Hello,
I would like to replace the WebServer certificate. But the new certificate for the server is in pem format, but the keytool accepts only crt. How can I still import the certificate into the mykeystore.jks?
Regards Thomas
Hello
I believe what you are looking for is laid out in the documentation below.
Creating a CA-Signed Certificate for the Tomcat Server
https://documentation.commvault.com/commvault/v11/article?p=50497.htm
“If you need to replace an expired CA-signed certificate, back up the existing keystore and server.xml files, and then delete the existing keystore file before creating the new CA-signed certificate.
…
To generate a CSR, run the following command:
keytool -certreq -keyalg RSA -alias tomcat -file C:\somename.csr -keystore C:\mykeystore.jks -validity <daysValid> -ext SAN=dns:<domainname>”
Once the CSR is generated, you can upload to the CA and submit for signing.
Hi
I have followed these instructions. But I do not need to create a certificate. I already have a new signed certificate which I want to import for the Commvault WebServer. The only problem is that my certificate is output as pem format from our tool xca and I still need to import it somehow.
The root certificate has already been imported and now I need to import the new one for the web server.
Hi
You might need to use OpenSSL command line to convert the .pem to .crt or .pfx (we also accept pfx)
https://www.openssl.org/docs/man1.1.1/man1/openssl-x509.html
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
Or you can use XCA to export directly the Certificate in PFX Bundle
https://hohnstaedt.de/xca/index.php/documentation/manual
PKCS#12: PKCS#12 structure containing the certificate, the corresponding private key and the chain of all issuers certificates.
That will generate a PFX File that will serve as keystore+certificate bundle all in one
Then in Commvault configure the server.xml
https://documentation.commvault.com/commvault/v11/article?p=50506.htm
Use the .pfx, .p12 or .p7b keystore files and set certificateKeystoreType to PKCS12
Thanks,
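An added example, not part of any post in this thread and not Commvault or OpenSSL code: a standard-library Python check that reports whether a certificate file is PEM or DER and which PEM blocks it holds (for instance, whether a private key is bundled with the certificate), plus the base64 decoding that turns a PEM certificate into DER. The function names and the five-byte `SAMPLE_DER` are constructed for illustration; `SAMPLE_DER` is not a real certificate.

```python
import base64
import re

# One textual block: -----BEGIN <label>----- base64 body -----END <label>-----
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)
# Constructed placeholder (SEQUENCE { INTEGER 1 }); NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")


def classify(data: bytes):
    """Return (encoding, labels) for the raw bytes of a certificate file."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        return "PEM", [label.decode() for label, _ in blocks]
    # DER X.509, PKCS#7 and PKCS#12 files all begin with an ASN.1 SEQUENCE.
    if data[:1] == b"\x30":
        return "DER", []
    return "unknown", []


def pem_to_der(data: bytes, label: str = "CERTIFICATE") -> bytes:
    """Decode the first PEM block carrying the given label to DER bytes."""
    for found, body in PEM_BLOCK.findall(data):
        if found.decode() == label:
            # Strip line breaks, then reject any non-base64 characters.
            der = base64.b64decode(b"".join(body.split()), validate=True)
            if der[:1] != b"\x30":
                raise ValueError("decoded block is not an ASN.1 SEQUENCE")
            return der
    raise ValueError(f"no {label} block found")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = b"-----BEGIN " + label.encode() + b"-----\n"
    tail = b"\n-----END " + label.encode() + b"-----\n"
    return head + b"\n".join(lines) + tail


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(classify(pem))
    print(pem_to_der(pem).hex())
```

To check a real file, pass `open(path, "rb").read()` to `classify` before running keytool against it.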
Hi
I have now followed the instructions again.
Issued server/domain certificate: keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt
Is the last item where I get an error message. Can anyone tell me what could be the problem here?
C:\Program Files\Commvault\ContentStore\jre\bin>keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\Users\AdminTSA\Desktop\cvcstapp01.eos.lcl.crt
Enter keystore password:
keytool error: java.security.cert.CertificateParsingException: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 49)
Regards
Thomas
Hi
The error message you shared is indicating that there is something missing or incorrect in the provided certificate. That error is somewhat generic, as it could indicate a few potentially different scenarios.
From a troubleshooting perspective, it would be greatly beneficial for us to review the contents of the certificates themselves to determine the best next step rather than shooting from the hip. Rather than uploading your SSL certificates here, I think it would be best for a Support Incident to be opened so that we can review this with you live.
If you can please open a Support ticket, and then update this thread with the TR number we will track the incident so that the underlying cause and solution can be posted here to help others moving forward.
Thank you!
-Brian Bruno
Hey
- Encoding of information in server.xml is not supported, by which I mean there is no method available within the application itself to accomplish this. This debate has been ongoing for some years between users and Apache developers, and the current summary is that because the software is open source, any method to encrypt and decrypt by the application is publicly available in the code, and therefore someone who can access the server.xml file can likely decode it. There is no method to encrypt and decode data from the Tomcat config files currently in the software itself. Instead, the devs (Apache, not Commvault) consider that you would control access to the config files themselves via the operating system.
- There are many examples of this discussion online. The documentation below has some information if needed for reference, but you might be able to find something better if needed in the Apache documentation. https://wiki.apache.org/tomcat/FAQ/Password
Let me know if this answers your question/concern.
Hi
OK, then I will adjust the used password for the keystore again. I think then this case can be classified as solved.
Thanks for the quick feedback
Anytime!!