Web Viewer Apache Tomcat SSL certificate update steps


Article ID: 235845




Output Management Web Viewer


Need the instructions for installing a new certificate into Web Viewer Apache Tomcat as the current one is due to expire.


Release : 12.1


Apache Tomcat


Required steps:
 - Generate a new private key in a new keystore file.
 - Generate a new CSR (Certificate Signing Request) .csr file from the new keystore and send it to the Certificate Authority (CA), e.g. DigiCert.
 - The CA responds with the root certificate.
 - Import the root certificate and any other required certificates into the new keystore file.
 - Back up the current keystore file. To locate it: if the SSL connector section of the Tomcat server.xml file has no keystoreFile parameter set, Tomcat looks for a file named .keystore in the home directory, protected with the default password "changeit". See https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
 - Shut down Tomcat.
 - Put the new keystore file in place. If the SSL connector section of server.xml has no keystoreFile parameter set, add one so that the location of the new keystore file is explicit. Also add keyAlias="alias" to the same section; without it Tomcat fails with the error "java.io.IOException: Alias name [null] does not identify a key entry" (running "keytool -list -v" on the keystore file shows the alias of the machine's certificate). This matches the Web Viewer documentation page Configure Tomcat for TLS > Configure Tomcat.
 - Restart Tomcat.
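As an added example (not part of this article or of the Web Viewer product), the following Python script audits the TLS Connector in a Tomcat server.xml for the explicit keystoreFile and keyAlias settings the steps above call for, and writes them in where they are missing. It also checks keystorePass, because Tomcat's default for that attribute is "changeit", which will not open a keystore created with a different -storepass such as the "tomcat" used later in this article; the server.xml fragment, the keystore path and the alias are constructed sample values.

```python
"""Audit and patch the TLS Connector of a Tomcat server.xml for the
keystoreFile / keystorePass / keyAlias attributes that must be explicit."""
import xml.etree.ElementTree as ET

# Constructed sample server.xml: an SSL connector with none of the three
# attributes set, which is the situation the article describes.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

REQUIRED = ("keystoreFile", "keystorePass", "keyAlias")

def ssl_connectors(root):
    """Yield every Connector element with SSLEnabled="true"."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true":
            yield conn

def audit(xml_text):
    """Return {port: [missing attribute names]} for each TLS connector.
    No keystoreFile: Tomcat falls back to ~/.keystore with password
    "changeit".  No keyAlias: the "Alias name [null] does not identify
    a key entry" error described in the article."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): [a for a in REQUIRED if c.get(a) is None]
            for c in ssl_connectors(root)}

def patch(xml_text, keystore_file, key_alias, keystore_pass):
    """Set the three attributes on every TLS connector; return the new XML.
    ElementTree drops comments and the XML declaration, so treat the
    result as a review copy, not a drop-in replacement for server.xml."""
    root = ET.fromstring(xml_text)
    for c in ssl_connectors(root):
        c.set("keystoreFile", keystore_file)
        c.set("keystorePass", keystore_pass)
        c.set("keyAlias", key_alias)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_XML))
    # Sample values only; take the real alias from "keytool -list -v".
    fixed = patch(SAMPLE_SERVER_XML, "/opt/tomcat/conf/tomcatNew.jks", "tomcat", "tomcat")
    print(audit(fixed))
```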

Additional Information

1. The basic command to create a private key in a new keystore:
keytool -genkey -keyalg RSA -alias tomcat -keystore tomcatNew.jks -storepass tomcat -keysize 4096 -validity 730

a) Check with the CA whether it accepts a 4096-bit key size.
b) Check with the CA whether it allows a two-year (730 days) certificate.

After entering the command above, keytool prompts for the values listed below. To see what was entered when the previous keystore was created, list that keystore with: keytool -v -list -keystore yourOldKeystore.jks
Answer the prompts:
What is your first and last name?
  [Unknown]:  First Name Last Name
What is the name of your organizational unit?
  [Unknown]:  askYourCA
What is the name of your organization?
  [Unknown]:  askYourCA
What is the name of your City or Locality?
  [Unknown]:  askYourCA
What is the name of your State or Province?
  [Unknown]:  Your State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=First Name Last Name, OU=askYourCA, O=askYourCA, L=askYourCA, ST=Your State, C=US correct?
  [no]:  yes

2. The basic command to generate a Certificate Signing Request (CSR) from the new keystore:
keytool -certreq -alias tomcat -file csr.txt -keystore tomcatNew.jks

3. Third-party references:
Apache Tomcat 9 > SSL/TLS Configuration How-To > Installing a Certificate from a Certificate Authority
DigiCert > Tomcat: Create CSR & Install SSL/TLS Certificate (Keytool)