After updating the HTTPS certificate, my browser still shows the old certificate

Article ID: 261544


Products

DX NetOps
CA Spectrum
CA Performance Management - Usage and Administration

Issue/Introduction

After successfully updating the HTTPS certificate, the browser still shows the old certificate. Why?

Environment

All supported releases

Cause

The updated certificate did not overwrite the current certificate. Because a different alias was used for the import, it was added to the keystore alongside the existing entry.

Take this scenario:

In the keystore you have your existing cert that is tied to a private key:

tomcatssl1, Dec 15, 2022, PrivateKeyEntry

You then go through the CSR process and import the resulting certificate, but choose the alias tomcatssl, which results in:

tomcatssl, Mar 8, 2023, TrustedCertEntry

tomcatssl1, Dec 15, 2022, PrivateKeyEntry

The server will continue to use tomcatssl1 as it is the one linked to the private key.

Resolution

To fix the above scenario one would:

1. Make a backup of the existing cacerts keystore:

cp /usr/Spectrum/custom/keystore/cacerts /usr/Spectrum/custom/keystore/cacerts.bak

2. Delete the incorrect alias (the TrustedCertEntry, NOT the PrivateKeyEntry item):

/usr/Spectrum/Java/bin/keytool -delete -keystore /usr/Spectrum/custom/keystore/cacerts -alias tomcatssl -storepass changeit

3. Using the certificate provided by your certificate authority, reimport it into the keystore, specifying the correct alias:

/usr/Spectrum/Java/bin/keytool -import -keystore /usr/Spectrum/custom/keystore/cacerts -alias tomcatssl1 -storepass changeit -file /path/to/ca_signed/cert.cert

4. Restart services
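
A pre-flight check for steps 2 and 3, added here as an example and not part of the original article or the product: it parses keytool -list output to confirm that the alias about to be deleted is a TrustedCertEntry and to find the PrivateKeyEntry alias the signed certificate must be imported under. The function names and the embedded sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: the two entries shown in the article's scenario.
SAMPLE_LISTING='tomcatssl, Mar 8, 2023, TrustedCertEntry
tomcatssl1, Dec 15, 2022, PrivateKeyEntry'

# entry_type ALIAS
# Reads a keytool -list listing on stdin and prints the entry type of ALIAS.
# Exits non-zero if the alias is not present in the listing.
entry_type() {
  awk -F',' -v a="$1" '
    $1 == a {
      for (i = 2; i <= NF; i++) {
        gsub(/^ +| +$/, "", $i)          # trim padding around each field
        if ($i ~ /Entry$/) { print $i; found = 1 }
      }
    }
    END { exit !found }'
}

# private_key_aliases
# Prints every alias bound to a private key. The CA-signed certificate must be
# imported under one of these, otherwise the server keeps serving the old one.
private_key_aliases() {
  awk -F',' '{
    for (i = 2; i <= NF; i++) {
      gsub(/^ +| +$/, "", $i)
      if ($i == "PrivateKeyEntry") print $1
    }
  }'
}

# safe_to_delete ALIAS
# Returns 0 only when ALIAS is a TrustedCertEntry, 1 for any other entry type
# (including PrivateKeyEntry), and 2 when the alias does not exist.
safe_to_delete() {
  t=$(entry_type "$1") || return 2
  [ "$t" = "TrustedCertEntry" ]
}

# Demonstration on the constructed sample: prints the alias to import under.
printf '%s\n' "$SAMPLE_LISTING" | private_key_aliases
```

Against a live keystore, pipe the output of keytool -list -keystore <keystore> into safe_to_delete before running the -delete command from step 2.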