About a year ago I got an SSL certificate from GoDaddy and installed it on a Tomcat server following their instructions. No issues.

The certificate is about to expire so I renewed it. GoDaddy sent me three .cer files. I can't figure out what to do with them.

If I generate a brand new keystore and try to import the files into it like I did the first time, it doesn't work. I assume this is because the new keystore doesn't have my original private key.

If I try to import the new certificates into the old file, it doesn't allow this.

If I take the old keystore and delete some or all of the old certificates and replace them with the new ones, keytool allows this, but the keystore doesn't work when I install it on my server.

I don't know what to do next.

user332000
  • Did you renew it with new keys (did you send a new CSR), or did they just re-issue a new certificate with new dates using the same public key? – Bruno May 21 '14 at 01:20
  • Initially I told it to re-issue using the original key. Later I found an option to re-key with a new CSR. After doing that, I could get it working again. I guess this is OK, just have to remember to do it next year. – user332000 May 21 '14 at 23:51

2 Answers

I use a graphical tool that makes keystore management very easy. It is called portecle and may be found here. When you receive a new certificate from GoDaddy, just open the keystore in portecle, select your old (about to expire) certificate, right click on it and import the new "CA reply" (i.e., your renewed certificate). Then save the keystore and restart Tomcat.

eppesuig
    Thanks. The tool, Portecle, is very easy to use and was of great help :) – Eric Mar 03 '15 at 15:06
  • Thanks mate. This saved me a day. Great tool :) – Mohammed shebin Nov 01 '16 at 16:27
  • @munyul The new version 1.9 isn't working for me. Getting "Could not establish trust for the CA reply" error when I import the CA reply – Mohammed shebin Apr 06 '17 at 07:22
  • @Mohammedshebin this is because the CA certificate isn't already in the keystore, or it is not trusted as a CA. – eppesuig Apr 06 '17 at 07:41
  • @eppesuig My certificate expired yesterday. Last year, it worked following your steps. What I did now is import that keystore, which is valid. Should I generate a new CSR and send it to GoDaddy while renewing the certificate? – Mohammed shebin Apr 06 '17 at 08:41
  • @Mohammedshebin you may use the same old CSR for asking for a new certificate. But your error message seems more like: the certificates are emitted by a CA that is not trusted in this keystore. – eppesuig Apr 06 '17 at 10:37
  • @eppesuig How can I fix this? – Mohammed shebin Apr 06 '17 at 13:56
  • @eppesuig What should I do here? It will be really helpful for me – Mohammed shebin Apr 07 '17 at 05:59
  • @eppesuig Worked using the following command: keytool -keystore -import -alias tomcat -file -trustcacerts – Mohammed shebin Apr 07 '17 at 10:18
  • This tool is great for updating a renewed certificate too, but I had trouble knowing what to update. Finally I tried this solution and it worked - do not forget to save the keystore file after processing: go to your certificate (like "tomcat"), right click and with "Import CA Reply" you can choose the .crt file (like "11f9f7b51de0fb85.crt") and the certificate has been updated. – Alex Graschitz Jan 22 '20 at 13:52
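A check for the situation in the question and in the comments above, added here as an example that is not part of any answer on this page: before importing the renewed certificate as a CA reply, compare the public key in the new .cer file with the key already held under the Tomcat alias (a re-keyed renewal from a new CSR will not match), and import the chain first, since otherwise keytool reports the "Could not establish trust for the CA reply" error quoted above. It assumes openssl and keytool on PATH; the keystore path, alias and password arguments are placeholders.

```shell
#!/bin/bash
# Added example, not from the original answers. Checks that a renewed
# certificate matches the private key already stored under a keystore alias,
# then imports the chain and the leaf as a "CA reply" for that alias.
# Assumes openssl and keytool on PATH; all paths/aliases are placeholders.
set -u

# SHA-256 of the DER-encoded public key read from stdin (PEM public key).
pubkey_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Fingerprint of the public key in an X.509 certificate (PEM or DER .cer).
cert_pubkey_fp() {
  local inform=PEM
  grep -q 'BEGIN CERTIFICATE' "$1" || inform=DER
  openssl x509 -inform "$inform" -in "$1" -noout -pubkey | pubkey_fp
}

# Fingerprint of the public key belonging to a PEM private key.
key_pubkey_fp() { openssl pkey -in "$1" -pubout | pubkey_fp; }

# Fingerprint of the public key held under alias $2 in keystore $1 (password $3).
keystore_pubkey_fp() {
  keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" \
    | openssl x509 -noout -pubkey | pubkey_fp
}

# Returns 0 if certificate $1 was issued for the key under alias $3 of keystore $2.
cert_matches_keystore() {
  [ "$(cert_pubkey_fp "$1")" = "$(keystore_pubkey_fp "$2" "$3" "$4")" ]
}

# import_renewal KEYSTORE ALIAS STOREPASS LEAF [INTERMEDIATE...] [ROOT]
# Trust anchors go in first; importing the leaf into the key alias replaces
# the old certificate but keeps the private key, so no new keystore is needed.
import_renewal() {
  local ks=$1 alias=$2 pw=$3 leaf=$4 n=0 ca
  shift 4
  if ! cert_matches_keystore "$leaf" "$ks" "$alias" "$pw"; then
    echo "$leaf does not match the key under alias '$alias' (re-keyed renewal?)" >&2
    return 1
  fi
  for ca in "$@"; do
    n=$((n + 1))
    keytool -delete -keystore "$ks" -storepass "$pw" -alias "chain$n" >/dev/null 2>&1 || true
    keytool -importcert -trustcacerts -noprompt -keystore "$ks" -storepass "$pw" \
      -alias "chain$n" -file "$ca" || return 1
  done
  keytool -importcert -trustcacerts -noprompt -keystore "$ks" -storepass "$pw" \
    -alias "$alias" -file "$leaf"
}
```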
I use Let's Encrypt certificates (free, signed). I have created an automated script to update the keystore; you can use it as inspiration or move to LE and use it as it is. More info here: http://blog.ivantichy.cz/blogpost/view/74

#!/bin/bash
#author Ivan Tichy
#Please modify these values according to your environment
certdir=/etc/letsencrypt/live/jira.ivantichy.cz/ #just replace the domain name after /live/
keytooldir=/opt/atlassian/jira/jre/bin/ #java keytool located in jre/bin
mydomain=jira.ivantichy.cz #put your domain name here
myemail=xxxxxxx@gmail.com #your email
networkdevice=eth0 #your network device (run ifconfig to get the name)
keystoredir=/home/jira/.keystore #the keystore file in the home dir of the user your Tomcat is running under - just replace jira with the user you use for Tomcat, see ps -ef to get the user name if you do not know

#the script itself:
cd /var/git/letsencrypt
git pull origin master
#temporarily redirect port 80 to the standalone challenge listener on port 9999
iptables -I INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
iptables -t nat -I PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999

#--test-cert requests from the Let's Encrypt staging CA (not trusted by browsers); use the commented line below for a production certificate
./letsencrypt-auto certonly --standalone --test-cert -d $mydomain --standalone-supported-challenges http-01 --http-01-port 9999 --renew-by-default --email $myemail --agree-tos
#./letsencrypt-auto certonly --standalone -d $mydomain --standalone-supported-challenges http-01 --http-01-port 9999 --renew-by-default --email $myemail --agree-tos

#remove the redirect again
iptables -t nat -D PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999
iptables -D INPUT -p tcp -m tcp --dport 9999 -j ACCEPT

#drop the previous key entry and root CA entry from the keystore (these fail harmlessly on the first run)
$keytooldir/keytool -delete -alias root -storepass changeit -keystore $keystoredir
$keytooldir/keytool -delete -alias tomcat -storepass changeit -keystore $keystoredir

#bundle the new private key and full chain into a PKCS12 file; keytool can only import a private key from another keystore, not from a PEM file
#note: the pass:aaa password is visible in the process list while openssl runs; it only protects the temporary .p12 file
openssl pkcs12 -export -in $certdir/fullchain.pem -inkey $certdir/privkey.pem -out $certdir/cert_and_key.p12 -name tomcat -CAfile $certdir/chain.pem -caname root -password pass:aaa

#import the key entry into the Tomcat keystore, then the chain as a trusted root
$keytooldir/keytool -importkeystore -srcstorepass aaa -deststorepass changeit -destkeypass changeit -srckeystore $certdir/cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore $keystoredir
$keytooldir/keytool -import -trustcacerts -alias root -deststorepass changeit -file $certdir/chain.pem -noprompt -keystore $keystoredir

# restart your Tomcat server – mine is running JIRA
service jira stop
service jira start
Ivan Tichy