Solved

Tomcat and Updating an SSL Certificate

Posted on 2014-03-14
1,322 Views
Last Modified: 2014-03-17
Hello Everyone,

I am currently having an issue with updating one of my sites with a new SSL Certificate. It's a wildcard cert. I've installed and updated all of my other servers with it, except, this server running Tomcat (It's a Windows 2008 Server). I've gotten to the point where I used the keytool command to convert the .pfx to .jks and added it to the keystore, then updated the server.xml file. When I start tomcat after the changes, Tomcat starts fine, but I still get the SSL security risk error when I go to the webpage and it's still referencing the old cert. Would anyone be able to help me get through this one? Below are the steps that I took:

-Stopped Tomcat

-Copied the Keystore folder to the desktop and put the .pfx file in it (so I wasn't working in the real directory)

-Ran the following commands:

C:\Program Files (x86)\Java\jre7\bin>keytool.exe -importkeystore -srckeystore C:\Users\administrator.ADMINISTRATION\Desktop\Keystore\Star_Cert_Export.pfx -srcstoretype pkcs12 -destkeystore C:\Users\administrator.ADMINISTRATION\Desktop\Keystore\star_org.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias le-27b41009-6912-4cde-9f47-752882517881 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

-Then I took the .jks that was made and moved it in the real keystore folder

-Then edited the server.xml file (the first excerpt is the original XML and the second is the excerpt with the changes I made; I removed the alias because I didn't define one):


!!!Original XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystorealias="site.org"
               keystoreFile="D:/fsc/Keystore/gltech_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />  


!!!New XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystoreFile="D:/fsc/Keystore/star_domain_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />

-Turned Tomcat back on

-Went to site, and still referencing old Cert


Any help you guys can give me would be awesome! Thanks in advance!!!
Question by:WindhamSD

Assisted Solution

by:btan
btan earned 500 total points
ID: 39931004
Looks fine though. Clean up the browser cache and use another browser to see the cert presented; also the past renewal should have restarted Tomcat (net stop and net start) to see if it still prompts. The steps should not be too far off compared to http://support.godaddy.com/help/article/5355/ssl-certificate-renewal-tomcat-4x5x6x

Can also look into the logs, e.g. by default additional webapp log entries are added to CATALINA_HOME/logs/catalina.YYYY-MM-DD.log and System.out/System.err are redirected to CATALINA_HOME/logs/catalina.out.

Author Comment

by:WindhamSD
ID: 39931803
Thanks breadtan,

I'll move that file back over and see what happens. Just not too sure if I need to set an alias or not.

Accepted Solution

by:btan
btan earned 500 total points
ID: 39931979
The alias is more of a virtual host name that is configured as a separate Host element in server.xml, each with its own set of web applications. From the "how-to", a common use case for this scenario is a corporate web site, where it is desirable that users be able to utilize either www.mycompany.com or company.com to access exactly the same content and applications.

**All of the network names involved must be registered in your DNS server to resolve to the same computer that is running this instance of Catalina.

But referring back to the import cert example, normally it also goes in sync when you import keys and state the alias together at the same time. And if multiple .jks are stated, it is probably good to state them together to avoid vagueness.

e.g.

/path/to/keytool -import -alias root -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/root.cer

/path/to/keytool -import -alias tomcat -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/cert.cer

Author Comment

by:WindhamSD
ID: 39932186
Thanks for that info. Learning a ton here. IIS and Apache are so much more user friendly. I wanted to get to this tonight but no luck. I hope I can get to it tomorrow. If not I'll be doing this first thing Monday. Thanks for the help so far!

Author Comment

by:WindhamSD
ID: 39934332
So you were completely correct, breadtan.

What I entered was correct and it worked; however, I was only accessing the site via its DNS name and not its FQDN. When I access it via FQDN everything is all good! So now I'm wondering, from what you were saying about the aliases, if adding that will work. I cannot stop Tomcat right at this time due to heavy traffic on it right now, but wanted to give you the good news. Later on in the day I will try adding the alias and see how it works out.

Again, thanks for the help!
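A way to confirm this from the command line instead of relying on a browser, as an added Go example that is not from the thread: FetchLeaf pulls the certificate a live Tomcat port actually serves (the host:port you pass is an assumption), and Covered applies the same name-matching rule browsers use, where a wildcard covers exactly one DNS label, so a short host name is never covered by a *.domain certificate. The *.example.org certificate is constructed inside the block so the check runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// FetchLeaf returns the leaf cert a live endpoint presents; verification is skipped only so a cert the browser rejects can still be read.
func FetchLeaf(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// Covered applies browser hostname matching to the cert's SAN entries: '*' covers exactly one DNS label.
func Covered(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// WildcardCert builds a constructed, self-signed cert so the check runs offline.
func WildcardCert(dnsNames ...string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := WildcardCert("*.example.org", "example.org") // constructed sample
	fmt.Println(Covered(cert, "www.example.org"), Covered(cert, "host")) // true false
}
```

Swap the constructed sample for FetchLeaf("yourhost.example.org:443") to test the name you actually type against what the server sends.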

Expert Comment

by:btan
ID: 39934351
Appreciate your sharing. Well, it is already working, so let it run, but it is better to do the testing in staging if available. It should impact the FQDN part, as eventually whatever the web server receives still needs to be translated and mapped back, maybe just to make it a friendly name instead.

Author Closing Comment

by:WindhamSD
ID: 39934362
Thanks again!