Question

Renewing SSL Tomcat Cert: use existing keystore or create a new one?

  • July 7, 2015
  • 5 replies
  • 27 views


We are in the process of renewing our public certificates to ensure SHA-2 compliance and our JSS is one of the ones on the list. When renewing a certificate, do we need to create a new Tomcat keystore or can we simply start at the point where we generate a new CSR with the existing one?

5 replies

  • Contributor
  • January 10, 2019

I have the same question as this at the moment. Is anybody able to shed any light on this? I'm a little confused!


mark_mahabir
  • Jamf Heroes
  • January 10, 2019

When we switched from a self-signed SSL cert to a QuoVadis-issued cert, we went for a brand new keystore. This was the advice from Jamf Support who we engaged at the time to smooth the process:

When you request a certificate, you create a CSR, the private key that you need for later, and a public key that we don't need. You're supposed to send the CSR to the Certificate Authority (CA) of your choice. (You can reproduce it using the Keychain Access utility > application menu > Certificate Assistant > Request a Certificate from a CA.) The web server, root and intermediate are the expected certs to receive from your CA. Once we have them, we're supposed to combine them and export them as a .p12 keystore (should contain the private key, the root, server and intermediate certs).

After that, I just needed to upload the root and intermediate certs for our AD so that I could log into the web interface (was JSS) with my usual AD credentials.
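
The sequence described in the reply above (new private key and CSR, certs back from the CA, everything combined into a .p12), as an added example that is not part of the thread or of Jamf's tooling. It assumes the `openssl` CLI instead of Keychain Access; the hostname, the `tomcat` alias, the password and the throwaway root CA standing in for the public CA are constructed, and an intermediate cert would be added to the `-CAfile` and `-certfile` bundle alongside the root.

```shell
#!/bin/sh
# Added example. Hostname, alias, password and the throwaway CA are constructed.
P12_PASS=changeit-placeholder

build_keystore() {   # usage: build_keystore /path/to/private/workdir
    d=$1
    umask 077        # the private key below is written unencrypted
    # 1. New private key plus a SHA-256-signed CSR (the CSR goes to the CA).
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=jss.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    # 2. Constructed stand-in for the CA's reply: a root cert and the server cert.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Constructed Test Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -sha256 -days 1 -in "$d/server.csr" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null || return 1
    # 3. The issued cert must carry the public key of the private key we kept.
    k=$(openssl pkey -in "$d/server.key" -pubout)
    c=$(openssl x509 -in "$d/server.pem" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "key/cert mismatch" >&2; return 1; }
    # 4. The server cert must chain to the CA certs that were received.
    openssl verify -CAfile "$d/root.pem" "$d/server.pem" >/dev/null || return 1
    # 5. Combine private key, server cert and CA certs into the .p12 keystore.
    openssl pkcs12 -export -name tomcat -inkey "$d/server.key" \
        -in "$d/server.pem" -certfile "$d/root.pem" \
        -passout "pass:$P12_PASS" -out "$d/keystore.p12" || return 1
}

# Count PEM objects of one kind inside a keystore, e.g. CERTIFICATE.
count_p12() {   # usage: count_p12 keystore.p12 password "PRIVATE KEY"
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null |
        grep -c "BEGIN $3"
}
```

Step 3 is the check that catches a certificate issued against a different CSR than the key being packaged; `count_p12` confirms the keystore holds one private key and the expected number of certs before it is uploaded.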


  • Contributor
  • January 14, 2019

Thanks for this! Much appreciated. I'll have a poke around today and see if I can get it running.


  • New Contributor
  • April 1, 2019

I'm using the Jamf GUI to renew an existing 3rd Party cert and I'm at the point where it says "Upload the SSL Certificate Keystore". Do I just upload the existing Keystore from the Tomcat folder on the server (Windows)?


  • New Contributor
  • October 23, 2019

@nagiordano what did you end up doing? Is uploading the existing keystore a valid option?