What to do if SSL cert failed
From UG
Revision as of 16:38, 25 January 2010
Problem
There is a small chance that after a Tomcat restart the SSL cert fails. See the Catalina logs for the specific message.
Resolution
If the cert is completely unusable or corrupt you must contact Thawte tech support; they will need a CSR (certificate signing request). The steps below describe how to recreate a new cert from scratch.
STEP 1:
Using the Java keytool command line utility located at /usr/local/jre1.6.0_13/bin, the first thing you need to do is create a keystore and generate the key pair. Do this with the following command:
./keytool -genkey -keysize 2048 -keyalg RSA -alias [enter Alias name] -keystore [enter Keystore Name]
Enter keystore password: Choose a password and enter it when prompted to do so.
What is your first and last name?
[Unknown]: ct.jaguarfreight.com
What is the name of your organizational unit?
[Unknown]: IT Department
What is the name of your organization?
[Unknown]: Jaguar Freight Services
What is the name of your City or Locality?
[Unknown]: Valley Stream
What is the name of your State or Province?
[Unknown]: New York
What is the two-letter country code for this unit?
[Unknown]: US
Is CN=ct.jaguarfreight.com, OU=IT Department, O=Jaguar Freight Services, L=Valley Stream, ST=NY, C=US correct?
[no]: yes
Enter key password for <"alias"> (RETURN if same as keystore password)
NOTE: Specify the same password for the keystore and the key entry, or else you will receive the following error message when you restart the Jakarta engine: "java.security.UnrecoverableKeyException: Cannot recover key"
Note that a keystore has now been created.
Run ./keytool -list -keystore [keystorename] to make sure you can read the keystore file.
The keystore will be stored in your JDK/bin directory. Create a copy of the keystore file and store it on a removable disk for safe keeping in case of a server crash.
STEP 2:
Back up the keystore file: to back up the keystore file with the key entry just created,
1) cp -a [the keystore name used] [keystore name].bak
2) scp -p [keystore name].bak root@dev.jaguarfreight.com:/root
STEP 3:
Generate a CSR from the newly created keystore and key entry: keytool -certreq -alias [alias name] -keyalg RSA -file certreq.csr -keystore [keystorename]
Enter the keystore password (from Step 1).
The CSR will be saved to your JDK/bin directory. The .csr file should contain the following text:
"-----BEGIN NEW CERTIFICATE REQUEST-----"
followed by the encoded request body and
"-----END NEW CERTIFICATE REQUEST-----"
STEP 4:
Submit the CSR in our online certificate enrollment process and fax the necessary documentation to your Thawte representative.
STEP 5:
When you receive the certificate, save the Thawte-signed certificate in a text file named thawtecert.txt.
Remember to download the certificate in PKCS#7 format.
STEP 6:
1) FTP the thawtecert.txt file to /usr/local/jre1.6.0_13/bin
2) Import the certificate into the keystore: keytool -import -alias [alias name] -trustcacerts -file thawtecert.txt -keystore [keystorename]
Use the same alias as the key entry from Step 1; otherwise keytool stores the reply as a separate trusted certificate instead of attaching it to your private key.
STEP 7:
Edit the Tomcat configuration file.
Tomcat keeps its configuration information in the server.xml file. Make sure Tomcat is reading the correct keystore file and that port 443 is enabled for secure connections. Check that the keystore location and file name are correct and point to /usr/local/jre1.6.0_13/bin/[keystore name].
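As an added example (not code from the original wiki page), the following POSIX shell script runs the keytool parts of Steps 1 through 7 above non-interactively and adds the check a practitioner would want after each one: that the new keystore can be listed, that the CSR file carries both PEM markers with a body between them, that the CA reply was attached to the key entry as a certificate chain (keytool -list -v reports a chain length of 2 or more), and finally it prints the Tomcat 6 HTTPS Connector for server.xml. The keytool path, server.xml keystore location, reply file name, CSR file name and distinguished name are taken from the page; the keystore file name ct.jaguarfreight.com.jks, the alias tomcat, the script name recreate-cert.sh and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: the keytool steps of the
# procedure above run non-interactively, with a check after each one.
# The keytool path and server.xml keystore location come from the page; the
# keystore file name, alias, validity and script name are assumptions.
set -eu

KEYTOOL="${KEYTOOL:-/usr/local/jre1.6.0_13/bin/keytool}"
KEYSTORE_PATH="${KEYSTORE_PATH:-/usr/local/jre1.6.0_13/bin/ct.jaguarfreight.com.jks}"  # assumed name
ALIAS="${ALIAS:-tomcat}"                                                              # assumed alias
DNAME="CN=ct.jaguarfreight.com, OU=IT Department, O=Jaguar Freight Services, L=Valley Stream, ST=New York, C=US"
CSR_FILE="certreq.csr"        # name used in Step 3
REPLY_FILE="thawtecert.txt"   # CA reply saved in PKCS#7 format, as in Steps 5 and 6

# Step 1: keystore plus 2048-bit RSA key pair. The same password is passed as
# -storepass and -keypass on purpose: a key password that differs from the
# keystore password is what produces "UnrecoverableKeyException: Cannot
# recover key" when Tomcat starts.
generate_keypair() {
    "$KEYTOOL" -genkey -keyalg RSA -keysize 2048 -validity 365 \
        -alias "$ALIAS" -dname "$DNAME" \
        -keystore "$KEYSTORE_PATH" -storepass "$1" -keypass "$1"
    chmod 600 "$KEYSTORE_PATH"   # the private key lives here; keep it owner-only
    # the page's readability check: fail early if the store cannot be listed
    "$KEYTOOL" -list -keystore "$KEYSTORE_PATH" -storepass "$1" -alias "$ALIAS" >/dev/null
}

# Step 2: backup. cp -a keeps mode and timestamps; scp -p does the same remotely.
backup_keystore() {
    cp -a "$KEYSTORE_PATH" "$KEYSTORE_PATH.bak"
    scp -p "$KEYSTORE_PATH.bak" root@dev.jaguarfreight.com:/root/
}

# Step 3: CSR, then confirm the file looks like the one the page describes.
generate_csr() {
    "$KEYTOOL" -certreq -alias "$ALIAS" -keyalg RSA -file "$CSR_FILE" \
        -keystore "$KEYSTORE_PATH" -storepass "$1"
    check_csr_file "$CSR_FILE"
}

# A CSR file must carry both PEM markers and a non-empty body between them.
check_csr_file() {
    grep -q -- '-----BEGIN NEW CERTIFICATE REQUEST-----' "$1" || return 1
    grep -q -- '-----END NEW CERTIFICATE REQUEST-----' "$1" || return 1
    body=$(grep -v -- '-----' "$1" | tr -d '[:space:]')
    [ -n "$body" ]
}

# Step 6: import the CA reply under the SAME alias as the key entry so keytool
# installs it as that entry's certificate chain; -trustcacerts lets the root
# in the JRE cacerts file complete the chain.
import_reply() {
    "$KEYTOOL" -import -trustcacerts -noprompt -alias "$ALIAS" -file "$REPLY_FILE" \
        -keystore "$KEYSTORE_PATH" -storepass "$1"
    len=$("$KEYTOOL" -list -v -keystore "$KEYSTORE_PATH" -storepass "$1" -alias "$ALIAS" \
          | chain_length_from_listing)
    [ "$len" -ge 2 ] || { echo "chain length $len: reply was not attached to $ALIAS" >&2; return 1; }
}

# Reads keytool -list -v output on stdin and prints the "Certificate chain
# length: N" value (1 means only the self-signed cert from Step 1 is present),
# or 0 when the line is missing, as for a bare trusted-cert entry.
chain_length_from_listing() {
    n=$(sed -n 's/^Certificate chain length: *\([0-9][0-9]*\).*/\1/p' | head -n 1)
    echo "${n:-0}"
}

# Step 7: the Tomcat 6 HTTPS connector for server.xml, pointing at this keystore
# on port 443. keystorePass is stored in clear text, so server.xml needs the
# same owner-only permissions as the keystore.
render_connector() {
    cat <<EOF
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="$KEYSTORE_PATH" keystorePass="$1" keyAlias="$ALIAS" />
EOF
}

# Entry point, guarded so that sourcing this file only defines the functions:
#   RUN_CERT_STEPS=1 sh recreate-cert.sh request <password>   (Steps 1-3)
#   RUN_CERT_STEPS=1 sh recreate-cert.sh import  <password>   (Steps 6-7)
if [ "${RUN_CERT_STEPS:-0}" = "1" ]; then
    case "${1:-}" in
        request) generate_keypair "${2:-}"; backup_keystore; generate_csr "${2:-}" ;;
        import)  import_reply "${2:-}"; render_connector "${2:-}" ;;
        *) echo "usage: RUN_CERT_STEPS=1 $0 {request|import} <keystore password>" >&2; exit 2 ;;
    esac
fi
```

Run the request half, submit certreq.csr to Thawte (Step 4), save the PKCS#7 reply as thawtecert.txt next to the keystore (Step 5), then run the import half and paste the printed Connector into server.xml. The chain-length check is the one that catches the Step 6 mistake the page warns about: a reply imported under a different alias leaves the key entry at chain length 1 and Tomcat would keep serving the self-signed certificate.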