What to do if SSL cert failed

From UG

Revision as of 16:53, 25 January 2010

Problem

There is a small chance that after Tomcat re-start SSL cert fails. See Catalina logs for specific message.

Resolution

You can replace cert located at /usr/local/jre1.6.0_13/bin/JaGFS125 (or keystore name you specified ) with backup cert located at /root/JAGFS125.bak Make sure to rename back to the keystore name(eg. JaGFS125).

But If the cert is completely unusable or corrupt you must contact thwate tech support, they will need a CSR cert. The below is the steps on how to recreate a new cert from scratch.

STEP 1:

Using the java keytool command line utility located at /usr/local/jre1.6.0_13/bin, the first thing you need to do is create a keystore and generate the key pair. Do this with the following command:

./keytool -genkey -keysize 2048 -keyalg RSA -alias [enter Alias name] -keystore [enter Keystore Name]

Enter keystore password: Choose a password and enter it when prompted to do so.

What is your first and last name?

 [Unknown]:  ct.jaguarfreight.com 

What is the name of your organizational unit?

 [Unknown]:  IT Department  

What is the name of your organization?

 [Unknown]:  Jaguar Freight Services  

What is the name of your City or Locality?

 [Unknown]:  Valley Stream

What is the name of your State or Province?

 [Unknown]:  New York

What is the two-letter country code for this unit?

 [Unknown]:  US

Is CN=ct.jaguarfreight.com, OU=IT Department, O=Jaguar Freight Services, L=Valley Stream, ST=NY, C=US correct?

 [no]:  yes 

Enter key password for <"alias"> (RETURN if same as keystore password)

NOTE: Please specify the same password for the keystore and the keyentry or else you will receive the following error message when you restart the jakarta engine: "java.security.UnrecoverableKeyException: Cannot recover key"

Note, that a keystore was created.

Please run: ./keytool -list -keystore [keystorename] to make sure you can read the keystore file.

The keystore will be stored in your JDK/bin directory. Create a copy of the keystore file and store it on a removable disk for safe keeping in case of a server crash.

STEP 2:

Backup Keystore file: To backup the keystore file with the keyentry just created,

1) cp -a [the keystore name used] [keystore name].bak

2) scp -a [keystore name].bak root@dev.jaguarfreight.com:/root

STEP 3:

Generate a CSR off the newly create keystore and keyentry: keytool -certreq -alias [alias name] -keyalg RSA -file certreq.csr -keystore [keystorename]

Enter keystore password (from Step 1).

The CSR will be saved to your JDK/bin directory: csr file should contain the following text "-----BEGIN NEW CERTIFICATE REQUEST-----"

and encrypted message

"-----END NEW CERTIFICATE REQUEST----- "

STEP 4:

Submit the CSR in our online Certificate enrollment process and fax the necessary documentation to your Thawte Representative.

STEP 5:

When you receive the certificate save the thawte signed Certificate in a notepad file named 'thawtcert'.

Please remember to download the Certificate in PKCS#7 format

STEP 6:

1) ftp the twatcert.txt file to /usr/local/jre1.6.0_13/bin
2) Import the Certificate into the keystore:   keytool -import -alias  [alias name] -trustcacerts -file thawtecert.txt  -keystore [keystorename]
 

STEP 7:

Edit the Tomcat Configuration file.

Tomcat keeps its configuration information in the server.xml file. Make sure Tomcat is reading the correct keystore file and that port 443 is enabled for secure connections. please check the keystore location and file name is correct and pointing to /usr/local/jre1.6.0_13/bin/[keystore name]