allenmorris Absent Member.

updating tomcat keystore on SSPR 3.3

Hello,

I am attempting to renew my Tomcat SSL certs on a SLES 12 server running Micro Focus SSPR 3.3.

Our existing keystore file has a configuration which includes the root certificate, an intermediate certificate and a "key pair" called tomcat. This "key pair" has a hierarchy structure which has all three certificates: the root, the intermediate, and the server URL cert.

https://www.dropbox.com/s/pqn8no447m7iol0/existingCert.JPG?dl=0

I have not been able to recreate this key pair entry in my attempts to renew the keystore file. The best I've been able to accomplish is all three certificates in the keystore, with no "key pair" entry.

https://www.dropbox.com/s/zatsa8shbdt3rya/myAttempts.JPG?dl=0

I have been using OpenSSL, the original CSR file and the files I received from GoDaddy, which are the root, intermediate, and server certificates, but have not found a way to create this key pair.

https://www.dropbox.com/s/f9a21gqmj0uz59e/goDaddyCerts.JPG?dl=0

It seems this "key pair" is necessary, because using the keystore I created from just the three certificates does not work.

Any suggestions would be appreciated.

Many thanks,

Allen
2 Replies
allenmorris Absent Member.

Re: updating tomcat keystore on SSPR 3.3

Thanks everyone for checking out my question.

I've moved on and installed the SSPR 4.3 virtual application.

Now just looking for the process to create a CSR, so I can get third party certificates.

Many thanks!

Allen
Knowledge Partner

Re: updating tomcat keystore on SSPR 3.3

allenmorris;2488307 wrote:
Hello,

I am attempting to renew my Tomcat SSL certs on a SLES 12 server running Micro Focus SSPR 3.3.

Our existing keystore file has a configuration which includes the root certificate, an intermediate certificate and a "key pair" called tomcat. This "key pair" has a hierarchy structure which has all three certificates: the root, the intermediate, and the server URL cert.

https://www.dropbox.com/s/pqn8no447m7iol0/existingCert.JPG?dl=0

I have not been able to recreate this key pair entry in my attempts to renew the keystore file. The best I've been able to accomplish is all three certificates in the keystore, with no "key pair" entry.

https://www.dropbox.com/s/zatsa8shbdt3rya/myAttempts.JPG?dl=0

I have been using OpenSSL, the original CSR file and the files I received from GoDaddy, which are the root, intermediate, and server certificates, but have not found a way to create this key pair.

https://www.dropbox.com/s/f9a21gqmj0uz59e/goDaddyCerts.JPG?dl=0

It seems this "key pair" is necessary, because using the keystore I created from just the three certificates does not work.

Any suggestions would be appreciated.

Many thanks,

Allen


The keypair "tomcat" is the actual certificate, private and public key, if I've understood your question correctly. The rest is the chain of trust back to the root CA that signed it.

Exactly what did you do to create the CSR that GoDaddy signed?

You probably should have done something like:

keytool -genkey -alias newtomcat -keyalg RSA -keystore /path/to/tomcat/conf/keystore

Find the Tomcat keystore in the server.xml file. Or create a new one if you prefer.

then:

keytool -certreq -alias newtomcat -file newtomcat.csr -keystore /path/to/tomcat/conf/keystore

Then you send the CSR off to GoDaddy, and they reply with the signed certificate, their public key (root) and one or more intermediates.

Then you import the results into the tomcat keystore with something like:

keytool -import -alias root -keystore /path/to/tomcat/conf/keystore -trustcacerts -file /path/to/the/root_certificate

keytool -import -alias intermediate -keystore /path/to/tomcat/conf/keystore -trustcacerts -file /path/to/the/intermediate_certificate

keytool -import -alias newtomcat -keystore /path/to/tomcat/conf/keystore -file /path/to/cert_from_godaddy

Then, in server.xml, you tell tomcat what to use by keystore and alias.

That's just SSL configuration for tomcat. You may also need to get this cert into SSPR as well if you're using OSP in front of it, possibly into the JRE cacerts as well.

I've done this, just not recently enough to have it all exactly right. It should be close, though. Make sure you're using the right keytool; there may be more than one on your system.
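The keytool sequence in the reply above, run end to end as an added example (not code from the thread or from Micro Focus). Because a real CA cannot sign anything offline, a throwaway root and intermediate CA built with openssl stand in for GoDaddy; the hostname, passwords and the working directory are constructed placeholders, and the script assumes a JDK keytool and openssl on PATH. The point it demonstrates is the one the reply makes: the signed certificate must be imported under the same alias as the key pair that produced the CSR, which is what turns a plain trusted-cert entry into the "key pair" (PrivateKeyEntry) entry with a three-certificate chain that the original poster's keystore had.

```shell
#!/bin/sh
# Added example: keytool key pair -> CSR -> (stand-in CA signs) -> import chain.
# Assumptions: keytool and openssl on PATH. Every path, name and password below
# is a constructed placeholder, not SSPR's or Tomcat's real keystore location.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEYSTORE="$WORK/keystore"
STOREPASS="changeit"            # constructed; use a real password on a server
ALIAS="newtomcat"               # same alias for the key pair and the CA reply
HOST="sspr.example.test"        # constructed hostname

# Stand-in for GoDaddy: a throwaway root CA and an intermediate it signs.
make_fake_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -sha256 -subj "/CN=Fake Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Fake Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null
}

# Step 1: the key pair. This is the entry the keystore must contain before
# any certificate from the CA can be attached to a private key.
gen_keypair() {
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
    -dname "CN=$HOST, O=Example" -keystore "$KEYSTORE" \
    -storepass "$STOREPASS" -keypass "$STOREPASS"
}

# Step 2: the CSR, generated from that same key pair.
gen_csr() {
  keytool -certreq -alias "$ALIAS" -file "$WORK/$ALIAS.csr" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Stand-in for the CA signing the CSR (this is what GoDaddy sends back).
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" > "$WORK/srv.ext"
  openssl x509 -req -in "$WORK/$ALIAS.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/srv.ext" -out "$WORK/$ALIAS.crt" 2>/dev/null
}

# Step 3: root and intermediate first (trusted entries), then the signed
# certificate under the key-pair alias so keytool replaces the self-signed
# certificate with the full chain instead of adding another trusted entry.
import_chain() {
  keytool -importcert -noprompt -alias root -trustcacerts -file "$WORK/root.crt" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias intermediate -trustcacerts -file "$WORK/int.crt" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
  keytool -importcert -noprompt -alias "$ALIAS" -trustcacerts -file "$WORK/$ALIAS.crt" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS"
}

# Checks: the entry type (PrivateKeyEntry vs trustedCertEntry) and the number
# of certificates in the chain attached to the alias. Correct: PrivateKeyEntry, 3.
entry_type() {
  keytool -list -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -o -e PrivateKeyEntry -e trustedCertEntry | head -n1
}
chain_length() {
  keytool -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | grep -c '^Certificate\['
}

run_all() {
  make_fake_ca; gen_keypair; gen_csr; sign_csr; import_chain
}

if command -v keytool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
  run_all
  echo "$ALIAS: $(entry_type), chain length $(chain_length)"
else
  echo "keytool or openssl not found; nothing run" >&2
fi
```

With a real CA you simply skip the two stand-in functions and paste GoDaddy's files in place of root.crt, int.crt and newtomcat.crt; the diagnostic at the end is the useful part, because `keytool -list -v` showing `trustedCertEntry` for the server alias, or a chain length of 1, is exactly the symptom of importing the server certificate into a keystore that never held its private key. Tomcat's server.xml then points at this store with the Connector's keystoreFile, keystorePass and keyAlias attributes.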