Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: type, fill in missing steps


  1. Grab/copy the passphrase (keystorePass for the Connector element with port="443") for the existing PKCS#12 keystore from the Tomcat configuration file, /etc/tomcat9/server.xml
    Use this passphrase in all the steps below when asked for a key passphrase or import/export password. There's no reason to protect the same private key with multiple different passphrases on the same system.
  2. Extract the private key from the keystore file:

    No Format
    openssl pkcs12 -in /etc/tomcat9/webserver.p12 -nocerts | tail +5 > /etc/tomcat9/webserver.key

    When asked to "Enter Import Password" enter/paste the keystore passphrase mentioned above.
    When asked to "Enter PEM pass phrase" simply enter/paste the same passphrase again.
    And yet again, when asked to "Verifying - Enter PEM pass phrase".

  3. Generate a CSR from the private key, either by supplying the necessary data (at least the CN) on the command line or by not supplying the -subj  argument (and value) at all, entering any data interactively when being prompted for it:

    No Format
    openssl req -new -key /etc/tomcat9/webserver.key -out /etc/tomcat9/webserver.csr -subj "/CN=WEBSERVER-FQDN"

    When asked to "Enter pass phrase for /etc/tomcat9/webserver.key" again provide the passphrase from the previous steps.

  4. Using Use the generated CSR to request a TLS certificate from your Certificate Authoritycertificate supplier, e.g. using ACOnet TCS. Once the certificate has been issued copy it and to the IDP server into the file /etc/tomcat9/webserver.crt
    You'll also need to copy any intermediate Certificate Authority (CA) certificates to the IDP server.
    E.g. in case of ACOnet TCS, Sectigo and an RSA OV certificate the only intermediate CA certificate you'll need is the one with the subject "C = NL, O = GEANT Vereniging, CN = GEANT OV RSA CA 4", referenced as file /path/to/GEANT-OV-RSA-CA-4.crt below.

  5. Make a backup copy of your existing keystore and copy the private key, new TLS certificate and any intermediate CA certificates into the keystore (overwriting the existing one).:

    No Format
    cp -a /etc/tomcat9/webserver.p12 /etc/tomcat9/webserver.p12.`date -u +%Y%m%d`
    openssl pkcs12 -export -in /etc/tomcat9/webserver.crt -inkey /etc/tomcat9/webserver.key -certfile /path/to/GEANT-OV-RSA-CA-4.crt -name "webserver" -out /etc/tomcat9/webserver.p12

    When asked to "Enter pass phrase for /etc/tomcat9/webserver.key" provide the passphrase from the previous steps.
    Again when asked to "Enter Export Password".
    And yet again, when asked to "Verifying - Enter Export Password".

  6. Make sure the changed keystore file still has proper file system ownership and permissions, e.g.

    No Format
    chown root:tomcat /etc/tomcat9/webserver.p12
    chmod 0640 /etc/tomcat9/webserver.p12

  7. Restart Tomcat

    No Format
    systemctl restart tomcat9

  8. Verify that the new certificate chain works and looks as previously explained.

  9. If everything works fine and the certificate chain looks as expected you can remove the private key and certificate again (keeping as they are no longer needed:
    (Keep the CSR around for next time, which would allow allowing you to re-start this process at step 4 above).

    No Format
    rm /etc/tomcat9/webserver.{key,crt}