
Permanent SSL Certificate

Submitted by bsteward on Tue, 08/04/2015 - 12:27


Does anyone have any tips or instructions on how to install an existing wildcard certificate as the permanent SSL certificate on the CAS, Admin, and Portal servers? I've asked consultants, opened tickets, and read the install guide, but I have yet to find the "right" combination of commands. I'm pretty sure that someone out there has successfully accomplished this. Any tips or help will be greatly appreciated. Thanks!


Yes, I can import the wildcard certificate using keytool. These are the commands that I ran. Am I approaching this the right way, or am I just totally lost?

On the test-admin and the test-portal servers, I ran:
lpstop
keytool -delete -alias tomcat -keystore /opt/luminis/.keystore
keytool -importcert -alias tomcat -file /_jsu_2015_2018.crt -keystore /opt/luminis/.keystore
keytool -importcert -alias gd_bundle -file /gd_bundle-g2-g1.crt -keystore /opt/luminis/.keystore
keytool -delete -alias cas_cert -keystore /opt/luminis/products/java/jre/lib/security/cacerts
keytool -importcert -alias cas_cert -file /_jsu_2015_2018.crt -keystore /opt/luminis/products/java/jre/lib/security/cacerts
keytool -importcert -alias gd_bundle -file /gd_bundle-g2-g1.crt -keystore /opt/luminis/products/java/jre/lib/security/cacerts
lpstart

On the test-cas, I ran:
lpstop
keytool -delete -alias tomcat -keystore /opt/luminis/.keystore
keytool -importcert -alias tomcat -file /_jsu_2015_2018.crt -keystore /opt/luminis/.keystore
keytool -importcert -alias gd_bundle -file /gd_bundle-g2-g1.crt -keystore /opt/luminis/.keystore
keytool -delete -alias tomcat -keystore /opt/luminis/products/java/jre/lib/security/cacerts
keytool -importcert -alias tomcat -file /_jsu_2015_2018.crt -keystore /opt/luminis/products/java/jre/lib/security/cacerts
keytool -importcert -alias gd_bundle -file /gd_bundle-g2-g1.crt -keystore /opt/luminis/products/java/jre/lib/security/cacerts
lpstart

The certificate _jsu_2015_2018.crt is our existing wildcard certificate and the gd_bundle-g2-g1.crt is the GoDaddy bundle. When I try to run lpstart, I get errors.

Those commands look alright, although I would add "-trustcacerts" to all your import statements.

Your luminis.log might contain clues. If it says something like "ssl handshake error" or "can't complete the chain", it might be that you imported the wrong intermediate cert or root cert. I'd contact your SSL vendor and make sure you have the correct combination of stuff.

Also, double check your keystore locations. Like,
grep keystoreFile $CP_ROOT/products/tomcat/tomcat-portal/conf/server.xml
grep keystoreFile $CP_ROOT/products/tomcat/tomcat-admin/conf/server.xml
I'm not sure about the default CAS keystore, because I didn't install CAS.

Just recently I was trying to install a cert for our wiki at spaces.pcc.edu. Keytool import wasn't working, despite using the same documented steps for years. When I called Symantec support, they asked me to try installing the PKCS#7 type cert (which contains the cert and the intermediate/bundle) instead of the X.509 type cert and a separate intermediate/bundle file. It worked. They admitted that they were not sure why, but occasionally versions of Java / some condition change, and JKS keystores have a bug and can't complete the certificate chain.
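The two checks the reply suggests (where server.xml points, and whether the keystore actually holds a usable chain) can be scripted against the output the commands in this thread already produce. The script below is an added example written for this page; it is not from the thread, from Luminis or from Ellucian. It pulls the keystoreFile path out of a Tomcat server.xml and parses `keytool -list -v` output to confirm that the tomcat alias is a PrivateKeyEntry with more than one certificate in its chain. That distinction matters for the command sequence above: `keytool -importcert` into an alias that no longer holds a private key stores the certificate as a trustedCertEntry, and Tomcat cannot serve TLS from a trusted-certificate entry, only from a key entry whose chain was attached to the private key. The sample server.xml and the two keytool listings are constructed; the keystore path, certificate subjects and dates in them are placeholders, not values from any real server.

```shell
#!/bin/sh
# Added example, not from the thread. Offline checks on text that
# `grep keystoreFile .../server.xml` and `keytool -list -v` produce.
# All sample data below is constructed for illustration.

# Print the first keystoreFile="..." value from a server.xml given as a
# file argument or on stdin. Usage: keystore_path_from_server_xml [file]
keystore_path_from_server_xml() {
    cat "$@" | sed -n 's/.*keystoreFile="\([^"]*\)".*/\1/p' | head -n 1
}

# Print the "Entry type:" of one alias from `keytool -list -v` output on
# stdin. Each alias block starts at "Alias name: <alias>"; the flag is reset
# whenever the next alias block begins.
entry_type_for_alias() {
    awk -v alias="$1" '
        /^Alias name: / { inblock = ($0 == ("Alias name: " alias)) }
        inblock && /^Entry type: / { sub(/^Entry type: /, ""); print; exit }
    '
}

# Print the "Certificate chain length:" of one alias (empty for a
# trustedCertEntry, which has no chain line).
chain_length_for_alias() {
    awk -v alias="$1" '
        /^Alias name: / { inblock = ($0 == ("Alias name: " alias)) }
        inblock && /^Certificate chain length: / {
            sub(/^Certificate chain length: /, ""); print; exit
        }
    '
}

# Return 0 only when the alias is a PrivateKeyEntry whose chain holds the
# leaf plus at least one intermediate. Usage: ... | tomcat_alias_is_servable tomcat
tomcat_alias_is_servable() {
    listing=$(cat)
    etype=$(printf '%s\n' "$listing" | entry_type_for_alias "$1")
    clen=$(printf '%s\n' "$listing" | chain_length_for_alias "$1")
    [ "$etype" = "PrivateKeyEntry" ] && [ "${clen:-0}" -gt 1 ]
}

# Constructed server.xml fragment (placeholder values).
sample_server_xml() {
    cat <<'EOF'
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           keystoreFile="/opt/luminis/.keystore" keystorePass="REDACTED"
           clientAuth="false" sslProtocol="TLS" />
EOF
}

# Constructed listing of a keystore where "tomcat" is a key entry with its chain.
sample_keytool_listing_good() {
    cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: gd_bundle
Creation date: Aug 4, 2015
Entry type: trustedCertEntry

Owner: CN=Example Intermediate CA, O=Example CA Inc.
Issuer: CN=Example Root CA, O=Example CA Inc.

Alias name: tomcat
Creation date: Aug 4, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.example.edu, O=Example University
Issuer: CN=Example Intermediate CA, O=Example CA Inc.
Certificate[2]:
Owner: CN=Example Intermediate CA, O=Example CA Inc.
Issuer: CN=Example Root CA, O=Example CA Inc.
EOF
}

# Constructed listing after `keytool -delete` then `-importcert` on the same
# alias: the certificate landed as a trustedCertEntry with no private key.
sample_keytool_listing_bad() {
    cat <<'EOF'
Alias name: tomcat
Creation date: Aug 4, 2015
Entry type: trustedCertEntry

Owner: CN=*.example.edu, O=Example University
Issuer: CN=Example Intermediate CA, O=Example CA Inc.
EOF
}

# Stand-alone demo against the constructed samples.
echo "keystoreFile: $(sample_server_xml | keystore_path_from_server_xml)"
if sample_keytool_listing_good | tomcat_alias_is_servable tomcat; then
    echo "good listing: tomcat alias is servable"
fi
if ! sample_keytool_listing_bad | tomcat_alias_is_servable tomcat; then
    echo "bad listing: tomcat alias is a trustedCertEntry, not a key entry"
fi
```

Against a real server, run `keytool -list -v -keystore "$(keystore_path_from_server_xml $CP_ROOT/products/tomcat/tomcat-portal/conf/server.xml)" | tomcat_alias_is_servable tomcat` (keytool will prompt for the keystore password). A failing check points at the keystore contents rather than at the chain the vendor supplied, which narrows the search before reading luminis.log.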