SSL certs do not update on single riskfort host

Article ID: 261985

Products

CA Risk Authentication

Issue/Introduction

The SSL certificate on RiskFort is not getting updated on a single host. The host is pulling in the certificates fine, but it looks like it cannot apply them to the database for some reason.

Environment

Release: CA Risk Authentication 9.1

Resolution

Sometimes a partner service suggests a custom tool for certificate management, and the new certificates are not reflected in all databases. As soon as the old certificate expires, the customer starts seeing errors in a few RiskFort instances. You need to create new certificates using the KeyStore Explorer tool and upload them again.

KeyStore Explorer can be used to create your own CA certificate and sign certificates and CRLs with it. A wide range of certificate extensions is supported; see the specifications. The steps below generate a new key pair and import the CA reply using KeyStore Explorer to install SSL certificates:

  1. Download Keystore Explorer
    https://keystore-explorer.org/downloads.html
  2. Run Keystore Explorer
  3. File > New > Choose JKS

  4. Generate a new key pair.



  5. Choose RSA and SHA256


  6. Click the name icon to enter your new certificate information.



  7. Click OK
  8. Click Add Extensions > Plus Icon
  9. Select Subject Alternative Name and click OK

  10. Click the Plus Icon > DNS Name
    Note: Due to an update in Google Chrome, only the subjectAlternativeName (SAN) extension, not commonName (CN), is used to match the domain name and site certificate.




  11. Click OK
  12. Then change the alias to tomcat.

  13. Enter the password defined in KEYSTORE_PASSWORD in the keystore password section of the whd.conf file.
    a. Open the whd.conf (\WebHelpDesk\conf\whd.conf)
    b. Look at the keystore password section.
    # Keystore settings (for SSL connnections)



  14. Save the file on the desktop.
    - File > Save Keystore > KEYSTORE_PASSWORD > OK
    - Filename = keystore.jks

    Right-click 'tomcat' and click Certificate Details to review the certificate and make sure all details are correct.
     
  15. Generate the CSR
    - Right-click 'tomcat' and click Generate Certification Request.



  16. Submit the CSR to your CA provider.

  17. Once you get the CA reply, open Keystore Explorer again, browse to your keystore.jks file, right-click tomcat, and choose Import CA Reply.

  18. Browse to your certificate reply from your CA provider, then click save.

  19. Copy this keystore.jks file to the conf folder.
    Windows: C:\Program Files\WebHelpDesk\conf
    Linux: /usr/local/webhelpdesk/conf/
    MacOS: /Library/WebHelpDesk/conf

  20. Restart your application service so that the new certificate is reflected in RiskFort.
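
After the restart in step 20, it is worth confirming that every instance presents the renewed certificate, since the problem described here is one host lagging behind the others. The following is an added example, not part of the original article or the product: it compares SHA-256 fingerprints of the certificates each host serves and reports the hosts that differ. The host names, ports and the two sample certificates are constructed placeholders.

```python
import hashlib
import ssl
import sys
from collections import Counter

# Constructed stand-ins for certificate DER bytes (not real certificates);
# real input comes from fetch_pem() or from the certificate exported in step 18.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: expired certificate")
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: renewed certificate")


def fingerprint(pem):
    """SHA-256 over the DER encoding of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def fetch_pem(host, port):
    """Leaf certificate the listener presents. No chain validation: inventory only."""
    return ssl.get_server_certificate((host, port))


def find_stale_hosts(served, expected_pem=None):
    """Return {host: fingerprint} for hosts not serving the expected certificate.

    served maps host -> PEM. Without expected_pem, the fingerprint served by
    most hosts is assumed to be the renewed one.
    """
    prints = {host: fingerprint(pem) for host, pem in served.items()}
    if not prints:
        return {}
    if expected_pem is not None:
        expected = fingerprint(expected_pem)
    else:
        expected = Counter(prints.values()).most_common(1)[0][0]
    return {host: fp for host, fp in prints.items() if fp != expected}


if __name__ == "__main__":
    # Usage: check_certs.py host1:port host2:port ... (hypothetical names and ports)
    targets = sys.argv[1:]
    if targets:
        served = {t: fetch_pem(t.rsplit(":", 1)[0], int(t.rsplit(":", 1)[1]))
                  for t in targets}
    else:
        served = {"rf-1": NEW_PEM, "rf-2": NEW_PEM, "rf-3": OLD_PEM}  # constructed
    for host, fp in find_stale_hosts(served).items():
        print(f"{host} serves a different certificate: sha256={fp}")
```

Passing the certificate from the CA reply as `expected_pem` is more reliable than the majority fallback when only two hosts are compared.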