How to update a Tomcat keystore with a renewed SSL certificate?

About a year ago I got an SSL certificate from GoDaddy and installed it on a Tomcat server following their instructions. No issues.

The certificate is about to expire so I renewed it. GoDaddy sent me three .cer files. I can't figure out what to do with them.

If I generate a brand new keystore and try to import the files into it like I did the first time, it doesn't work. I assume this is because the new keystore doesn't have my original private key.

If I try to import the new certificates into the old file, it doesn't allow this.

If I take the old keystore and delete some or all of the old certificates and replace them with the new ones, keytool allows this, but the keystore doesn't work when I install it on my server.

I don't know what to do next.

user332000 asked May 20 '14 23:05

2 Answers

I use a graphical tool that makes keystore management very easy. It is called portecle and may be found here. When you receive a new certificate from GoDaddy, just open the keystore in portecle, select your old (about to expire) certificate, right click on it and import the new "CA reply" (i.e., your renewed certificate). Then save the keystore and restart tomcat.

eppesuig answered Oct 24 '22 22:10


I use Let's Encrypt certificates (free, signed). I have created an automated script to update the keystore; you can use it as inspiration or move to LE and use it as it is. More info here: http://blog.ivantichy.cz/blogpost/view/74

#!/bin/bash
#author Ivan Tichy
#Please modify these values according to your environment
certdir=/etc/letsencrypt/live/jira.ivantichy.cz #just replace the domain name after /live/
keytooldir=/opt/atlassian/jira/jre/bin #java keytool located in jre/bin
mydomain=jira.ivantichy.cz #put your domain name here
myemail=you@example.com #your email (placeholder: the original address was stripped by the site)
networkdevice=eth0 #your network device (run ifconfig to get the name)
keystoredir=/home/jira/.keystore #keystore file in the home dir of the user Tomcat runs as - replace jira with that user (see ps -ef if you do not know it)

#the script itself:
cd /var/git/letsencrypt
git pull origin master
#temporarily send port 80 to the standalone ACME responder on 9999 for the http-01 challenge
iptables -I INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
iptables -t nat -I PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999

#--test-cert asks the Let's Encrypt staging CA (its certificates are not browser-trusted); the commented line is the production variant
./letsencrypt-auto certonly --standalone --test-cert -d $mydomain --standalone-supported-challenges http-01 --http-01-port 9999 --renew-by-default --email $myemail --agree-tos
#./letsencrypt-auto certonly --standalone -d $mydomain --standalone-supported-challenges http-01 --http-01-port 9999 --renew-by-default --email $myemail --agree-tos

#remove the temporary firewall rules again
iptables -t nat -D PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999
iptables -D INPUT -p tcp -m tcp --dport 9999 -j ACCEPT

#drop the previous entries first (keytool refuses to overwrite an existing alias); "changeit" is the Tomcat/Java default keystore password
$keytooldir/keytool -delete -alias root -storepass changeit -keystore $keystoredir
$keytooldir/keytool -delete -alias tomcat -storepass changeit -keystore $keystoredir

#bundle the new private key and the full chain into a PKCS12 that keytool can import
openssl pkcs12 -export -in $certdir/fullchain.pem -inkey $certdir/privkey.pem -out $certdir/cert_and_key.p12 -name tomcat -CAfile $certdir/chain.pem -caname root -password pass:aaa

#import the key entry under alias tomcat, then the intermediate CA certificate under alias root
$keytooldir/keytool -importkeystore -srcstorepass aaa -deststorepass changeit -destkeypass changeit -srckeystore $certdir/cert_and_key.p12 -srcstoretype PKCS12 -srcalias tomcat -destalias tomcat -destkeystore $keystoredir
$keytooldir/keytool -import -trustcacerts -alias root -storepass changeit -file $certdir/chain.pem -noprompt -keystore $keystoredir

# restart your Tomcat server - mine is running JIRA
service jira stop
service jira start
Ivan Tichy answered Oct 24 '22 21:10
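The two answers describe the same operation from different sides: the renewed certificate must end up behind the private key that is already in the Tomcat keystore (the GUI "CA reply" route in the first answer, the PKCS12 rebuild in the second). The script below is an added example and is not code from either answer or from the projects they mention. It assumes the existing key lives under alias "tomcat", that openssl and keytool are on the PATH, and hypothetical file names (renewed.cer for the renewed server certificate, intermediate.cer for the CA's intermediate bundle, both PEM). Its first check, comparing the certificate's public key with the private key, is exactly the condition a freshly generated keystore can never satisfy, which is why the asker's first attempt failed.

```shell
#!/bin/sh
# Added example (not code from either answer above): renew the certificate in an
# existing Tomcat keystore while keeping the private key that is already in it.
# File names and the keystore alias are hypothetical: the key is assumed to live
# under alias "tomcat", renewed.cer is the renewed server certificate and
# intermediate.cer the CA's intermediate bundle, both PEM encoded.

# 0 if the certificate's public key equals the private key's public key.
# A renewed certificate that fails this was issued for a different key pair and
# will never work with this keystore's key, whatever keytool says about it.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid for at least $2 more days (a pre-check
# before touching the keystore, and a monitoring probe afterwards).
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Pull the private key out of the existing keystore as an unencrypted PEM file.
# The PEM copy is as sensitive as the keystore itself: it is created with mode
# 600 and should be deleted as soon as the new PKCS12 has been imported.
export_key_from_keystore() {
  ks="$1"; pass="$2"; out="$3"
  keytool -importkeystore -srckeystore "$ks" -srcstorepass "$pass" -srcalias tomcat \
    -destkeystore "$out.p12" -deststoretype PKCS12 -deststorepass "$pass" -noprompt || return 1
  (umask 077 && openssl pkcs12 -in "$out.p12" -passin "pass:$pass" -nocerts -nodes -out "$out")
  rc=$?
  rm -f "$out.p12"
  return $rc
}

# Bundle private key + renewed certificate (+ optional intermediate chain) into
# a PKCS12 under alias "tomcat". Refuses to build a bundle whose key and cert differ.
build_pkcs12() {
  key="$1"; cert="$2"; out="$3"; pass="$4"; chain="$5"
  if ! cert_matches_key "$cert" "$key"; then
    echo "refusing: $cert was not issued for the key in $key" >&2
    return 1
  fi
  if [ -n "$chain" ]; then set -- -certfile "$chain"; else set --; fi
  openssl pkcs12 -export -in "$cert" -inkey "$key" -name tomcat -out "$out" \
    -passout "pass:$pass" "$@"
}

# Swap the PKCS12 into the Tomcat keystore. keytool will not overwrite an alias,
# so the old entry is removed first; a timestamped backup keeps the old key safe.
install_pkcs12() {
  p12="$1"; p12pass="$2"; ks="$3"; kspass="$4"
  cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)" || return 1
  keytool -delete -alias tomcat -keystore "$ks" -storepass "$kspass" 2>/dev/null
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$p12pass" \
    -srcalias tomcat -destkeystore "$ks" -deststorepass "$kspass" -destkeypass "$kspass" -noprompt \
  && keytool -list -keystore "$ks" -storepass "$kspass" -alias tomcat | grep -Eq 'PrivateKeyEntry|keyEntry'
}

# Usage (hypothetical paths):
#   sh renew-tomcat-keystore.sh /home/tomcat/.keystore changeit renewed.cer intermediate.cer
if [ "$#" -eq 4 ]; then
  ks="$1"; pass="$2"; newcert="$3"; chain="$4"
  cert_valid_for_days "$newcert" 30 || { echo "$newcert expires within 30 days" >&2; exit 1; }
  export_key_from_keystore "$ks" "$pass" ./tomcat-key.pem || exit 1
  build_pkcs12 ./tomcat-key.pem "$newcert" ./tomcat.p12 "$pass" "$chain" || exit 1
  install_pkcs12 ./tomcat.p12 "$pass" "$ks" "$pass" || exit 1
  rm -f ./tomcat-key.pem ./tomcat.p12
  echo "keystore updated; restart Tomcat to pick up the new certificate"
fi
```

If you would rather not take the key out of the keystore at all, the first answer's "CA reply" route is the same thing done by keytool alone: import the intermediate bundle with `keytool -importcert -trustcacerts` under its own alias, then import the renewed certificate with `keytool -importcert -alias tomcat` into the alias that holds the private key; keytool treats an import into an existing key entry as a CA reply and rejects it if the certificate does not match that key. Either way, keep the backup until Tomcat has restarted and served the new certificate.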