0

I have a working Tomcat application on Centos which uses an SSL certificate which is due to expire soon.

I have created a CSR using keytool:

keytool -certreq -keyalg RSA -alias my_alias -keystore keystore.jks -file nov19.csr

Then pasted the CSR to Gandi to get a fresh SSL certificate.

However Gandi now insists that I provide a fresh (i.e. different to the last renewal) CSR.

So I understand this means I have to generate a new private/public key pair - is this correct?

How do I do this without interrupting access to the application?

Marco
  • 1,709
  • 3
  • 17
  • 31
TonyV
  • 3
  • 1

2 Answers

0

Yes, you need to generate a new keypair.

In order to cause minimal service interruption, put the keypair into a new keystore, taking care to use the same alias as before. When you have your new certificate, just switch the keystore files on disk.

Tomcat will not reload the file right away. In order to trigger a reload, you need to access the Tomcat instance via JMX. If you can access the server with ssh and X forwarding, just run:

jconsole

with the credentials of the Tomcat user. You need to find on the MBeans tab a bean called something like Catalina:type=ThreadPool,name="jsse-nio-443" and execute the operation reloadSslHostConfigs.

If you can't use jconsole, there are other ways to access JMX (there is also a JMXProxy servlet in Tomcat Manager).

Piotr P. Karwasz
  • 5,748
  • 2
  • 11
  • 21
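The procedure in this answer carried through as a script, added here as an example rather than code from the answer, the question, or Tomcat itself. It assumes a live keystore at /etc/tomcat/keystore.jks, a ThreadPool MBean named "https-jsse-nio-443", and Tomcat Manager's JMXProxy servlet reachable on localhost:8080 by a user with the manager-jmx role; the alias comes from the question and the CN is a placeholder.

```shell
#!/bin/sh
# Added example, not from the question or answers. Assumed (not on the page):
# keystore path, connector MBean name, and Manager JMXProxy on localhost:8080.
set -eu

ALIAS="${ALIAS:-my_alias}"                       # alias from the question
KEYSTORE="${KEYSTORE:-/etc/tomcat/keystore.jks}"
NEW_KEYSTORE="$KEYSTORE.new"
MBEAN='Catalina:type=ThreadPool,name="https-jsse-nio-443"'

# 1. Fresh private key plus CSR in a separate keystore, under the SAME alias,
#    so the connector's configured key alias does not have to change.
gen_csr() {
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias "$ALIAS" \
    -keystore "$NEW_KEYSTORE" -dname "CN=www.example.com"   # placeholder CN
  keytool -certreq -alias "$ALIAS" -keystore "$NEW_KEYSTORE" -file renewal.csr
}

# 2. When the CA answers: intermediates first, then the leaf under the key
#    alias so keytool attaches it to the private key instead of adding trust.
import_chain() {   # $1 = CA chain file, $2 = leaf certificate file
  keytool -importcert -trustcacerts -noprompt -alias ca-chain \
    -file "$1" -keystore "$NEW_KEYSTORE"
  keytool -importcert -alias "$ALIAS" -file "$2" -keystore "$NEW_KEYSTORE"
}

# 3. Swap on disk. rename(2) is atomic on one filesystem, so Tomcat can never
#    read a half-written keystore; the .bak copy gives an instant rollback.
swap_keystore() {   # $1 = live keystore, $2 = new keystore
  cp -p "$1" "$1.bak"
  mv -f "$2" "$1"
}

# 4. Tomcat serves the old certificate from memory until reloadSslHostConfigs
#    runs. JMXProxy takes the ObjectName URL-encoded in the query string.
jmx_reload_url() {
  enc=$(printf '%s' "$MBEAN" | sed 's/:/%3A/g; s/=/%3D/g; s/,/%2C/g; s/"/%22/g')
  printf 'http://localhost:8080/manager/jmxproxy/?invoke=%s&op=reloadSslHostConfigs' "$enc"
}
reload_tls() {   # $1 = Manager user with the manager-jmx role (curl prompts for the password)
  curl -fsS -u "$1" "$(jmx_reload_url)"
}

case "${1:-}" in
  csr)    gen_csr ;;
  import) import_chain "$2" "$3" ;;
  swap)   swap_keystore "$KEYSTORE" "$NEW_KEYSTORE" ;;
  reload) reload_tls "$2" ;;
esac
```

JMXProxy exposes every MBean to anyone holding manager-jmx, so keep the Manager application bound to localhost (or restricted with a RemoteAddrValve) rather than reachable from the network.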
-1

The old certificate will keep working until it expires. Your new certificate will have some overlap in validity from the time you have it generated until the old certificate expires (if you create it in good time).

Effectively you will want to make the web application use the new certificate instead of the old one at a given point in time - preferably during a period with less traffic.

I'm not an expert in Tomcat and Java key stores, but I suspect you could make the web app look for a certificate with a different alias in the same key store; replace the alias pointing at the old certificate with one pointing at the new certificate in the key store; or replace the entire key store with a new one. It's likely you'll need to reload or restart the web app after making this change.

Mikael H
  • 5,031
  • 2
  • 9
  • 18