- Grab/copy the passphrase for the existing PKCS#12 keystore from the Tomcat configuration file (the connector with port="443"). Use this passphrase in all the steps below whenever you are asked for a key passphrase or an import/export password. There's no reason to protect the same private key with multiple different passphrases on the same system.
Extract the private key from the keystore file (tail strips the four header lines, "Bag Attributes" and "Key Attributes", that openssl prints before the PEM block):
openssl pkcs12 -in /etc/tomcat9/webserver.p12 -nocerts | tail -n +5 > /etc/tomcat9/webserver.key
When asked to "Enter Import Password" enter/paste the keystore passphrase mentioned above.
When asked to "Enter PEM pass phrase" simply enter/paste the same passphrase again.
And yet again when asked to "Verifying - Enter PEM pass phrase".
Generate a CSR from the private key, either by supplying the necessary data (at least the CN) on the command line or by leaving out the -subj argument (and its value) altogether and entering the data interactively when prompted for it:
openssl req -new -key /etc/tomcat9/webserver.key -out /etc/tomcat9/webserver.csr -subj "/CN=WEBSERVER-FQDN"
When asked to "Enter pass phrase for /etc/tomcat9/webserver.key" provide the passphrase from the previous steps again.
Use the generated CSR to request a TLS certificate from your certificate supplier, e.g. using ACOnet TCS. Once the certificate has been issued, copy it to the IdP server into the file
You'll also need to copy any intermediate Certificate Authority (CA) certificates to the IdP server.
E.g. in the case of ACOnet TCS, Sectigo and an RSA OV certificate, the only intermediate CA certificate you'll need is the one with the subject "C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4", referenced as file
Make a backup copy of your existing keystore, then pack the private key, the new TLS certificate and any intermediate CA certificates into the keystore (overwriting the existing one):
cp -a /etc/tomcat9/webserver.p12 /etc/tomcat9/webserver.p12.`date -u +%Y%m%d`
openssl pkcs12 -export -in /etc/tomcat9/webserver.crt -inkey /etc/tomcat9/webserver.key -certfile /path/to/GEANT-OV-RSA-CA-4.crt -name "webserver" -out /etc/tomcat9/webserver.p12
When asked to "Enter pass phrase for /etc/tomcat9/webserver.key" provide the passphrase from the previous steps.
Again when asked to "Enter Export Password".
And yet again when asked to "Verifying - Enter Export Password".
Make sure the changed keystore file still has proper file system ownership and permissions, e.g.
chown root:tomcat /etc/tomcat9/webserver.p12
chmod 0640 /etc/tomcat9/webserver.p12
Then restart Tomcat:
systemctl restart tomcat9
Verify that the new certificate chain works and looks as previously explained.
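The verification step above, as an added example that is not from the original page: a POSIX shell function using openssl(1) that confirms the rebuilt keystore holds a private key matching the leaf certificate, that the certificate is currently valid, and that at least one intermediate CA certificate is bundled. The keystore path in the usage comment and the P12PASS variable name are assumptions.

```shell
# Added example, not part of the original page: checks a rebuilt PKCS#12
# keystore with openssl(1) before Tomcat is restarted. Usage (assumed path):
#   export P12PASS='the keystore passphrase'; check_keystore /etc/tomcat9/webserver.p12
# The passphrase is read from the environment (-passin env:) rather than
# from the command line so it does not show up in process listings.
check_keystore() {
  p12=$1
  pass=env:P12PASS

  # Leaf (end-entity) certificate; "|| true" keeps a failure readable.
  leaf=$(openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "$pass" 2>/dev/null |
         openssl x509 2>/dev/null || true)
  [ -n "$leaf" ] || { echo "cannot read leaf certificate (wrong passphrase?)"; return 1; }

  # Public key as embedded in the certificate ...
  cert_pub=$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey)
  # ... and as derived from the private key stored in the keystore.
  key_pub=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "$pass" 2>/dev/null |
            openssl pkey -pubout 2>/dev/null || true)
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate"; return 1; }

  # The renewed certificate must be valid right now.
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null ||
    { echo "certificate has expired"; return 1; }

  # Count the bundled CA certificates (the intermediates Tomcat has to send).
  n_ca=$(openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "$pass" 2>/dev/null |
         grep -c 'BEGIN CERTIFICATE' || true)
  [ "${n_ca:-0}" -ge 1 ] || { echo "no intermediate CA certificate bundled"; return 1; }

  echo "ok: key matches certificate, $n_ca CA certificate(s) bundled"
  printf '%s\n' "$leaf" | openssl x509 -noout -subject -enddate
}
```

A non-zero exit status names the first problem found, so the function can also gate the systemctl restart in a script.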
If everything works fine and the certificate chain looks as expected you can remove the private key and certificate files again, as they are no longer needed. Keep the CSR around for next time, which allows you to restart this process at step 4 above.