
Changing SSL cert - problems.

Question asked by tonybarrett on Feb 12, 2015
Latest reply on Feb 12, 2015 by tonybarrett
We have an installation of Alfresco 4.2d running on CentOS linux. Since installation, we've been using the self-signed SSL certificate that was created during installation, and this has worked ok. We now need to switch this certificate to a publicly signed one from our preferred CA.

I've generated the CSR, and have a certificate from our CA based on this - all good so far.

The problem I have is trying to get Tomcat to recognize and use this new certificate for SSL access. I've tried everything - and while using keytool isn't the most intuitive method, I have managed to get the new cert installed into the ssl.keystore, along with the CA signing cert. This all looks ok. I've also managed to create the P12 cert, which I assume is for browser access. All this looks ok, but on restarting Alfresco, I've observed the following:

Initially, I'd see the new cert, but it showed that it was signed by itself, with a validity period of only 1 day.
Another change broke everything completely, despite settings looking ok - Alfresco started ok, but I got no SSL response at all.

Currently, it's still broken with no access. I don't know why it's so difficult, but all the docs I've seen and followed just deal with using self-signed certs, and not a public one (although the concept shouldn't be too different).

Questions:

Do I need to use the 'ssl.repo' and 'alfrescoca' aliases for certs imported into the keystore, or can they be anything?
What is the difference between ssl.keystore and ssl.truststore? Do I need the certs in both?
Is browser.p12 actually used during client connectivity, or are the certs pulled from the keystores?

Please don't recommend using Apache as the front end (although if I'd have known at the beginning I might have done this). I just need to get this new cert installed and get Tomcat to use it.
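The post describes a key entry that still presents a self-signed certificate after the CA-signed one was imported, and asks whether the alias matters. The script below is an added example, not code from the original post or from Alfresco or Tomcat; it shows the keytool sequence in which the CA certificate is imported as a trusted entry and the signed leaf is imported under the alias that holds the private key, then verifies the result by parsing `keytool -list -v` output. The keystore path, store password and the `ssl.repo` / `alfrescoca` aliases are assumptions taken as placeholders; only `check_entry` runs without a Java installation, the other functions call the real keytool.

```shell
#!/bin/sh
# Added example (not from the original post): install a CA-signed certificate into the
# Tomcat keystore and verify the key entry now carries the CA-signed chain.
# Assumed placeholders: keystore path, store password, and that KEY_ALIAS is the
# entry whose key pair generated the CSR.
set -e

KEYSTORE="${KEYSTORE:-ssl.keystore}"   # assumed path
STOREPASS="${STOREPASS:-changeit}"     # placeholder; omit -storepass and keytool prompts instead
KEY_ALIAS="${KEY_ALIAS:-ssl.repo}"     # alias holding the private key used for the CSR
CA_ALIAS="${CA_ALIAS:-alfrescoca}"     # alias for the CA certificate (a trusted entry)

# Step 1: the CA certificate (and each intermediate, under its own alias) must be
# present before the signed leaf is imported, otherwise keytool cannot build the chain.
import_ca_cert() {           # $1 = alias, $2 = CA certificate file (PEM or DER)
  keytool -importcert -noprompt -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$1" -file "$2"
}

# Step 2: import the signed leaf under the SAME alias as the private key; keytool then
# replaces that entry's certificate chain. Importing it under a new alias only adds a
# trustedCertEntry and leaves the old self-signed certificate in service, which is
# exactly what a "signed by itself" entry in `keytool -list -v` looks like.
import_signed_cert() {       # $1 = signed certificate file returned by the CA
  keytool -importcert -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -alias "$KEY_ALIAS" -file "$1"
}

# Step 3: read `keytool -list -v` output on stdin and check that alias $1 is a
# PrivateKeyEntry whose leaf certificate (Certificate[1]) has an issuer different
# from its subject. Prints "ok" and returns 0, or prints the reason and returns 1.
check_entry() {              # $1 = alias to check
  awk -v want="$1" '
    /^Alias name:/                                 { cur = $3 }
    cur == want && /^Entry type:/                  { etype = $3 }
    cur == want && /^Owner:/  && owner  == ""      { sub(/^Owner: /, "");  owner  = $0 }
    cur == want && /^Issuer:/ && issuer == ""      { sub(/^Issuer: /, ""); issuer = $0 }
    END {
      if (etype == "")                { print "alias " want " not found"; exit 1 }
      if (etype != "PrivateKeyEntry") { print "wrong entry type: " etype; exit 1 }
      if (owner == issuer)            { print "still self-signed: " owner; exit 1 }
      print "ok"
    }'
}

# Run the check against the live keystore.
verify_keystore() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" | check_entry "$KEY_ALIAS"
}

# Usage: sh install_cert.sh install ca.crt signed.crt
if [ "${1:-}" = "install" ]; then
  import_ca_cert "$CA_ALIAS" "$2"
  import_signed_cert "$3"
  verify_keystore
fi
```

On the keystore/truststore question in general JSSE terms: the keystore Tomcat's connector points at is where the server's private key and the chain it presents to clients live, so the signed certificate belongs there; a truststore holds CA certificates used to validate certificates presented by the other side of a connection and is only consulted when the server verifies client or peer certificates.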
