Can I create a new SSL keystore without messing anything up?

New Contributor III

I'm trying to renew our SSL certificate and I'm stuck at uploading the PEM certificate I received from my CA because I don't know the keystore password, and the person who set it up has left our company and left no documentation of what it could be. I tried the password in our server.xml, as I've seen suggested on here before in old threads, but that didn't work.

So can I just create a new keystore using Tomcat, and if yes, what do I need to do to make sure I don't mess anything up in my Jamf install?


Contributor II

Go with your CA and issue a new certificate/keystore, then upload it to Jamf Pro. That should work.

Honored Contributor II

It's not hard to start it all over. Just make a new Keystore and do a CSR off that new Keystore and replace the old Keystore with the new one and bounce Tomcat. Massively oversimplifying things, of course.


JAMF is retiring the ability to issue Tomcat certificates from the JAMF Pro built-in cert authority. I recommend using OpenSSL or Java Keytool, and replacing the file directly on your host server. Our JAMF instance is on a Windows Server and I just do everything with the Java Keytool on that server; if something is being stupid I will fall back to OpenSSL on a Mac.


I have not tried this, but I think you can copy the current Keystore into a new Keystore with a new password using the Java Keytool. This looks to be the workflow, but don't hold me to this as I have never tried it.



keytool -importkeystore -srckeystore {path to keystore} -destkeystore {path to new keystore backup} -deststorepass {password}
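
The rebuild workflow the replies describe (new key, CSR, swap in the signed certificate), sketched with OpenSSL as an added example that is not part of any post in this thread. File names, the `tomcat` alias, the subject and the password are constructed placeholders, a self-signed certificate stands in for the CA's reply, and the result is a PKCS#12 file rather than a keytool-built keystore.

```shell
#!/bin/sh
# Added example (not from the thread). File names, the alias "tomcat", the
# subject and the password are constructed placeholders.
set -eu

# 1. Fresh private key plus the CSR to send to the CA.
new_key_and_csr() {   # $1 = work dir, $2 = certificate subject
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  chmod 600 "$1/server.key"
}

# 2. Does the certificate the CA returned carry this key's public key?
cert_matches_key() (  # $1 = cert PEM, $2 = private key PEM
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
)

# 3. Bundle key and certificate into a PKCS#12 keystore with a known password.
#    The password travels in the environment, not on the command line.
build_keystore() {    # $1 = cert, $2 = key, $3 = output .p12, $4 = password
  cert_matches_key "$1" "$2" || { echo "cert/key mismatch, not building" >&2; return 1; }
  KS_PASS="$4" openssl pkcs12 -export -name tomcat -in "$1" -inkey "$2" \
    -out "$3" -passout env:KS_PASS
  chmod 600 "$3"
}

# 4. Prove the new file opens with the recorded password before swapping it in.
keystore_opens() {    # $1 = .p12, $2 = password
  KS_PASS="$2" openssl pkcs12 -in "$1" -nokeys -noout -passin env:KS_PASS 2>/dev/null
}

# Constructed stand-in for the CA's reply so the example runs offline.
selfsign_standin() {  # $1 = work dir
  openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" \
    -days 1 -out "$1/server.crt" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  new_key_and_csr "$d" "/CN=jamf.example.test"
  selfsign_standin "$d"
  build_keystore "$d/server.crt" "$d/server.key" "$d/keystore.p12" "Constructed-Pass-1"
  keystore_opens "$d/keystore.p12" "Constructed-Pass-1" && echo "keystore OK: $d/keystore.p12"
}
demo
```

After the swap, the keystore path and password in server.xml have to match the new file; keep a copy of the old keystore until Tomcat has restarted cleanly.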