
If your private key has not been compromised (leaked, or present on a system that was breached) and is still considered strong enough (in 2021, for RSA keys, that means a key size of at least 2048 bits), you can generate a new CSR from the existing private key and keep using the existing PKCS#12 keystore passphrase. Otherwise ignore the instructions below and follow the instructions for initial key generation instead.

  1. Grab/copy the passphrase (keystorePass for the Connector element with port="443") for the existing PKCS#12 keystore from the Tomcat configuration file, /etc/tomcat9/server.xml
    Use this passphrase in all the steps below when asked for a key passphrase or import/export password. There's no reason to protect the same private key with multiple different passphrases on the same system.
  2. Extract the private key from the keystore file. The key file must never be readable by anyone but root, so set the umask before openssl creates it:

    (umask 077; openssl pkcs12 -in /etc/tomcat9/webserver.p12 -nocerts -out /etc/tomcat9/webserver.key)

    When asked to "Enter Import Password" enter/paste the keystore passphrase mentioned above.
    When asked to "Enter PEM pass phrase" simply enter/paste the same passphrase again.
    And yet again, when asked to "Verifying - Enter PEM pass phrase".
    The resulting file starts with a few "Bag Attributes" lines before the "-----BEGIN ENCRYPTED PRIVATE KEY-----" block. They are harmless: OpenSSL skips them when it reads the key in the following steps, so there is no need to trim a fixed number of header lines off the output. On OpenSSL 3 a keystore written by an older OpenSSL (RC2-40 encryption) may fail with an "unsupported" error; add -legacy to the command in that case.

  3. Generate a CSR from the private key, either by supplying the necessary data (at least the CN) on the command line or by omitting the -subj argument (and value) altogether and entering the data interactively when prompted:

    openssl req -new -key /etc/tomcat9/webserver.key -out /etc/tomcat9/webserver.csr -subj "/CN=WEBSERVER-FQDN"

    When asked to "Enter pass phrase for /etc/tomcat9/webserver.key" again provide the passphrase from the previous steps.
    Note that browsers validate the host name only against the subjectAltName extension, not the CN. Public CAs such as Sectigo put the name(s) you request into the SAN of the issued certificate, so a CN-only CSR is normally sufficient; with OpenSSL 1.1.1 or newer you can also add the SAN to the CSR yourself (see the -addext option of openssl req).

  4. Use the generated CSR to request a TLS certificate from your certificate supplier, e.g. ACOnet TCS. The CSR contains only the public key and the subject, so it can be sent through any channel; the private key stays on the server. Once the certificate has been issued copy it to the IDP server into the file /etc/tomcat9/webserver.crt
    You'll also need to copy any intermediate Certificate Authority (CA) certificates to the IDP server. For example, with ACOnet TCS, Sectigo and an RSA OV certificate the only intermediate CA certificate you need is the one with the subject "C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4", referenced as file /path/to/GEANT-OV-RSA-CA-4.crt below.

  5. Make a backup copy of your existing keystore, then copy the private key, the new TLS certificate and any intermediate CA certificates into the keystore (overwriting the existing one):

    cp -a /etc/tomcat9/webserver.p12 /etc/tomcat9/webserver.p12.`date -u +%Y%m%d`
    openssl pkcs12 -export -in /etc/tomcat9/webserver.crt -inkey /etc/tomcat9/webserver.key -certfile /path/to/GEANT-OV-RSA-CA-4.crt -name "webserver" -out /etc/tomcat9/webserver.p12

    When asked to "Enter pass phrase for /etc/tomcat9/webserver.key" provide the passphrase from the previous steps.
    Again when asked to "Enter Export Password".
    And yet again, when asked to "Verifying - Enter Export Password".
    The export only succeeds if the certificate's public key belongs to the private key, so a certificate issued for a different CSR (or a mix-up between two servers) is caught here rather than at Tomcat start-up. OpenSSL 3 writes the keystore with AES-256-CBC and PBKDF2 by default; should the JVM running Tomcat be unable to read it, re-run the export with -legacy.

  6. Make sure the changed keystore file still has proper file system ownership and permissions, e.g.

    chown root:tomcat /etc/tomcat9/webserver.p12
    chmod 0640 /etc/tomcat9/webserver.p12
  7. Restart Tomcat

    systemctl restart tomcat9
  8. Verify that the new certificate chain works and looks as previously explained.

  9. If everything works fine and the certificate chain looks as expected remove the private key and certificate files again, as they are no longer needed (both are now in the keystore):
    (Keep the CSR around for next time; it contains nothing secret and lets you restart this process at step 4 above.)

    rm /etc/tomcat9/webserver.{key,crt}
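The nine steps above, as an added example that is not part of the original page: shell functions that run the same openssl commands without prompting. The keystore passphrase is exported once as KS_PASS (copied from keystorePass in server.xml by hand) and handed to openssl through -passin/-passout env:KS_PASS, so it is never typed three times and never appears on a command line. KS_PASS, TOMCAT_DIR and the function names are this example's own; the check that the issued certificate really belongs to the extracted key is added here and is not a step on the original page.

```shell
#!/bin/bash
# Added example, not the original page's code. Requires: export KS_PASS='<keystorePass>'
# TOMCAT_DIR, KS_PASS and the function names are assumptions of this example.
set -e

TOMCAT_DIR="${TOMCAT_DIR:-/etc/tomcat9}"

# Step 2: extract the still-encrypted private key. OpenSSL ignores the
# "Bag Attributes" lines in front of the PEM block when reading the key back,
# so nothing has to be trimmed. umask 077 makes the key file 0600 from the
# moment it is created. (On OpenSSL 3 add -legacy if an RC2-40 keystore
# fails with "unsupported".)
extract_key() {   # $1 = keystore, $2 = key file to create
    ( umask 077
      openssl pkcs12 -in "$1" -nocerts -passin env:KS_PASS -passout env:KS_PASS -out "$2" )
}

# Step 3: CSR from the existing key. Browsers ignore the CN, so the FQDN is
# also put into a subjectAltName (-addext needs OpenSSL 1.1.1 or newer).
make_csr() {      # $1 = key file, $2 = CSR file to create, $3 = FQDN
    openssl req -new -key "$1" -passin env:KS_PASS -out "$2" \
        -subj "/CN=$3" -addext "subjectAltName=DNS:$3"
}

# Check before step 5: the issued certificate must carry the public key that
# belongs to our private key. Compares SHA-256 digests of the DER public keys.
key_matches_cert() {  # $1 = key file, $2 = certificate; exit status 0 on match
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -passin env:KS_PASS -pubout -outform DER | openssl dgst -sha256)
    from_cert=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$from_key" = "$from_cert" ]
}

# Step 5: back up the old keystore, then write the new one (key + leaf +
# intermediates) under the same passphrase. A keystore created from scratch
# gets mode 0640; an existing file keeps its mode (step 6 fixes ownership).
rebuild_keystore() {  # $1 = key file, $2 = certificate, $3 = intermediate CA file, $4 = keystore
    if [ -f "$4" ]; then
        cp -a "$4" "$4.$(date -u +%Y%m%d)"
    fi
    ( umask 027
      openssl pkcs12 -export -in "$2" -inkey "$1" -passin env:KS_PASS \
          -certfile "$3" -name webserver -passout env:KS_PASS -out "$4" )
}

# Step 8, offline part: number of certificates now in the keystore
# (leaf + intermediates; 2 for a chain with GEANT OV RSA CA 4 only).
keystore_cert_count() {  # $1 = keystore
    openssl pkcs12 -in "$1" -nokeys -passin env:KS_PASS | grep -c 'BEGIN CERTIFICATE'
}

# Step 8, live part: the chain Tomcat actually serves after the restart,
# one " N s:<subject>" line per certificate.
show_served_chain() {    # $1 = FQDN
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:'
}

# Typical use (as root, after: export KS_PASS='...'):
#   extract_key "$TOMCAT_DIR/webserver.p12" "$TOMCAT_DIR/webserver.key"
#   make_csr "$TOMCAT_DIR/webserver.key" "$TOMCAT_DIR/webserver.csr" idp.example.org
#   ... submit the CSR, save the issued certificate as $TOMCAT_DIR/webserver.crt ...
#   key_matches_cert "$TOMCAT_DIR/webserver.key" "$TOMCAT_DIR/webserver.crt" || exit 1
#   rebuild_keystore "$TOMCAT_DIR/webserver.key" "$TOMCAT_DIR/webserver.crt" \
#       /path/to/GEANT-OV-RSA-CA-4.crt "$TOMCAT_DIR/webserver.p12"
#   chown root:tomcat "$TOMCAT_DIR/webserver.p12"; systemctl restart tomcat9
#   keystore_cert_count "$TOMCAT_DIR/webserver.p12"; show_served_chain idp.example.org
#   rm "$TOMCAT_DIR"/webserver.{key,crt}
```

The functions take explicit paths so they can be exercised against a throw-away keystore in a temporary directory before being pointed at /etc/tomcat9; key_matches_cert is the check worth running before the old keystore is overwritten, since it distinguishes "wrong certificate file" from "Tomcat will not start" while the backup is still trivial to restore.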