Renewing SSL Tomcat Cert: use existing keystore or create a new one?

Contributor II

We are in the process of renewing our public certificates to ensure SHA-2 compliance and our JSS is one of the ones on the list. When renewing a certificate, do we need to create a new Tomcat keystore or can we simply start at the point where we generate a new CSR with the existing one?



I have the same question as this at the moment, is anybody able to shed any light on this? I'm a little confused!

Valued Contributor

When we switched from a self-signed SSL cert to a QuoVadis-issued cert, we went for a brand new keystore. This was the advice from Jamf Support who we engaged at the time to smooth the process:

When you request a certificate, you create a CSR, the private key that you need for later, and a public key that we don't need. You're supposed to send the CSR to the Certificate Authority (CA) of your choice. (you can reproduce it with using Keychain access utility > Application menu > Certificate assistant > Request a certificate from a CA) The Webserver, root and intermediate are the expected cert to receive from your CA. Once we have them, we're supposed to combine them and export them as a .p12 keystore (should contain the private key, the root, server and intermediate certs).

After that, I just needed to upload the root and intermediate certs for our AD so that I could log into the web interface (was JSS) with my usual AD credentials.


Thanks for this! Much appreciated. I'll have a poke around today and see if I can get it running.

New Contributor

I'm using the Jamf GUI to renew an existing 3rd Party cert and I'm at the point where it says "Upload the SSL Certificate Keystore". Do I just upload the existing Keystore from the Tomcat folder on the server (Windows) ?

New Contributor II

@nagiordano what did you end up doing? is uploading the existing keystore a valid option?