Renewing SSL Tomcat Cert: use existing keystore or create a new one?

powellbc
Contributor II

We are in the process of renewing our public certificates to ensure SHA-2 compliance and our JSS is one of the ones on the list. When renewing a certificate, do we need to create a new Tomcat keystore or can we simply start at the point where we generate a new CSR with the existing one?


MBrownUoG
Contributor

I have the same question as this at the moment. Is anybody able to shed any light on this? I'm a little confused!

mark_mahabir
Valued Contributor

When we switched from a self-signed SSL cert to a QuoVadis-issued cert, we went for a brand new keystore. This was the advice from Jamf Support who we engaged at the time to smooth the process:

When you request a certificate, you create a CSR, the private key that you need for later, and a public key that we don't need. You're supposed to send the CSR to the Certificate Authority (CA) of your choice. (You can reproduce it using the Keychain Access utility > Application menu > Certificate Assistant > Request a Certificate From a Certificate Authority.) The web server, root and intermediate are the expected certs to receive from your CA. Once we have them, we're supposed to combine them and export them as a .p12 keystore (it should contain the private key, the root, server and intermediate certs).

After that, I just needed to upload the root and intermediate certs for our AD so that I could log into the web interface (was JSS) with my usual AD credentials.
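As an added example (not from this thread, Jamf Support or Tomcat), the Go program below models the relationship described above: a CSR generated from the private key that is already in the keystore, a CA (a constructed stand-in, not a real issuer) signing a certificate for it, and the two checks worth making before importing the result into that same keystore entry, namely that the certificate carries the public half of the existing key and that it is signed with a SHA-2 algorithm. The hostname and CA name are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCSR is the "start at the CSR step" path: a request signed with the key already in the keystore.
func newCSR(key *rsa.PrivateKey, cn string) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// issueFromCSR stands in for the CA (constructed test CA); Go signs RSA certs with SHA-256 by default.
func issueFromCSR(csr *x509.CertificateRequest, caKey *rsa.PrivateKey) (*x509.Certificate, error) {
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test CA"}}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: time.Now(), NotAfter: time.Now().AddDate(1, 0, 0)}
	der, err := x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// certMatchesKey: the returned cert must carry the public half of the key in the entry it is imported into.
func certMatchesKey(cert *x509.Certificate, key *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.N.Cmp(key.N) == 0 && pub.E == key.E
}

// isSHA2Signed covers the SHA-2 compliance requirement for RSA-signed certificates.
func isSHA2Signed(cert *x509.Certificate) bool {
	return cert.SignatureAlgorithm == x509.SHA256WithRSA || cert.SignatureAlgorithm == x509.SHA384WithRSA || cert.SignatureAlgorithm == x509.SHA512WithRSA
}

func main() {
	existing, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the key pair already in the keystore
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)    // stands in for the CA's signing key
	csr, _ := newCSR(existing, "jss.example.com")     // assumed hostname
	cert, _ := issueFromCSR(csr, caKey)
	fmt.Println("matches existing key:", certMatchesKey(cert, existing), "SHA-2 signed:", isSHA2Signed(cert))
}
```

With keytool the same relationship holds: the CSR is generated from the alias that holds the private key, and the issued certificate is imported back into that same alias, so a new keystore is only required when you want a new key pair.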

MBrownUoG
Contributor

Thanks for this! Much appreciated. I'll have a poke around today and see if I can get it running.

nagiordano
New Contributor

I'm using the Jamf GUI to renew an existing 3rd-party cert and I'm at the point where it says "Upload the SSL Certificate Keystore". Do I just upload the existing keystore from the Tomcat folder on the server (Windows)?

M0J077
New Contributor II

@nagiordano What did you end up doing? Is uploading the existing keystore a valid option?