Quote Originally Posted by allenmorris View Post

I am attempting to renew my tomcat SSL certs on a SLes 12 server running for Mirco Focus SSPR 3.3.

Our existing keystone file has the configuration in which includes the root certificate, an intermed certificate and a "key pair" called tomcat. This "key pair" has a Hierarchy structure which has all three certificates the root, the intermed, and the server URL cert.


I have not been able to recreate this key paired entry in my attempts to renew the keystore file. The best I've been able to accomplish all three certificates in the keystore, no "key pair" entry.


I have been using openSSL, the original CSR file and the files I received from Godaddy, which are the root, intermed, and server certificates, but have not found a way to create this key pair.


It seems this "key pair" is necessary, because using the keystore I created from just the three certificates, does not work.

Any suggestions would be appreciated.

Many thanks,

The keypair "tomcat" is the actual certificate, private and public key, if I've understood your question correctly. The rest is the chain of trust back to the root CA that signed it.

Exactly what did you do to create the CSR that GoDaddy signed?

You probably should have done something like:

keytool -genkey -alias newtomcat -keyalg RSA -keystore /path/to/tomcat/conf/keystore
Find the Tomcat keystore in the server.xml file. Or create a new one if you prefer.


keytool -certreq -keyalg RSA -alias newtomcat -file newtomcat.csr -keystore /path/to/tomcat/conf/keystore
Then you send the CSR off to GoDaddy, and they reply with the signed certificate, their public key (root) and one or more intermediates.

Then you import the results in to the tomcat keystore with something like:

keytool -import -alias root -keystore /path/to/tomcat/conf/keystore -trustcacerts -file /path/to/the/root_certificate

keytool -import -alias intermediate -keystore /path/to/tomcat/conf/keystore -trustcacerts -file /path/to/the/intermediate_certificate

keytool -import -alias newtomcat  -keystore /path/to/tomcat/conf/keystore -file /path/to/cert_from_godaddy
Then, in server.xml, you tell tomcat what to use by keystore and alias.

That's just SSL configuration for tomcat. You may also need to get this cert in to SSPR as well if you're using OSP in front of it, possibly in to the JRE cacerts as well.

I've done this, just not recently enough to have it all exactly right. It should be close, though. Make sure you're using the right keytool, there may be more than one on your system.