After updating the HTTPS certificate successfully, why does my browser still show the old certificate?
All supported releases
The updated certificate was not imported over the current certificate, which would have replaced it. Instead it was imported alongside it, because a different alias was used.
Take this scenario:
In the keystore you have your existing cert that is tied to a private key:
tomcatssl1, Dec 15, 2022, PrivateKeyEntry
You then go through the CSR process and import the resulting certificate, but choose an alias of tomcatssl, which results in:
tomcatssl, Mar 8, 2023, TrustedCertEntry
tomcatssl1, Dec 15, 2022, PrivateKeyEntry
The server will continue to use tomcatssl1 as it is the one linked to the private key.
To fix the above scenario one would:
1. Make a backup of the existing cacerts keystore:
cp /usr/Spectrum/custom/keystore/cacerts /usr/Spectrum/custom/keystore/cacerts.bak
2. Delete the incorrect alias (NOT the PrivateKeyEntry item):
/usr/Spectrum/Java/bin/keytool -delete -keystore /usr/Spectrum/custom/keystore/cacerts -alias tomcatssl -storepass changeit
3. Using the certificate provided by your certificate authority, reimport it into the keystore, specifying the correct alias:
/usr/Spectrum/Java/bin/keytool -import -keystore /usr/Spectrum/custom/keystore/cacerts -alias tomcatssl1 -storepass changeit -file /path/to/ca_signed/cert.cert
4. Restart services
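The alias check behind steps 2 and 3 can be scripted. The following is an added example, not part of the original article or the product: it parses keytool -list output and confirms that the alias you are about to import under is the PrivateKeyEntry. The function names and the sample listing are assumptions constructed from the scenario above.

```shell
#!/bin/sh
# Added example: check which alias holds the private key before importing.

# Constructed sample of `keytool -list` output, modelled on the listing above.
SAMPLE_LISTING='Your keystore contains 2 entries

tomcatssl, Mar 8, 2023, TrustedCertEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)
tomcatssl1, Dec 15, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): (constructed placeholder)'

# Print "alias<TAB>type" for every entry line in listing $1.
# The date contains a comma, so the alias is the first comma-separated
# field and the type is the last one (after dropping a trailing comma).
list_entries() {
    printf '%s\n' "$1" | awk '
        { sub(/[ \t\r]*$/, ""); sub(/,$/, "") }
        /Entry$/ { n = split($0, f, /, */); print f[1] "\t" f[n] }'
}

# Print the aliases in listing $1 that are tied to a private key.
private_key_aliases() {
    list_entries "$1" | awk -F'\t' 'tolower($2) == "privatekeyentry" { print $1 }'
}

# Check alias $1 against listing $2 before running `keytool -import`.
# Returns 0 if the alias is a PrivateKeyEntry, 1 if it holds only a
# certificate, 2 if it does not exist (import would create a new entry).
check_import_alias() {
    kind=$(list_entries "$2" | awk -F'\t' -v a="$1" '$1 == a { print $2; exit }')
    case "$kind" in
        [Pp]rivate[Kk]ey[Ee]ntry)
            echo "ok: $1 is a PrivateKeyEntry"; return 0 ;;
        "")
            echo "stop: no alias $1; key entries: $(private_key_aliases "$2")"; return 2 ;;
        *)
            echo "stop: $1 is a $kind, not the key entry"; return 1 ;;
    esac
}

# Demo on the constructed sample. For a real keystore, pass the output of
#   /usr/Spectrum/Java/bin/keytool -list -keystore /usr/Spectrum/custom/keystore/cacerts -storepass changeit
check_import_alias tomcatssl1 "$SAMPLE_LISTING"
check_import_alias tomcatssl "$SAMPLE_LISTING" || true
```

Running the same check after step 3 should report only the PrivateKeyEntry alias as valid for the server certificate.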