
There are a lot of docs out there about installing a certificate in Tomcat, but are there instructions on how to renew/update a certificate? For instance, when I try to follow the instructions in the Tomcat docs, I get the following:

keytool -import -alias root -keystore keystore.pkcs12 -trustcacerts -file ~/tempCerts/gd_bundle-g2-g1.crt 
Enter keystore password:  
keytool error: java.lang.Exception: Certificate not imported, alias <root> already exists

So do I need to first remove the "root" alias before I can do this, or should I choose other methods for renewing the certificate? Or is there another way to renew/update the certificate?

To repeat, I am NOT talking about the initial installation/importation of the certificate, which is well documented. I am talking about the renewal/update of the certificate.

OS: CentOS Linux release 7.6.1810 (Core)

Tomcat: 8.5.37

Java: OpenJDK Runtime Environment (build 1.8.0_212-b04), OpenJDK 64-Bit Server VM (build 25.212-b04, mixed mode)

Tony B

1 Answer


OK, through much trial and error, this is what I found. References at the end of articles and posts that helped me. This is for GoDaddy, but I suppose something similar would work for other providers.

GoDaddy gave me the following files:

-rw-rw-r--. 1 wmsodbc wmsV9 1728 Jul 14 09:20 gdig2.crt.pem
-rw-rw-r--. 1 wmsodbc wmsV9 4795 Jul 14 09:20 gd_bundle-g2-g1.crt
-rw-rw-r--. 1 wmsodbc wmsV9 2403 Jul 14 09:20 ddd1343aff339165.pem
-rw-rw-r--. 1 wmsodbc wmsV9 2403 Jul 14 09:20 ddd1343aff339165.crt

In looking online, I know that the gdig2 file is the intermediate certificate and the bundle has the root and the intermediate certificates. This post suggested breaking out the root and intermediate certificates, but it was easier to just go to the GoDaddy repository and download the root certificate using curl https://ssl-ccp.godaddy.com/repository/gdroot-g2.crt > gdroot-g2.crt.

Steps:

  1. Make copy of current keystore, called keystore.2020Renewal below
  2. Remove root alias with sudo keytool -storepass <password> -delete -alias root -keystore keystore.2020Renewal
  3. Remove intermed alias with sudo keytool -storepass changeit -delete -alias intermed -keystore keystore.2020Renewal
  4. Import root using sudo keytool -storepass <password> -import -alias root -keystore keystore.2020Renewal -trustcacerts -file ~/tempCerts/gdroot-g2.crt
  5. Import intermediate using sudo keytool -storepass <password> -import -alias intermed -keystore keystore.2020Renewal -trustcacerts -file ~/tempCerts/gdig2.crt.pem
  6. Import main certificate using sudo keytool -import -alias tomcat -keystore keystore.2020Renewal -storepass <password> -file ~/tempCerts/ddd1343aff339165.crt
  7. Change server.xml to use this new keystore
  8. Restart Tomcat to make sure changes take effect

The last time I did this, I think I did something similar. So this should work with at least a few Tomcat-related SSL renewal situations.

Tomcat reference (partially useless since they don't handle "renewal", only initial setup, but decent starting point)

Update 2022: I was able to follow the above steps again, with success. Based on another posting, I did try to keytool -delete -alias tomcat -keystore <keystore copy> (after step 3 above), but the resulting keystore when I imported the root, intermed, and new certificate was smaller, and did not work. Basically, I had two copies of the key store, one where I removed root, intermed, and tomcat, and then imported the new ones in the proper order. The other where I followed the directions above. This second one worked without any problem, the first one kept giving me HTTP 401 errors in the access logs. So, in conclusion, in theory following the above directions will still work, as of 2022.

Tony B
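The steps in the answer, scripted as an added example (this is not the answer's or Tomcat's own code). It works on a copy of the keystore, deletes the trusted-cert aliases root and intermed before re-importing them (which is what avoids the "alias <root> already exists" error from the question), and never deletes the tomcat alias: that entry holds the private key, so a delete followed by a plain import leaves a keystore with no key behind the certificate, which matches the smaller, non-working keystore described in the 2022 update. The renewed server certificate is instead imported on top of the existing key entry as a certificate reply. Assumptions: the GoDaddy file names and alias names from the answer, keytool's real -noprompt and -trustcacerts options, and a KEYTOOL variable (mine, for pointing the functions at a stub during testing).

```shell
#!/bin/sh
# Added example, not from the answer above: renew the GoDaddy chain in a COPY
# of the Tomcat keystore without touching the private key under alias "tomcat".
set -eu

KEYTOOL="${KEYTOOL:-keytool}"   # assumption: overridable so the functions can be driven by a stub

# 0 if alias NAME exists in keystore KS, 1 otherwise.
alias_exists() {
  local ks name pw
  ks=$1; name=$2; pw=$3
  "$KEYTOOL" -list -keystore "$ks" -storepass "$pw" -alias "$name" >/dev/null 2>&1
}

# Replace a trusted certificate entry (root / intermediate): delete it if it is
# already there, then import FILE under the same alias.
replace_trusted_cert() {
  local ks name file pw
  ks=$1; name=$2; file=$3; pw=$4
  if alias_exists "$ks" "$name" "$pw"; then
    "$KEYTOOL" -delete -alias "$name" -keystore "$ks" -storepass "$pw"
  fi
  "$KEYTOOL" -import -noprompt -trustcacerts -alias "$name" \
    -keystore "$ks" -storepass "$pw" -file "$file"
}

# Install the renewed server certificate on the EXISTING key entry. Refuses to
# continue if the alias is not a PrivateKeyEntry, because a plain -import would
# then create a trusted-cert entry with no private key behind it.
install_cert_reply() {
  local ks name file pw
  ks=$1; name=$2; file=$3; pw=$4
  if ! "$KEYTOOL" -list -keystore "$ks" -storepass "$pw" -alias "$name" 2>/dev/null \
       | grep -q PrivateKeyEntry; then
    echo "alias $name is not a private key entry in $ks; aborting" >&2
    return 1
  fi
  "$KEYTOOL" -import -noprompt -alias "$name" -keystore "$ks" -storepass "$pw" -file "$file"
}

# Copy SRC to DST and refresh root, intermediate and server certificate from
# CERTDIR (file names as delivered by GoDaddy in the answer; adjust for other CAs).
renew_chain() {
  local src dst pw certdir
  src=$1; dst=$2; pw=$3; certdir=$4
  cp -p "$src" "$dst"
  replace_trusted_cert "$dst" root     "$certdir/gdroot-g2.crt"        "$pw"
  replace_trusted_cert "$dst" intermed "$certdir/gdig2.crt.pem"        "$pw"
  install_cert_reply   "$dst" tomcat   "$certdir/ddd1343aff339165.crt" "$pw"
  # Check the tomcat entry's dates/fingerprint against the new certificate
  # before pointing server.xml at DST and restarting Tomcat.
  "$KEYTOOL" -list -keystore "$dst" -storepass "$pw"
}

# Run for real when given four arguments: SRC DST STOREPASS CERTDIR, e.g.
#   sh renew.sh keystore.pkcs12 keystore.2020Renewal changeit ~/tempCerts
if [ $# -eq 4 ]; then
  renew_chain "$1" "$2" "$3" "$4"
fi
```

The original keystore is left untouched, so if the listing at the end looks wrong you simply do not switch server.xml over; the 2022 update in the answer is a good argument for keeping that copy-first habit.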