After updating the HTTPS certificate, my browser still shows the old certificate

Article ID: 261544


Products

Network Observability Spectrum CA Performance Management

Issue/Introduction

After successfully updating the HTTPS certificate, my browser still shows the old certificate. Why?

Environment

All supported releases

Cause

Scenario 1:

The updated certificate was not imported over the current certificate (overwriting it). Instead, it was imported alongside it because a different alias was used.

Take this scenario:

In the keystore you have your existing cert that is tied to a private key:

tomcatssl1, Dec 15, 2022, PrivateKeyEntry

You then go through the CSR process and import the resulting certificate, but choose an alias of tomcatssl, which results in:

tomcatssl, Mar 8, 2023, TrustedCertEntry

tomcatssl1, Dec 15, 2022, PrivateKeyEntry

The server will continue to use tomcatssl1 as it is the one linked to the private key.

Scenario 2:

You imported a new key and certificate, and the new entry is listed after the old certificate in the list:

tomcatssl, Mar 8, 2022, PrivateKeyEntry     # OLD

tomcatssl1, Dec 15, 2022, PrivateKeyEntry  # NEW

The server will use the first keypair it finds in the keystore.
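To tell which of the two scenarios applies, the entry types in the keystore listing can be checked mechanically. The following is an added example, not vendor code: the function name diagnose_keystore and the sample listings are constructed for illustration, and it assumes non-verbose keytool -list output read in the order shown in the listing.

```shell
#!/bin/sh
# Added example, not vendor code. Classifies non-verbose `keytool -list` output
# read from stdin against the two scenarios in this article.
# $1 = alias that was given when the new certificate was imported.
diagnose_keystore() {
    awk -v want="$1" '
        {
            low = tolower($0)
            if (low ~ /privatekeyentry/)       type = "key"
            else if (low ~ /trustedcertentry/) type = "cert"
            else next                          # header, blank and fingerprint lines
            alias = $0
            sub(/,.*/, "", alias)              # alias is the text before the first comma
            gsub(/^[ \t]+|[ \t]+$/, "", alias)
            if (type == "key" && first_key == "") first_key = alias
            if (alias == want) want_type = type
        }
        END {
            if (want_type == "")
                print "missing: alias " want " is not in the keystore"
            else if (want_type == "cert" && first_key != "")
                print "scenario1: " want " is a TrustedCertEntry; the key pair is under " first_key
            else if (want_type == "cert")
                print "nokey: " want " is a TrustedCertEntry and no PrivateKeyEntry exists"
            else if (first_key != want)
                print "scenario2: " first_key " is listed before " want " and is used first"
            else
                print "ok: " want " is the first PrivateKeyEntry"
        }'
}

# Constructed sample listings, taken from the two scenarios above.
sample_scenario1() {
    cat <<'EOF'
tomcatssl, Mar 8, 2023, TrustedCertEntry
tomcatssl1, Dec 15, 2022, PrivateKeyEntry
EOF
}
sample_scenario2() {
    cat <<'EOF'
tomcatssl, Mar 8, 2022, PrivateKeyEntry
tomcatssl1, Dec 15, 2022, PrivateKeyEntry
EOF
}

sample_scenario1 | diagnose_keystore tomcatssl
sample_scenario2 | diagnose_keystore tomcatssl1
```

Against a real keystore, pipe the output of $SPECROOT/Java/bin/keytool -list -keystore $SPECROOT/custom/keystore/cacerts -storepass <password> into diagnose_keystore, passing the alias used for the import.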


Resolution

To fix the above scenarios:

1. Make a backup of the existing cacerts keystore:

   cp /usr/Spectrum/custom/keystore/cacerts /usr/Spectrum/custom/keystore/cacerts.bak

2. Delete the incorrect alias:

   a) If Scenario 1:

      1) Delete the incorrectly imported certificate (TrustedCertEntry). Example:

         $SPECROOT/Java/bin/keytool -delete -keystore $SPECROOT/custom/keystore/cacerts -alias tomcatssl -storepass <password>

      2) Using the certificate provided by your certificate authority, reimport it into the keystore, specifying the correct alias:

         $SPECROOT/Java/bin/keytool -import -keystore $SPECROOT/custom/keystore/cacerts -alias tomcatssl1 -storepass <password> -file /path/to/ca_signed/cert.cert

   b) If Scenario 2:

      1) Delete the old key pair (OLD PrivateKeyEntry). Example:

         $SPECROOT/Java/bin/keytool -delete -keystore $SPECROOT/custom/keystore/cacerts -alias tomcatssl -storepass <password>

      2) If you added keyalias="<alias>" to the $SPECROOT/{tomcat,webtomcat}/conf/server.xml files, remove it.

3. Stop and start the tomcat and webtomcat services.

   a) Windows

      Stop and start the SpectrumTomcat and SpectrumWebTomcat services.

   b) Linux

      cd $SPECROOT/tomcat/bin
      ./stopTomcat.sh
      ./startTomcat.sh

      cd $SPECROOT/tomcat/bin
      ./stopWebTomcat.sh
      ./startWebTomcat.sh