Tomcat and Updating an SSL Certificate

Hello Everyone,

I am currently having an issue with updating one of my sites with a new SSL Certificate. It's a wildcard cert. I've installed and updated all of my other servers with it, except, this server running Tomcat (It's a Windows 2008 Server). I've gotten to the point where I used the keytool command to convert the .pfx to .jks and added it to the keystore, then updated the server.xml file. When I start tomcat after the changes, Tomcat starts fine, but I still get the SSL security risk error when I go to the webpage and it's still referencing the old cert. Would anyone be able to help me get through this one? Below are the steps that I took:

-Stopped Tomcat

-Copied the Keystore folder to the desktop and put the .pfx file in it (so I wasn't working in the real directory

-Ran the following commands:

C:\Program Files (x86)\Java\jre7\bin>keytool.exe -importkeystore -srckeystore C:
\Users\administrator.ADMINISTRATION\Desktop\Keystore\Star_Cert_Export.pfx -srcst
oretype pkcs12 -destkeystore C:\Users\administrator.ADMINISTRATION\Desktop\Keyst
ore\star_org.jks -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias le-27b41009-6912-4cde-9f47-752882517881 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or
cancelled

-Then I took the .jks that was made and moved it in the real keystore folder

-Then edited the server.xml file (The first one was the original xml and in bold is the excerpt from the new .xml changes I made (I removed the alias because I didn't define one):


!!!Original XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystorealias="site.org"
               keystoreFile="D:/fsc/Keystore/gltech_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />  


!!!New XML EXCERPT!!!
<!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="443"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoretype="jks"
               keystoreFile="D:/fsc/Keystore/star_domain_org.jks" keystorePass="***"
               URIEncoding="UTF-8"
               compression="on"
               compressionMinSize="2048"
               noCompressionUserAgents="gozilla, traviata"
               compressableMimeType="text/html,text/xml,text/javascript,text/css" />

-Turned Tomcat back on

-Went to site, and still referencing old Cert


Any help you guys can give me would be awesome! Thanks in advance!!!
WindhamSDAsked:
Who is Participating?
 
btanExec ConsultantCommented:
The Alias is more virtual host name that is configured as a separate Host element in server.xml, each with its own set of web applications. From the "how-to", a common use case for this scenario is a corporate web site, where it is desirable that users be able to utilize either www.mycompany.com or company.com to access exactly the same content and applications.

**All of the network names involved must be registered in your DNS server to resolve to the same computer that is running this instance of Catalina.

But reference back to import cert example, normally it also goes in sync when you import keys and state the alias together at the same time. And if multiple .jks are stated probably it is good to state together to avoid vagueness

e.g.

/path/to/keytool -import -alias root -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/root.cer

/path/to/keytool -import -alias tomcat -keystore /path/to/Tomcat/keystore.jks -trustcacerts -file /path/to/cert.cer
0
 
btanExec ConsultantCommented:
Looks fine though, clean up the browser cache and use another browser to see the cert presented, also the past renewal should have restarted the tomcat (net stop and net start) to see if it still prompt. The steps to be not too far off compared to the http://support.godaddy.com/help/article/5355/ssl-certificate-renewal-tomcat-4x5x6x

Can also look into the logs e.g. By default additional webapp log entries are added to CATALINA_HOME/logs/catalina.YYYY-MM-DD.log and System.out/System.err are redirected to CATALINA_HOME/logs/catalina.out.
0
 
WindhamSDAuthor Commented:
Thanks breadtan,

I'll move that file back over and see what happens. Just not too sure if I need to set an alias or not.
0
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

 
WindhamSDAuthor Commented:
Thanks for that info. Learning a ton here. IIS and Apache are so much more user friendly. I wanted to get to this tonight but no luck. I hope I can get to it tomorrow. If not I'll be doing this first thing Monday. Thanks for the help so far!
0
 
WindhamSDAuthor Commented:
So you were completely correct breadtan,

What I entered was correct and it worked, however, I was only accessing the site via it's DNS name and not it's FQDN. When I access it via FQDN everything is all good! So now I'm wondering, from what you were saying about the alias's, if adding that will work. I cannot stop Tomcat right at this time due to heavy traffic on it right now, but wanted to give you the good news. Later on in the day I will try adding the alias and see how it works out.

Again, thanks for the help!
0
 
btanExec ConsultantCommented:
Appreciate your sharing. Well it is already working so let it run but better to do the testing  in staging if available. It should impact the fqdn part as eventually the whatever the web server received it it still needs to translate and mapped back, maybe just to make it an friendly name instead
0
 
WindhamSDAuthor Commented:
Thanks again!
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.