Solved

Tomcat and Updating an SSL Certificate

Posted on 2014-03-14
7
1,400 Views
Last Modified: 2014-03-17
Hello Everyone,

I am currently having an issue with updating one of my sites with a new SSL Certificate. It's a wildcard cert. I've installed and updated all of my other servers with it, except, this server running Tomcat (It's a Windows 2008 Server). I've gotten to the point where I used the keytool command to convert the .pfx to .jks and added it to the keystore, then updated the server.xml file. When I start tomcat after the changes, Tomcat starts fine, but I still get the SSL security risk error when I go to the webpage and it's still referencing the old cert. Would anyone be able to help me get through this one? Below are the steps that I took:

-Stopped Tomcat

-Copied the Keystore folder to the desktop and put the .pfx file in it (so I wasn't working in the real directory

-Ran the following commands:

C:\Program Files (x86)\Java\jre7\bin>keytool.exe -importkeystore -srckeystore C:
\Users\administrator.ADMINISTRATION\Desktop\Keystore\Star_Cert_Export.pfx -srcst
oretype pkcs12 -destkeystore C:\Users\administrator.ADMINISTRATION\Desktop\Keyst
ore\star_org.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias le-27b41009-6912-4cde-9f47-752882517881 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or
cancelled

-Then I took the .jks that was made and moved it in the real keystore folder

-Then edited the server.xml file (The first one was the original xml and in bold is the excerpt from the new .xml changes I made (I removed the alias because I didn't define one):


!!!Original XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystorealias="site.org"
               keystoreFile="D:/fsc/Keystore/gltech_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />  


!!!New XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystoreFile="D:/fsc/Keystore/star_domain_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />

-Turned Tomcat back on

-Went to site, and still referencing old Cert


Any help you guys can give me would be awesome! Thanks in advance!!!
0
Comment
Question by:WindhamSD
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 63

Assisted Solution

by:btan
btan earned 500 total points
ID: 39931004
Looks fine though, clean up the browser cache and use another browser to see the cert presented, also the past renewal should have restarted the tomcat (net stop and net start) to see if it still prompt. The steps to be not too far off compared to the http://support.godaddy.com/help/article/5355/ssl-certificate-renewal-tomcat-4x5x6x

Can also look into the logs e.g. By default additional webapp log entries are added to CATALINA_HOME/logs/catalina.YYYY-MM-DD.log and System.out/System.err are redirected to CATALINA_HOME/logs/catalina.out.
0
 

Author Comment

by:WindhamSD
ID: 39931803
Thanks breadtan,

I'll move that file back over and see what happens. Just not too sure if I need to set an alias or not.
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 39931979
The Alias is more virtual host name that is configured as a separate Host element in server.xml, each with its own set of web applications. From the "how-to", a common use case for this scenario is a corporate web site, where it is desirable that users be able to utilize either www.mycompany.com or company.com to access exactly the same content and applications.

**All of the network names involved must be registered in your DNS server to resolve to the same computer that is running this instance of Catalina.

But reference back to import cert example, normally it also goes in sync when you import keys and state the alias together at the same time. And if multiple .jks are stated probably it is good to state together to avoid vagueness

e.g.

/path/to/keytool -import -alias root -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/root.cer

/path/to/keytool -import -alias tomcat -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/cert.cer
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:WindhamSD
ID: 39932186
Thanks for that info. Learning a ton here. IIS and Apache are so much more user friendly. I wanted to get to this tonight but no luck. I hope I can get to it tomorrow. If not I'll be doing this first thing Monday. Thanks for the help so far!
0
 

Author Comment

by:WindhamSD
ID: 39934332
So you were completely correct breadtan,

What I entered was correct and it worked, however, I was only accessing the site via it's DNS name and not it's FQDN. When I access it via FQDN everything is all good! So now I'm wondering, from what you were saying about the alias's, if adding that will work. I cannot stop Tomcat right at this time due to heavy traffic on it right now, but wanted to give you the good news. Later on in the day I will try adding the alias and see how it works out.

Again, thanks for the help!
0
 
LVL 63

Expert Comment

by:btan
ID: 39934351
Appreciate your sharing. Well it is already working so let it run but better to do the testing  in staging if available. It should impact the fqdn part as eventually the whatever the web server received it it still needs to translate and mapped back, maybe just to make it an friendly name instead
0
 

Author Closing Comment

by:WindhamSD
ID: 39934362
Thanks again!
0

Featured Post

U.S. Department of Agriculture and Acronis Access

With the new era of mobile computing, smartphones and tablets, wireless communications and cloud services, the USDA sought to take advantage of a mobilized workforce and the blurring lines between personal and corporate computing resources.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Review of OCA certificate policy 1 57
SSL - A Registrar-Level Change? 4 42
Rewrite Rule head scratcher 18 49
Windows Server 2102 R2 - IIS 8.5 redirection assistance ? 7 74
Article by: kevp75
Hey folks, 'bout time for me to come around with a little tip. Thanks to IIS 7.5 Extensions and Microsoft (well... really Windows 8, and IIS 8 I guess...), we can now prime our Application Pools, when IIS starts. Now, though it would be nice t…
If you are a web developer, you would be aware of the <iframe> tag in HTML. The <iframe> stands for inline frame and is used to embed another document within the current HTML document. The embedded document could be even another website.
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question