SPECROOT/Java/jre/lib/security/cacerts file to the $SPECROOT/custom/keystore folder and generate the private key again with the tomcatssl alias.
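A check worth running between step 7 and step 8, shown here as an added example that is not part of the original article: it reads the output of `keytool -list -v -alias tomcatssl` and confirms the alias holds the private key together with a CA-issued chain rather than the self-signed placeholder left by step 3. The function name and the sample listings are constructed for illustration; the sample issuer names are placeholders.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v -alias tomcatssl` output on stdin and
# prints one verdict line; returns 0 only if a CA-signed reply is installed.
check_tomcatssl_listing() {
    listing=$(cat)
    # First match of each field belongs to Certificate[1], the server (leaf) cert.
    field() { printf '%s\n' "$listing" | sed -n "s/^$1 *//p" | head -n 1; }
    entry_type=$(field 'Entry type:')
    chain_len=$(field 'Certificate chain length:')
    owner=$(field 'Owner:')
    issuer=$(field 'Issuer:')
    not_after=$(field 'Valid from: .* until:')
    if [ "$entry_type" != "PrivateKeyEntry" ]; then
        echo "FAIL: entry type '${entry_type:-missing}', cert is not paired with the private key"
        return 1
    fi
    if [ "$owner" = "$issuer" ]; then
        echo "FAIL: leaf is self-signed, CA reply not imported"
        return 1
    fi
    case "$chain_len" in
        ''|*[!0-9]*|0|1) echo "FAIL: chain length '${chain_len:-missing}', issuer certs missing"; return 1 ;;
    esac
    echo "OK: PrivateKeyEntry, chain length $chain_len, leaf valid until $not_after"
}

# Constructed sample listings (not real keytool output from any system).
SAMPLE_AFTER_IMPORT='Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=oneclick
Issuer: CN=Example Issuing CA
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Wed Jan 01 00:00:00 UTC 2025
Certificate[2]:
Owner: CN=Example Issuing CA
Issuer: CN=Example Root CA'
SAMPLE_AFTER_GENKEY='Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oneclick
Issuer: CN=oneclick'

printf '%s\n' "$SAMPLE_AFTER_IMPORT" | check_tomcatssl_listing
printf '%s\n' "$SAMPLE_AFTER_GENKEY" | check_tomcatssl_listing || true
# Real use, from $SPECROOT/java/bin (keytool prompts for the keystore password):
# ./keytool -list -v -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts | check_tomcatssl_listing
```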