Renewing a certificate for IBM WebSphere or Apache Tomcat is a relatively straightforward process. There are, however, some subtle differences between renewing a certificate and installing a fresh one. I would like to document them here, primarily to make it easier on myself the next time I need to simply renew a certificate. If you are looking for more advanced information, please consider these articles on configuring IBM WebSphere for SSL and installing or importing certificates into a WebSphere Trust Store.
If an IBM WebSphere or Apache Tomcat application server is nearing the end of its SSL certificate's validity period, you can follow these steps to ensure that your servers remain secure and your users' experience is not interrupted.
IBM WebSphere
Step 1: Back up the existing certificate in case you need to revert.
- Connect to the server where IBM WebSphere HTTP Server is installed. Navigate to the folder [IBM_HTTPServer_Home]\.
- Back up or move the existing SSL certificate to an expired_certs folder. Ex: C:\IBM\HTTPServer
Step 2: Copy the new certificate to IBM WebSphere HTTP Server home folder.
- Copy the new Maximo SSL certificate to the [IBM_HTTPServer_Home]\ folder. If you need help requesting a new certificate, please refer to our article configuring IBM WebSphere for SSL.
Step 3: Launch the IBM Key Management application to import the new certificate.
- Launch the IBM Key Management application.
- Click Export/Import button from the right-side button menu.
- Select the Import Key radio button.
- Change the Key file type to PKCS12 using the drop-down menu.
- Browse to the file name of the certificate that was copied in Step 2.
- Click the OK button. Supply the password associated with this certificate.
- Click the OK button.
- Select the label under Select a label to change. In the Enter a new label textbox provide a new label for this certificate.
- Click the OK button.
- Double-click the certificate that was just added with the new label.
- Click the Set the certificate as the default checkbox at the bottom left.
- Click the OK button.
- The certificate that was just added with the new label should now have an * next to its name.
- Click the OK button.
- The certificate that was just added with the new label should now have an * next to its name.
Apache Tomcat
Step 1: Back up the existing certificate in case you need to revert.
- Connect to the server where Apache Tomcat server is installed. Navigate to the folder [Apache_Tomcat_Home]\conf. Ex: C:\Apache\Tomcat\conf
- Back up or move the existing SSL certificate to a certs folder.
- Open the server.xml file using a text editor.
Step 2: Edit the server.xml file.
- Locate the section beginning <Connector port="443" scheme="https". Change the name of the certificate if necessary. Update the keystorePass value to the new password for the certificate.
- NOTE: This is an XML document. Consequently, any ampersand or quote characters in the value will need to be replaced with their XML entities (&amp; and &quot;). For example, if your password is 1234"& then the value for keystorePass would be keystorePass="1234&quot;&amp;"
- Save the server.xml document and restart the Apache Tomcat service.
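The escaping rule from the NOTE in Step 2, as an added example that is not part of the original article: it escapes a password for the keystorePass attribute and checks, by parsing the element, that an XML parser recovers the original value. The function names and the second sample password are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def escape_attr(value: str) -> str:
    """Escape a value for a double-quoted XML attribute."""
    # escape() rewrites &, < and > first; the extra map then handles quotes.
    return escape(value, {'"': "&quot;", "'": "&apos;"})


def connector_line(password: str, raw: bool = False) -> str:
    """Build a Connector element; raw=True pastes the password unescaped."""
    value = password if raw else escape_attr(password)
    return f'<Connector port="443" scheme="https" keystorePass="{value}" />'


def check_connector(xml_fragment: str, expected_password: str) -> str:
    """Report what an XML parser recovers from the keystorePass attribute."""
    try:
        element = ET.fromstring(xml_fragment)
    except ET.ParseError:
        return "malformed"  # the document is not well-formed XML
    if element.get("keystorePass") != expected_password:
        return "mismatch"   # parses, but yields a different password
    return "ok"


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for pw in ('1234"&', "p&amp;w"):
        print(repr(pw), "escaped:", check_connector(connector_line(pw), pw),
              "| raw:", check_connector(connector_line(pw, raw=True), pw))
```

The second sample shows the quieter failure: a password that already looks like an entity parses cleanly when pasted raw, but the parser hands back a different string than the one that protects the keystore.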