I have a host abc.com on which I have installed an SSL certificate, but due to some reason the host name was changed to xyz.com, so I have created a new SSL certificate for this host, but somehow it's still referring to the old certificate which was used for abc.com.
Following are the commands I've used to create the keystore and CSR file:
-- KeyStore generation command
keytool -genkey -alias xyz -keyalg RSA -keystore xyz.keystore -keysize 2048
-- CSR file generation command
keytool -certreq -alias xyz -file xyz.csr -keystore xyz.keystore -sigalg SHA1withRSA
From the CSR file I've generated the trusted certificate for the site. There are 3 certificates provided to me: Root certificate, Issuer certificate and Site certificate.
First I've imported the Root certificate, then the Issuer certificate and then the Site certificate into the keystore using the commands below:
-- Importing root certificate
keytool -import -v -noprompt -trustcacerts -alias root -file root.cer -keystore xyz.keystore -storetype JKS -storepass xyz123 -keypass xyz123
-- Importing issuer certificate
keytool -import -v -noprompt -trustcacerts -alias issuer -file issuer.cer -keystore xyz.keystore -storetype JKS -storepass xyz123 -keypass xyz123
-- Importing site certificate
keytool -import -v -noprompt -trustcacerts -alias xyz -file xyz.cer -keystore xyz.keystore -storetype JKS -storepass xyz123 -keypass xyz123
Now, to check if the certificates are imported properly in the keystore, I've used the command below:
keytool -list -keystore xyz.keystore
I can see 4 entries in the keystore: 1 PrivateKeyEntry and 3 trustedCertEntry entries.
Now I've used this keystore and its keyPass in the Connector tag of the server.xml file of Tomcat. The server.xml entry looks like below:
<Connector port="8443" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75" enableLookups="false" acceptCount="100"
           disableUploadTimeout="true" keystoreFile="xyz.keystore" keystorePass="xyz123"/>
I restarted the server and tried accessing the application, but it's still referring to the old certificate.
Any help would be appreciated.
Finally, after lots of searching, I found this command:
keytool -list -keystore ~/.keystore -v
This will list the certificates from the default keystore, which is in your home directory (~/ means your home directory on Linux).
And I could see the old certificate there. I removed the old certificate from there and then added the new keystore details to my server.xml file in Tomcat, and now it's referring to the new certificate properly.
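The answer above turns on a Tomcat default that is easy to overlook: when a TLS Connector names no keystoreFile, Tomcat opens ~/.keystore of the user running it, and a relative keystoreFile is resolved against $CATALINA_BASE, so a stale certificate can be served from a file nobody remembers. The script below is an added example (not part of the original question or answer, and not Tomcat's own code): it reads a server.xml, applies those documented rules to every HTTPS Connector, and reports the keystore path Tomcat will actually open, whether that file exists, and whether the Connector lacks SSLEnabled="true" (required on Tomcat 6 and later for the port to speak TLS at all). The sample server.xml, the CATALINA_BASE value /opt/tomcat and the home directory /home/tomcat are constructed for the example.

```python
"""Added example: resolve the keystore each Tomcat TLS Connector will load.

Rules applied (from the Tomcat HTTP Connector documentation):
  * no keystoreFile attribute  -> ${user.home}/.keystore (Tomcat's default)
  * relative keystoreFile      -> resolved against $CATALINA_BASE
  * absolute keystoreFile      -> used as given
The Tomcat 8.5+ nested <SSLHostConfig><Certificate certificateKeystoreFile=...>
form is handled as well, and takes precedence over the attribute form.
"""
import os
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the Connector from the question, plus one with no
# keystoreFile (falls back to ~/.keystore) and one plain HTTP Connector.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreFile="xyz.keystore" keystorePass="xyz123"/>
    <Connector port="9443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" keystorePass="changeit"/>
  </Service>
</Server>"""


@dataclass
class ConnectorKeystore:
    port: str
    keystore_file: str           # effective path Tomcat will open
    exists: bool                 # whether that file is present on disk
    source: str                  # "attribute", "nested" or "default"
    warnings: List[str] = field(default_factory=list)


def resolve_keystore(value: Optional[str], catalina_base: str,
                     user_home: str) -> Tuple[str, bool]:
    """Return (effective path, is_default) following Tomcat's rules."""
    if not value:
        return os.path.join(user_home, ".keystore"), True
    if os.path.isabs(value):
        return os.path.normpath(value), False
    return os.path.normpath(os.path.join(catalina_base, value)), False


def inspect_server_xml(xml_text: str, catalina_base: str,
                       user_home: str) -> List[ConnectorKeystore]:
    """Report the keystore every HTTPS Connector in server.xml will use."""
    root = ET.fromstring(xml_text)
    results: List[ConnectorKeystore] = []
    for conn in root.iter("Connector"):
        ssl_enabled = conn.get("SSLEnabled", "").lower() == "true"
        if conn.get("scheme", "").lower() != "https" and not ssl_enabled:
            continue  # plain HTTP Connector, nothing to check
        warnings: List[str] = []
        if not ssl_enabled:
            warnings.append('SSLEnabled="true" missing: on Tomcat 6+ this '
                            'port does not speak TLS at all')
        cert = conn.find("./SSLHostConfig/Certificate")
        if cert is not None:
            raw, source = cert.get("certificateKeystoreFile"), "nested"
        else:
            raw, source = conn.get("keystoreFile"), "attribute"
        path, is_default = resolve_keystore(raw, catalina_base, user_home)
        if is_default:
            source = "default"
            warnings.append("no keystoreFile: Tomcat falls back to ~/.keystore, "
                            "which may still hold an old certificate")
        results.append(ConnectorKeystore(conn.get("port", "?"), path,
                                         os.path.isfile(path), source, warnings))
    return results


if __name__ == "__main__":
    for entry in inspect_server_xml(SAMPLE_SERVER_XML, "/opt/tomcat", "/home/tomcat"):
        print(f"port {entry.port}: {entry.keystore_file} "
              f"(source={entry.source}, exists={entry.exists})")
        for w in entry.warnings:
            print(f"  WARNING: {w}")
```

Run it against the real file with the values of $CATALINA_BASE and the Tomcat user's home directory; if the reported path is ~/.keystore, or a path other than the keystore you just populated, that is the file to inspect with keytool -list -v before touching anything else. After the fix, confirm with keytool -list -v on the reported path that the PrivateKeyEntry's certificate carries the expected subject and fingerprint.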