tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: renewing an ssl certificate
Date Wed, 05 Apr 2017 23:42:22 GMT

On 4/4/17 3:11 PM, Lyallex wrote:
> After some sterling support from this list a while ago which
> included a code change I have been successfully running Apache
> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
> year now without problems, it just works, it never falls over and
> it has withstood some concerted attacks by all sorts of scallywags.
> Impressive.

Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
have a testing environment, I think you'll be able to do it in about
30 minutes. After you do it once, it'll take you more like 5 minutes.

> It is now time to renew my ssl certificate and I'm getting a bit
> jumpy.

No sweat.

> I managed to get everything working first time around following the
> docs at 
>  According to my service provider (Comodo) I have to submit a new 
> certificate signing request which (I think) means creating a self 
> signed certificate.
> Will this mess up my existing cert? It still has 10 days to go.

That depends upon exactly how you do things.

> Is the process the same as installing first time or are there some 
> gotchas I need to be aware of?

I would start from scratch every time. Here's why:

1. Java keystores are ... an abomination. The less you have to mess
with them, the better.

2. In the unlikely event that your private key has been compromised
(e.g. someone broke into your server and copied it off there).

3. For conversations that aren't using "forward security", the RSA
private key is the master key to all of those conversations. If
someone (e.g. US-NSA) has compromised your private key and is recording
all your conversations with your clients, then a compromised key means
a compromise of all of those conversations, past or future. Generating
a new private key limits the amount of damage that can be caused by
this kind of compromise.

4. If you break something, you'll have the old keystore as a backup
and can roll back immediately without worrying if you have broken
anything in the original keystore. (Of course, you could just make a
backup copy of the keystore, but this start-fresh process has a
built-in backup, so you don't have to remember it.)

> [From a followup post]
> actually all I was asking was 'is it possible to use an existing
> keystore (and therefore an existing private key) to install a new
> certification chain'

You can, but see above.

> In the end I created a brand new keystore, generated a new private
> key and CSR, submitted the CSR to Comodo then installed the new
> chain when it arrived. Then I simply switched the server
> (../conf/server.xml) to look at the new keystore and it just
> worked. Result.

It should be that simple every time. Again, always keep a backup...
just in case.

> I was under the impression the certs were 'installed' in the
> keystore but I don't think this is right so now I have to figure
> out where they are as I'd like to remove the old ones. Every time I
> mess about with this SSL/TLS stuff I age several years :-)

This is the thing about Java keystores: they merge concepts together
in a way that I dislike. If you crack open your keystore, you'll end
up finding the following:

1. a private key
2. a self-signed certificate
3. the CA-signed certificate
4. the CA's intermediate certificate (usually)

But "keytool" makes it look like #1 and #2 are the same thing.

When you are using PEM files, it's very clear what everything is, and,
if you have a one-PEM-file-to-rule-them-all, then you can at least see
everything labelled appropriately with a simple text editor. You can
also get your private key out of the bundle without resorting to

Come to this year's ApacheCon NA in Miami. There will be a few talks
about TLS, including one on the basics and another one on using Let's
Encrypt to get free automated certs so you never have to manually do
this process ever again -- unless you want an EV cert ;)

- -chris
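The start-from-scratch renewal described in this thread, as an added shell example (not code from the thread or from the Tomcat project); the alias `tomcat`, the keystore directory, the placeholder password and the constructed subject DN are assumptions to adjust for your own host:

```shell
#!/bin/sh
# Added example: the "start from scratch" renewal scripted with keytool.
# Assumed: alias "tomcat", keystores under $KS_DIR, placeholder password.
set -eu

KS_DIR="${KS_DIR:-/etc/tomcat/keys}"   # assumed location
KS_PASS="${KS_PASS:-changeit}"         # placeholder; use a real one
ALIAS="tomcat"

# 1. Brand-new keystore with a brand-new private key. The old keystore
#    file is never touched, so it remains the built-in rollback copy.
new_keystore() {
    ks="$1"; dn="$2"
    [ ! -e "$ks" ] || { echo "refusing to overwrite $ks" >&2; return 1; }
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
        -keystore "$ks" -storepass "$KS_PASS" -keypass "$KS_PASS" \
        -dname "$dn" -validity 365 >/dev/null 2>&1
}

# 2. CSR for the new key; this is what goes to the CA (Comodo above).
make_csr() {
    ks="$1"; out="$2"
    keytool -certreq -alias "$ALIAS" -keystore "$ks" -storepass "$KS_PASS" \
        -file "$out" >/dev/null 2>&1
}

# 3. Install the returned chain: intermediates as trusted certs first, then
#    the signed leaf under the key's alias, which replaces the temporary
#    self-signed cert (the #1/#2 conflation keytool hides from you).
install_chain() {
    ks="$1"; leaf="$2"; shift 2
    i=0
    for inter in "$@"; do
        i=$((i + 1))
        keytool -importcert -noprompt -alias "intermediate$i" -file "$inter" \
            -keystore "$ks" -storepass "$KS_PASS" -trustcacerts
    done
    keytool -importcert -noprompt -alias "$ALIAS" -file "$leaf" \
        -keystore "$ks" -storepass "$KS_PASS" -trustcacerts
}

# What keytool merged: key + self-signed cert show as one PrivateKeyEntry,
# every imported CA cert as a trustedCertEntry.
list_entries() {
    keytool -list -keystore "$1" -storepass "$KS_PASS" 2>/dev/null \
        | grep -E 'PrivateKeyEntry|trustedCertEntry'
}
# 4. Point keystoreFile in conf/server.xml at the new file (keystoreType must
#    match: JKS on old Java, PKCS12 on Java 9+ defaults), restart, keep the old.
```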

