Updating renewed SSL certificate in Spectrum


Article ID: 206278


Updated On:


CA Spectrum


Our SSL Entrust Certificate Authority signed certificate is about to expire and I need to update it.  What's the process for updating the tomcatssl alias in the keystore?


Cert is about to expire or has expired.


Release : 20.2.x

Component : SPCOCK - Spectrum OneClick


You need to delete the alias from the keystore and then generate a new cert request, send to the CA, and then import the cert they send back:

Be sure to replace $SPECROOT with the actual path:

1.  Make a backup copy of your $SPECROOT/custom/keystore/cacerts file.
2.  Delete the tomcatssl alias from the keystore - navigate to $SPECROOT/java/bin:
./keytool -delete -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts
3.  Generate the private key:
./keytool -genkey -alias tomcatssl -keyalg RSA -keysize 2048 -ext SAN=dns:oneclick -keystore $SPECROOT/custom/keystore/cacerts

Be sure to replace the SAN as needed and do NOT convert it to pkcs12 as noted when done.

4.  Generate the cert request:
  ./keytool -certreq -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -file filename.csr

5.  Send to the CA
6.  See if you can get .p7b file from them as it contains the chain and publie/entity cert.
7.  Import the cert:
./keytool -import -alias tomcatssl -keystore $SPECROOT/custom/keystore/cacerts -trustcacerts -file your_cert_filename

8.  Cycle tomcat.

Additional Information

If at any point keytool tells you the keystore has been tampered with and is corrupt, you can start over.  Just copy the $SPECROOT/Java/jre/lib/security/cacerts to the $SPECROOT/custom/keystore folder and generate the private key again with the tomcatssl alias.