
I've made an error and I can't figure out how to reverse.

I configured Tomcat to use HTTPS and first tested it successfully using a self-signed certificate created with keytool.

I then generated a CSR which was sent to a Certificate Authority and I received a set of 4 certificates.

I installed this chain of certificates successfully, but I forgot to delete the self-signed certificate first and the server failed a security scan.

Based on advice, I then tried to delete the self-signed certificate and reinstall the CA certificates, but I'm no longer getting the correct response from keytool ("Certificate reply was installed in keystore"); it simply responds with "Certificate added to keystore".

I'm assuming the CSR has already had its response, so is there a way of reinstalling these certificates without generating a new CSR and paying for new certificates?

eggwater

1 Answer


If you have created your CSR via keytool in a keystore, it generated a self-signed certificate (at least for temporary use) in that entry at the same time. Don't delete the entry for that certificate, since it also contains the private key, which you'll need to use in conjunction with the certificate you obtained.

When you import a certificate that was issued to you in that keystore, to replace the self-signed certificate and to associate it with the private key used for the CSR, you need to import it back against the correct alias, perhaps with the chain, as described in this answer.

Bruno
  • I deleted the alias that was given to the self-signed cert. I think I f*&ked up. – eggwater Aug 16 '12 at 11:35
  • Sounds like a backup would have been appropriate... A number of CAs will let you re-apply with a new CSR to issue a new cert without extra fee during the time validity of the initial cert. Check with them. – Bruno Aug 16 '12 at 11:40
  • Backup, yes :-( Hopefully I can send a new CSR without charge. My next question is: does the self-signed cert need to be removed prior to CA cert installation, as I've been told? Can I re-import the CA certificate? I configured two servers at once after testing and thought they were correct. It was the security scan that suggested that the self-signed certificate was still being used. When I checked back, I didn't use the `-trustcacerts` option when I imported the CA cert. I'm rambling a bit now, but is there any way of modifying the previously imported CA cert to be a trusted CA, using keytool? – eggwater Aug 16 '12 at 11:53
  • You should be able to re-import the server cert directly. You seem to be confusing keystore and truststore. You'll need to import the cert and its intermediate CA certs *in a chain* (see the answer I've linked to) for your server cert, but that's for the keystore. The `-trustcacerts` option is more relevant for a truststore. – Bruno Aug 16 '12 at 12:00
  • Thanks Bruno. I did import them in a chain. Everything worked fine until some obligatory security scan suggested that the self-signed cert was still in the system and flagged some errors. Instructions from the CA provider said to use `-trustcacerts`. – eggwater Aug 16 '12 at 12:06
  • Not sure what the context was from that CA (any link?). What kind of security scan are you performing? – Bruno Aug 16 '12 at 14:40
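The two keytool messages in the question map to two different entry types: importing a cert against an alias that already holds a private key installs it as the reply to that key's CSR ("Certificate reply was installed in keystore"), while importing into a fresh alias creates a trusted-certificate entry with no key ("Certificate added to keystore"). The checker below, an added example that is not part of the original thread, parses `keytool -list -v` output and flags a server alias that is not a PrivateKeyEntry, still carries the self-signed cert, or lacks its intermediate chain; the alias names, subject names and listing text are constructed for the demonstration.

```python
# Constructed sample of `keytool -list -v` output (not from the original post): alias
# "tomcat" still holds only the keytool-generated self-signed cert (chain length 1,
# Owner == Issuer) and the CA's root cert was imported as a separate trusted entry.
SAMPLE_LISTING = """\
Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=www.example.com, O=Example Ltd, C=GB
Issuer: CN=www.example.com, O=Example Ltd, C=GB

*******************************************
*******************************************

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example CA, C=GB
Issuer: CN=Example Root CA, O=Example CA, C=GB
"""

def parse_keytool_listing(text):
    """Turn `keytool -list -v` output into one record per alias."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name: "):
            cur = {"alias": line[12:], "type": None, "certs": []}
            entries.append(cur)
        elif cur and line.startswith("Entry type: "):
            cur["type"] = line[12:]
        elif cur and line.startswith("Owner: "):   # each Owner: starts a new cert
            cur["certs"].append({"owner": line[7:], "issuer": None})
        elif cur and line.startswith("Issuer: ") and cur["certs"]:
            cur["certs"][-1]["issuer"] = line[8:]
    return entries

def check_server_alias(entries, alias):
    """Findings for the alias Tomcat's connector uses; an empty list means it looks right."""
    entry = next((e for e in entries if e["alias"] == alias), None)
    if entry is None:
        return [f"alias '{alias}' not found: Tomcat has no private key to serve"]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        findings.append(f"alias '{alias}' is {entry['type']}: imported as a trusted cert, not as the CSR reply")
    certs = entry["certs"]
    if certs and certs[0]["owner"] == certs[0]["issuer"]:
        findings.append("leaf is self-signed: the CA reply never replaced the keytool cert")
    elif len(certs) < 2:
        findings.append("chain length 1: intermediate CA certs are missing from the entry")
    return findings
```

Run it against `keytool -list -v -keystore <your keystore>` output with the alias named in Tomcat's connector; the first finding tells you which of the three mistakes the scan is seeing.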