Renewing Tomcat SSL certificates

Following Greg’s advice, as well as the Tomcat docs here are the steps I’ve performed to update the SSL certificates used by two Tomcat instances:

  1. Backup the existing keystore file, just in case..
  2. Generate a new certificate, with new alias
    E:\Tomcat\conf> %java_home%\bin\keytool -genkey -keystore mytomcatserver.keystore -storepass ############ -alias tomcat2013 -keyalg RSA -keysize 2048  -dname "CN=mytomcatserver.uvm.edu, OU=Enterprise Technology Services, O=University of Vermont, L=Burlington, ST=VT, C=US" -validity 730
  3. Create a certificate signing request for that cert
    E:\Tomcat\conf> %java_home%\bin\keytool -certreq -keystore mytomcatserver.keystore -storepass ############ -keyalg RSA -alias tomcat2013 -file mytomcatserver.csr
  4. process the CSR with our CA

Now, there are two options for importing the certificate, and I’m not sure if there are implications for the difference:

  1. Import the rootCA cert first, then the intermediate CA, then the actual server
  2. Import the three certificates together as a chained cert. The order of the certificates in the certificate file appears significant; our signing authority provides the chained cert with the RootCA first, which hides the other certs from the Windows cert viewer, among other things.

To import the chained cert (ordered with the host cert, interm. cert, then rootCA cert):

E:\Tomcat\conf> %java_home%\bin\keytool -import -keystore mytomcatserver.keystore -storepass ############ -alias tomcat2013 -file mytomcatserver_uvm_edu.cer -trustcacerts

Now, we need to update the tomcat server.xml so that the keyalias attribute references our new certificate’s alias. Then, when the tomcat process is cycled, it should use the new cert.

Geoff
Sr. System Administrator at the University of Vermont

1 Comment

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.