

1. Download
( in ssl_util)

2. SFTP to the server you need to install certs on

3. Compile and run
(javac InstallCert.java; java InstallCert <hostname>)
This will generate a jssecacerts file in the same folder

4. Run 'locate jssecacerts'

5. Copy the generated jssecacerts to every location listed

6. Bounce tomcat


1. Find the keystore location: open tomcat/server.xml and look for the keystore path (for example ~/.keystore), and note the keystore password, which you will need
2. Make a backup of the keystore
cp ~/.keystore ~/keystore.COPY.10.22.2020
3. List the certs in the keystore and find the old one
keytool -list -v -keystore ~/.keystore >> /tmp/certoutput
4. Open the file, find the old certificate and confirm it is expired, and note its alias name so you can remove it
5. Remove the old certificate:
keytool -delete -noprompt -alias <alias> -keystore .keystore
6. Download a PEM file for the new certificate
openssl s_client -showcerts -connect <hostname>:<port> </dev/null 2>/dev/null | openssl x509 -outform PEM > <certfile>
7. Import it into your keystore
keytool -import -trustcacerts -alias <alias> -file <certfile> -keystore .keystore
8. List the keystore again to ensure it has the new one
keytool -list -v -keystore ~/.keystore >> /tmp/certoutput-NEW

  • If you need the keystore location and password, they are located in Tomcat's server.xml config file

Restart tomcat and you are back in business
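
Step 4 of the keystore procedure (finding the expired certificate and its alias in the saved listing) can be scripted instead of done by eye. The following is an added example, not part of the original page: it parses `keytool -list -v` text such as /tmp/certoutput and returns the aliases whose certificate has expired. The function names and the sample listing are constructed for illustration, and it assumes keytool printed its dates in an English locale.

```python
import re
from datetime import datetime

ALIAS_RE = re.compile(r"^Alias name:\s*(\S.*?)\s*$")
VALID_RE = re.compile(r"^Valid from:\s*(.+?)\s+until:\s*(.+?)\s*$")

# Constructed sample of `keytool -list -v` output (not from a real keystore).
SAMPLE_LISTING = """\
Alias name: oldcert
Entry type: trustedCertEntry
Owner: CN=app.example.internal
Valid from: Tue Oct 22 10:00:00 EDT 2019 until: Thu Oct 22 10:00:00 EDT 2020

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=tomcat.example.internal
Valid from: Sat Mar 01 00:00:00 UTC 2025 until: Fri Mar 01 00:00:00 UTC 2030
Certificate[2]:
Owner: CN=Example Internal CA
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Tue Jan 01 00:00:00 UTC 2019
"""

def parse_keytool_date(text):
    # keytool prints dates like "Thu Oct 22 10:00:00 EDT 2020". Zone abbreviations
    # are ambiguous, so the zone is dropped (assumption: a few hours' error is fine).
    parts = text.split()
    if len(parts) != 6:
        raise ValueError("unexpected keytool date: %r" % text)
    return datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")

def expired_aliases(listing, now):
    """Return [(alias, not_after)] for entries whose first (leaf) cert has expired."""
    expired, alias, leaf_seen = [], None, False
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias, leaf_seen = m.group(1), False
            continue
        m = VALID_RE.match(line)
        if m and alias is not None and not leaf_seen:
            leaf_seen = True  # later certs in a chain belong to issuers, not the alias
            not_after = parse_keytool_date(m.group(2))
            if not_after < now:
                expired.append((alias, not_after))
    return expired
```

To use it on a real listing, pass the contents of /tmp/certoutput and `datetime.now()`; each returned alias is a candidate for the `keytool -delete` step.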
