Tuesday, January 02, 2007

Renewing SSL Certificates on Tomcat

So I had to renew a couple of SSL certificates that are used by sites running standalone Tomcat. Here is what I had to do:

  1. Generate a new CSR. This is easier than when first starting out, since you've already created your keypair from the last time you bought your certificate:
    keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore .keystore
  2. Now open certreq.csr in a text editor and copy and paste the contents into your SSL issuer's website form to finish the process of getting your new certificate.
  3. Now you should get an email to verify that you are the one who submitted the request, with a link to approve it. This email will go to the email address on the WHOIS record for your domain name, to verify that you own the domain.
  4. After you approve the SSL request, you can download your new certificate along with the issuer's intermediate certificate.
  5. You must first install the issuer's intermediate certificate:
    keytool -import -alias intermed -keystore .keystore -trustcacerts -file sf_issuing.crt
  6. Then import your fresh new certificate:
    keytool -import -alias tomcat -keystore .keystore -trustcacerts -file ariel1.spaceprogram.com.crt
  7. And finally, restart Tomcat and double check by surfing to your page and checking out your certificate by clicking on the padlock icon on your web browser. Make sure the expiry date is correct.

That's about it. Nice and easy.
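
Before the import in step 6, it is worth confirming that the downloaded certificate was issued for the key behind certreq.csr and that its expiry is where you expect. The script below is an added example, not part of the original post; it assumes the openssl command-line tool and PEM-encoded files, and the function names and sample file names are made up for illustration.

```shell
#!/bin/sh
# Pre-import checks for a renewed certificate (added example, not from the post).
# Assumes the openssl CLI and PEM-encoded input files.

# Print the SHA-256 of the public key in a CSR ($1=req) or certificate ($1=x509).
pubkey_hash() {
    key=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key" ] || return 1   # an unreadable file must never hash as "empty"
    printf '%s\n' "$key" | openssl sha256 | awk '{print $NF}'
}

# Succeed only if the certificate carries the same public key as the CSR.
cert_matches_csr() {
    csr_hash=$(pubkey_hash req "$1") || return 1
    crt_hash=$(pubkey_hash x509 "$2") || return 1
    [ "$csr_hash" = "$crt_hash" ]
}

# Succeed only if the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Constructed sample data: throwaway keys, a CSR, and self-signed certificates
# standing in for the issuer's reply (matching, wrong key, and short-lived).
make_samples() {
    d=$1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/a.key" -out "$d/certreq.csr" \
        -subj "/CN=example.test" 2>/dev/null
    openssl x509 -req -in "$d/certreq.csr" -signkey "$d/a.key" -days 365 -out "$d/new.crt" 2>/dev/null
    openssl x509 -req -in "$d/certreq.csr" -signkey "$d/a.key" -days 1 -out "$d/short.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/b.key" -days 365 \
        -subj "/CN=example.test" -out "$d/other.crt" 2>/dev/null
}

# Command-line use: <script> certreq.csr new-certificate.crt
if [ "$#" -eq 2 ]; then
    if cert_matches_csr "$1" "$2" && cert_valid_for_days "$2" 30; then
        echo "OK: certificate matches the CSR key and is valid for 30+ days"
    else
        echo "FAIL: do not import $2" >&2
        exit 1
    fi
fi
```

Run it with the CSR from step 1 and the certificate downloaded in step 4 as its two arguments. A mismatch means the certificate was issued for a different keypair than the one stored under the tomcat alias.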