Ssl – Issue replacing SSL certificate with renewed one on Tomcat 6.0 (using keytool)

renewsslssl-certificatetomcattomcat6

I have SSL up and running and in use with a Tomcat 6.0 webapp. Recently, the SSL cert (A VeriSign cert) expired , I exported a Certificate Sign Request (CSR) went through the process, and received a certificate file with the correct information. The key algorithm is RSA.

The problem occurs when I attempt to import the new cert over the old cert. The following is the output from what happens running keytool

D:\keystore>keytool -import -alias tomcat -keyalg RSA -keystore .keystore -trustcacerts -file D:\keystore\Certificates\tomcat_dev.cer

Enter keystore password:

keytool error: java.lang.Exception: Failed to establish chain from reply

FYI, password is being left as the default "changeit" (it's just a test dev server).

I'm sure the error is on my part, but I'm not sure how to remedy. Do I need to replace the intermediate CA as well?

A little out of leads here and would appreciate any and all advice. Thanks in advance!

Best Answer

Yes, you'll have to include/replace the Intermediate as well, and do so before importing the new certificate. Most SSL vendors are chaining through intermediates these days, which adds steps.

Related Solutions

Ssl – How to update SSL certificate with Tomcat 5.5

The fact that it's registering as a TrustedCert would seem to indicate that there's no key for tomcat3. It's likely that the new certificate was requested for the existing key tomcat2. Keys themselves don't expire, just the certificates.

You can request a new certificate at any time either by generating a new cert signing request or by reusing the original one either of which is fine. Take a backup copy of your keystore and then import the certificate for the tomcat2 alias.

%JAVA_HOME%\bin\keytool -import -keystore companyname.keystore -alias tomcat2 -file 2009cert.cer

After that, you'll also want to point your tomcat instance back at tomcat2.

Tomcat – Exporting Private Key

Believe it or not, this functionality is not supported in keytool. The best solution I have found so far is the software and instructions available for download on this Web site.

I usually generate the key using openssl and then use this method to import the key, as that is not supported by keytool either.

To generate a 2048 bit key:

openssl genrsa -out host.domain.com.key 2048

To create a keystore from this key:

KEY=host.domain.com
openssl pkcs8 -topk8 -nocrypt -in $KEY.key -inform PEM -out key.der -outform DER
openssl x509 -in $KEY.crt -inform PEM -out cert.der -outform DER
wget http://www.agentbob.info/agentbob/81/version/default/part/AttachmentData/data/ImportKey.class
java ImportKey key.der cert.der

Best Answer

Related Solutions

Ssl – How to update SSL certificate with Tomcat 5.5

Tomcat – Exporting Private Key

Related Topic