What to do if SSL cert failed
From UG
Current revision as of 17:04, 25 January 2010
Problem
There is a small chance that the SSL cert fails after a Tomcat restart. See the Catalina logs for the specific message.
Resolution
Confirm that it is an SSL error by checking /opt/tomcat/logs/catalina.out.
You can replace the cert located at /usr/local/jre1.6.0_13/bin/JaGFS125 (or the keystore name you specified) with the backup cert located at /root/JAGFS125.bak. Make sure to rename it back to the keystore name (e.g. JaGFS125).
But if the cert is completely unusable or corrupt, you must contact Thawte tech support; they will need a CSR. The steps below describe how to recreate a new cert from scratch.
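One way to do the log check described above, as an added example that is not part of the original page: a shell function that reports the most recent keystore-related error in catalina.out. The exception strings are standard Java messages; the status words, the 200-line window and the sample log lines in any test are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page.
# Classifies the most recent keystore-related error in catalina.out.
# The status words printed here are labels chosen for this example.

triage_catalina() {
    # $1 log path, $2 keystore path, $3 how many trailing lines to inspect
    local log="${1:-/opt/tomcat/logs/catalina.out}"
    local ks="${2:-/usr/local/jre1.6.0_13/bin/JaGFS125}"
    local window="${3:-200}" verdict="no-keystore-error" line
    [ -r "$log" ] || { echo "log-unreadable"; return 2; }

    # catalina.out grows across restarts, so only the tail is inspected and
    # the last matching line wins.
    tail -n "$window" "$log" | {
        while IFS= read -r line; do
            case "$line" in
                *"UnrecoverableKeyException: Cannot recover key"*)
                    # Key entry password differs from the keystore password.
                    verdict="key-password-differs" ;;
                *"Invalid keystore format"*)
                    # File is not a readable keystore: restore the backup.
                    verdict="keystore-corrupt" ;;
                *"Keystore was tampered with, or password was incorrect"*)
                    verdict="keystore-tampered-or-wrong-password" ;;
                *"FileNotFoundException: $ks"*)
                    verdict="keystore-missing" ;;
            esac
        done
        echo "$verdict"
    }
}
```

Call it as `triage_catalina /opt/tomcat/logs/catalina.out`; an error left over from an earlier start that is still inside the window will be reported, so compare its timestamp with the restart time.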
CONTACT INFO:
Technical support tel: 1-888-484-2983
company site: http://www.thawte
login site: https://ssl-certificate-center.thawte.com/process/retail/console_login?application_locale=THAWTE_US
domain: ct.jaguarfreight.com
username: jaguarfs
password: Jaguar123
jaguar contact: Paul Min
STEP 1:
Using the Java keytool command-line utility located at /usr/local/jre1.6.0_13/bin, first create a keystore and generate the key pair. Do this with the following command:
./keytool -genkey -keysize 2048 -keyalg RSA -alias [enter Alias name] -keystore [enter Keystore Name]
Enter keystore password: Choose a password and enter it when prompted to do so.
What is your first and last name?
[Unknown]: ct.jaguarfreight.com
What is the name of your organizational unit?
[Unknown]: IT Department
What is the name of your organization?
[Unknown]: Jaguar Freight Services
What is the name of your City or Locality?
[Unknown]: Valley Stream
What is the name of your State or Province?
[Unknown]: New York
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=ct.jaguarfreight.com, OU=IT Department, O=Jaguar Freight Services, L=Valley Stream, ST=NY, C=US correct?
[no]: yes
Enter key password for <"alias"> (RETURN if same as keystore password)
NOTE: Please specify the same password for the keystore and the key entry, or else you will receive the following error message when you restart the jakarta engine: "java.security.UnrecoverableKeyException: Cannot recover key"
Note that a keystore has now been created.
Please run the following to make sure you can read the keystore file:
./keytool -list -keystore [keystorename]
The keystore will be stored in your JDK/bin directory. Create a copy of the keystore file and store it on a removable disk for safekeeping in case of a server crash.
STEP 2:
Back up the keystore file: to back up the keystore file with the key entry just created,
1) cp -a [the keystore name used] [keystore name].bak
2) scp -p [keystore name].bak root@dev.jaguarfreight.com:/root
STEP 3:
Generate a CSR from the newly created keystore and key entry:
keytool -certreq -alias [alias name] -keyalg RSA -file certreq.csr -keystore [keystorename]
Enter the keystore password (from Step 1).
The CSR will be saved to your JDK/bin directory. The CSR file should begin with the line "-----BEGIN NEW CERTIFICATE REQUEST-----", followed by the encoded request body, and end with the line "-----END NEW CERTIFICATE REQUEST-----".
STEP 4:
Submit the CSR in our online Certificate enrollment process and fax the necessary documentation to your Thawte Representative.
STEP 5:
When you receive the certificate, save the Thawte-signed certificate in a Notepad file named 'thawtecert.txt'.
Please remember to download the certificate in PKCS#7 format.
STEP 6:
1) ftp the thawtecert.txt file to /usr/local/jre1.6.0_13/bin
2) Import the certificate into the keystore:
keytool -import -alias [alias name] -trustcacerts -file thawtecert.txt -keystore [keystorename]
STEP 7:
Edit the Tomcat configuration file.
Tomcat keeps its configuration information in the server.xml file. Make sure Tomcat is reading the correct keystore file and that port 443 is enabled for secure connections. Check that the keystore location and file name are correct and point to /usr/local/jre1.6.0_13/bin/[keystore name].
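A check to run before restarting Tomcat, as an added example that is not part of the original page: it confirms that server.xml has an active (not commented-out) Connector on port 443, that its keystoreFile exists, and that the keystore, which holds the private key, is not world-readable. The function name and status words are assumptions of this example; keystoreFile is the standard Tomcat connector attribute.

```bash
#!/usr/bin/env bash
# Added example, not part of the original page.
# Pre-restart check of the HTTPS connector in Tomcat's server.xml.
# Prints one status word; returns 0 only when every check passes.

check_tomcat_keystore() {
    local xml="$1" connector ks
    [ -r "$xml" ] || { echo "server.xml-unreadable"; return 2; }

    # Flatten the file, drop <!-- ... --> comments (a stock server.xml ships
    # its SSL connector commented out), then pick the Connector on port 443.
    # The leading whitespace in the pattern avoids matching redirectPort="443".
    connector=$(tr '\n' ' ' < "$xml" \
        | awk 'BEGIN { RS = "-->" } { sub(/<!--.*/, ""); printf "%s ", $0 }' \
        | grep -o '<Connector[^>]*>' \
        | grep '[[:space:]]port="443"' | head -n 1)
    [ -n "$connector" ] || { echo "no-443-connector"; return 1; }

    ks=$(printf '%s\n' "$connector" \
        | sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p')
    [ -n "$ks" ] || { echo "no-keystoreFile"; return 1; }
    [ -s "$ks" ] || { echo "keystore-missing"; return 1; }

    # The keystore holds the private key: flag it if "other" can read it.
    if [ -n "$(find "$ks" -maxdepth 0 -perm -004)" ]; then
        echo "keystore-world-readable"; return 1
    fi
    echo "ok"
}
```

Run it as `check_tomcat_keystore /path/to/server.xml`, then confirm the keystore itself opens with the `keytool -list` command from Step 1.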