Solved

Tomcat and Updating an SSL Certificate

Posted on 2014-03-14
Last Modified: 2014-03-17
Hello Everyone,

I am currently having an issue with updating one of my sites with a new SSL certificate. It's a wildcard cert. I've installed and updated all of my other servers with it, except this server running Tomcat (it's a Windows 2008 Server). I've gotten to the point where I used the keytool command to convert the .pfx to .jks and added it to the keystore, then updated the server.xml file. When I start Tomcat after the changes, Tomcat starts fine, but I still get the SSL security risk error when I go to the webpage, and it's still referencing the old cert. Would anyone be able to help me get through this one? Below are the steps that I took:

-Stopped Tomcat

-Copied the Keystore folder to the desktop and put the .pfx file in it (so I wasn't working in the real directory)

-Ran the following commands:

C:\Program Files (x86)\Java\jre7\bin>keytool.exe -importkeystore -srckeystore C:\Users\administrator.ADMINISTRATION\Desktop\Keystore\Star_Cert_Export.pfx -srcstoretype pkcs12 -destkeystore C:\Users\administrator.ADMINISTRATION\Desktop\Keystore\star_org.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias le-27b41009-6912-4cde-9f47-752882517881 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

-Then I took the .jks that was made and moved it in the real keystore folder

-Then edited the server.xml file (the first excerpt is the original XML and the second is the excerpt from the new .xml with the changes I made; I removed the alias because I didn't define one):


!!!Original XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<!-- Connector attribute names are case-sensitive: keystoreType and keyAlias are the
     recognised names; keystoretype / keystorealias would be silently ignored -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="jks"
               keyAlias="site.org"
               keystoreFile="D:/fsc/Keystore/gltech_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />


!!!New XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<!-- keystoreType (case-sensitive) replaces the ignored keystoretype; no keyAlias set,
     so Tomcat uses the single key entry in the keystore -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreType="jks"
               keystoreFile="D:/fsc/Keystore/star_domain_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />

-Turned Tomcat back on

-Went to site, and still referencing old Cert


Any help you guys can give me would be awesome! Thanks in advance!!!
Question by:WindhamSD
7 Comments
Assisted Solution

by:btan
Looks fine though. Clean up the browser cache and use another browser to see the cert presented; also, the past renewal should have restarted Tomcat (net stop and net start) to see if it still prompts. The steps seem not too far off compared to http://support.godaddy.com/help/article/5355/ssl-certificate-renewal-tomcat-4x5x6x

Can also look into the logs, e.g. by default additional webapp log entries are added to CATALINA_HOME/logs/catalina.YYYY-MM-DD.log and System.out/System.err are redirected to CATALINA_HOME/logs/catalina.out.

Author Comment

by:WindhamSD
Thanks breadtan,

I'll move that file back over and see what happens. Just not too sure if I need to set an alias or not.

Accepted Solution

by:btan
The alias is more a virtual host name that is configured as a separate Host element in server.xml, each with its own set of web applications. From the "how-to", a common use case for this scenario is a corporate web site, where it is desirable that users be able to utilize either www.mycompany.com or company.com to access exactly the same content and applications.

**All of the network names involved must be registered in your DNS server to resolve to the same computer that is running this instance of Catalina.

But referring back to the import cert example, normally it also goes in sync when you import keys and state the alias together at the same time. And if multiple .jks are stated, it is probably good to state them together to avoid vagueness,

e.g.

/path/to/keytool -import -alias root -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/root.cer

/path/to/keytool -import -alias tomcat -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/cert.cer

Author Comment

by:WindhamSD
Thanks for that info. Learning a ton here. IIS and Apache are so much more user-friendly. I wanted to get to this tonight but no luck. I hope I can get to it tomorrow. If not, I'll be doing this first thing Monday. Thanks for the help so far!

Author Comment

by:WindhamSD
So you were completely correct, breadtan.

What I entered was correct and it worked; however, I was only accessing the site via its DNS name and not its FQDN. When I access it via the FQDN everything is all good! So now I'm wondering, from what you were saying about the aliases, if adding that will work. I cannot stop Tomcat right at this time due to heavy traffic on it right now, but wanted to give you the good news. Later on in the day I will try adding the alias and see how it works out.

Again, thanks for the help!
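The author's finding above (a warning when the site is opened by its short DNS name, none on the FQDN) comes down to how a wildcard name is matched against the host in the URL. The following is an added example, not code from the thread, that implements that matching, checks a certificate against a hostname, and fetches the certificate a server actually presents after a restart; the domain, serial and date in SAMPLE_CERT are constructed placeholders.

```python
import socket
import ssl

# Constructed sample in the shape SSLSocket.getpeercert() returns, standing in for
# the wildcard certificate from the thread (domain and values are placeholders).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
    "notAfter": "Mar 14 23:59:59 2015 GMT",
    "serialNumber": "0123456789ABCDEF",
}

def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*.example.org' covers 'www.example.org' but not the
    bare short name 'www', the apex 'example.org' or a deeper 'a.b.example.org'.
    That is why the site opened by its short DNS name still showed a warning."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                   # ".example.org"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]    # the label the '*' stands for
    return bool(leftmost) and "." not in leftmost

def cert_covers(cert: dict, hostname: str) -> bool:
    """True if a SAN dNSName (or, for legacy certs without SAN, the CN) matches."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(hostname_matches(n, hostname) for n in names)

def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with SNI=host and return the leaf cert as a getpeercert() dict.
    Hostname checking is off so a mismatched cert is still returned for a look;
    the chain must still validate, so an untrusted cert fails the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def renewal_check(cert: dict, hostname: str, expected_serial: str) -> dict:
    """Did the server pick up the new cert, and does that cert cover the URL's host?"""
    return {
        "is_new_cert": cert.get("serialNumber", "").upper() == expected_serial.upper(),
        "covers_hostname": cert_covers(cert, hostname),
        "not_after": cert.get("notAfter"),
    }
```

Feed `renewal_check` the result of `fetch_peer_cert` and the serial shown by `keytool -list -v -keystore <new .jks>`; if `is_new_cert` is false after a restart, Tomcat is still loading the old keystore, and if only `covers_hostname` is false, the certificate is fine but the name in the URL is not one it covers.
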

Expert Comment

by:btan
Appreciate your sharing. Well, it is already working so let it run, but better to do the testing in staging if available. It should impact the FQDN part, as eventually whatever the web server receives it still needs to translate and map back; maybe just to make it a friendly name instead.

Author Closing Comment

by:WindhamSD
Thanks again!