Tomcat – Proper procedure to replace VeriSign certificates in Tomcat


I have been having some issues at a client site renewing an SSL cert that previously worked fine.

I am familiar with the keytool JDK command line app, and it was how I installed the intermediate CA and SSL cert in the keystore the first time.

Current setup: 1 VeriSign intermediate CA, 1 tomcat SSL cert

End result desired: 2 new VeriSign intermediate CAs (primary/secondary) and Tomcat SSL renewal cert.

As I see it, the following are my options, but I have not been able to get these to work:

  1. Add New CAs additionally, remove original cert, add replacement cert
  2. Add New CAs additionally, add replacement cert additionally
  3. Remove old CA, add new CAs, remove original cert, add replacement cert
  4. Remove old CA, add new CAs, add replacement cert additionally

Am I missing a fifth option? I can't seem to find any more guidance on VeriSign's site, nor can I find a solution to my problem.

To make sure I've got my method right before getting into the technical details, can someone tell me what the best practice is in this case with VeriSign certs on a Tomcat (6.0.x) server?

Thanks in advance for any help you can give!


Sean

Best Answer

Below are the recommended steps for installing VeriSign Intermediate CA certificates and an SSL certificate into a keystore.

Step 1: Install Primary Intermediate CA Certificate

keytool -import -trustcacerts -alias primaryca -keystore (your_keystore_filename) -file primaryca.cer

Step 2: Install Secondary Intermediate CA Certificate

keytool -import -trustcacerts -alias secondaryca -keystore (your_keystore_filename) -file secondaryca.cer

Step 3: Install SSL Certificate

keytool -import -trustcacerts -alias (your_alias_name) -keystore (your_keystore_filename) -file (your_certificate_filename)

This information was obtained from VeriSign's knowledge base solution for Intermediate CAs/SSL certificate installation using Tomcat.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR234
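
A way to check the result of the three steps above, as an added example that is not part of the original answer or VeriSign's instructions: when the signed certificate is imported under the alias that already holds the private key, keytool stores the full chain on that key entry, so `keytool -list -v` should show a `PrivateKeyEntry` whose chain links up through the intermediates. The helper name `check_chain` and the sample listing are constructed for illustration, and the parser assumes keytool's English-locale labels.

```shell
#!/bin/sh
# Added example: check the state the three imports should leave behind.
# Real use (keystore file and alias are placeholders from the steps above):
#   keytool -list -v -keystore your_keystore_filename | check_chain your_alias_name

# check_chain ALIAS: reads `keytool -list -v` output on stdin (hypothetical helper).
check_chain() {
    awk -v want="$1" '
        /^Alias name: /               { cur = substr($0, 13); next }
        cur != want                   { next }
        /^Entry type: /               { type = substr($0, 13) }
        /^Certificate chain length: / { len = $NF + 0 }
        /^Certificate\[[0-9]+\]:/     { n++ }
        /^Owner: /                    { owner[n] = substr($0, 8) }
        /^Issuer: /                   { issuer[n] = substr($0, 9) }
        END {
            if (type == "") { print "FAIL: alias not found"; exit 1 }
            if (type != "PrivateKeyEntry") {
                print "FAIL: " type " (certificate was not attached to the private key)"
                exit 1
            }
            if (len < 2) { print "FAIL: chain length " len " (intermediates not in chain)"; exit 1 }
            # Each certificate must be issued by the next one up the chain.
            for (i = 1; i < len; i++)
                if (issuer[i] != owner[i + 1]) { print "FAIL: chain breaks after certificate " i; exit 1 }
            print "OK: chain length " len
        }'
}

# Constructed sample of `keytool -list -v` output (not from a real keystore).
sample_listing() {
cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.test
Issuer: CN=Constructed Secondary CA
Certificate[2]:
Owner: CN=Constructed Secondary CA
Issuer: CN=Constructed Primary CA
Certificate[3]:
Owner: CN=Constructed Primary CA
Issuer: CN=Constructed Root
EOF
}

sample_listing | check_chain tomcat    # prints "OK: chain length 3"
```

A key entry that still reports chain length 1 alongside a separate `trustedCertEntry` for the server certificate indicates the renewal was imported under a different alias than the private key.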