Solved

Tomcat and Updating an SSL Certificate

Posted on 2014-03-14
7
1,347 Views
Last Modified: 2014-03-17
Hello Everyone,

I am currently having an issue with updating one of my sites with a new SSL Certificate. It's a wildcard cert. I've installed and updated all of my other servers with it, except, this server running Tomcat (It's a Windows 2008 Server). I've gotten to the point where I used the keytool command to convert the .pfx to .jks and added it to the keystore, then updated the server.xml file. When I start tomcat after the changes, Tomcat starts fine, but I still get the SSL security risk error when I go to the webpage and it's still referencing the old cert. Would anyone be able to help me get through this one? Below are the steps that I took:

-Stopped Tomcat

-Copied the Keystore folder to the desktop and put the .pfx file in it (so I wasn't working in the real directory

-Ran the following commands:

C:\Program Files (x86)\Java\jre7\bin>keytool.exe -importkeystore -srckeystore C:
\Users\administrator.ADMINISTRATION\Desktop\Keystore\Star_Cert_Export.pfx -srcst
oretype pkcs12 -destkeystore C:\Users\administrator.ADMINISTRATION\Desktop\Keyst
ore\star_org.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias le-27b41009-6912-4cde-9f47-752882517881 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or
cancelled

-Then I took the .jks that was made and moved it in the real keystore folder

-Then edited the server.xml file (The first one was the original xml and in bold is the excerpt from the new .xml changes I made (I removed the alias because I didn't define one):


!!!Original XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystorealias="site.org"
               keystoreFile="D:/fsc/Keystore/gltech_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />  


!!!New XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystoreFile="D:/fsc/Keystore/star_domain_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />

-Turned Tomcat back on

-Went to site, and still referencing old Cert


Any help you guys can give me would be awesome! Thanks in advance!!!
0
Comment
Question by:WindhamSD
  • 4
  • 3
7 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39931004
Looks fine though, clean up the browser cache and use another browser to see the cert presented, also the past renewal should have restarted the tomcat (net stop and net start) to see if it still prompt. The steps to be not too far off compared to the http://support.godaddy.com/help/article/5355/ssl-certificate-renewal-tomcat-4x5x6x

Can also look into the logs e.g. By default additional webapp log entries are added to CATALINA_HOME/logs/catalina.YYYY-MM-DD.log and System.out/System.err are redirected to CATALINA_HOME/logs/catalina.out.
0
 

Author Comment

by:WindhamSD
ID: 39931803
Thanks breadtan,

I'll move that file back over and see what happens. Just not too sure if I need to set an alias or not.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39931979
The Alias is more virtual host name that is configured as a separate Host element in server.xml, each with its own set of web applications. From the "how-to", a common use case for this scenario is a corporate web site, where it is desirable that users be able to utilize either www.mycompany.com or company.com to access exactly the same content and applications.

**All of the network names involved must be registered in your DNS server to resolve to the same computer that is running this instance of Catalina.

But reference back to import cert example, normally it also goes in sync when you import keys and state the alias together at the same time. And if multiple .jks are stated probably it is good to state together to avoid vagueness

e.g.

/path/to/keytool -import -alias root -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/root.cer

/path/to/keytool -import -alias tomcat -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/cert.cer
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:WindhamSD
ID: 39932186
Thanks for that info. Learning a ton here. IIS and Apache are so much more user friendly. I wanted to get to this tonight but no luck. I hope I can get to it tomorrow. If not I'll be doing this first thing Monday. Thanks for the help so far!
0
 

Author Comment

by:WindhamSD
ID: 39934332
So you were completely correct breadtan,

What I entered was correct and it worked, however, I was only accessing the site via it's DNS name and not it's FQDN. When I access it via FQDN everything is all good! So now I'm wondering, from what you were saying about the alias's, if adding that will work. I cannot stop Tomcat right at this time due to heavy traffic on it right now, but wanted to give you the good news. Later on in the day I will try adding the alias and see how it works out.

Again, thanks for the help!
0
 
LVL 63

Expert Comment

by:btan
ID: 39934351
Appreciate your sharing. Well it is already working so let it run but better to do the testing  in staging if available. It should impact the fqdn part as eventually the whatever the web server received it it still needs to translate and mapped back, maybe just to make it an friendly name instead
0
 

Author Closing Comment

by:WindhamSD
ID: 39934362
Thanks again!
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question