Replace Webserver certificate

  • 27 July 2021
  • 9 replies

Userlevel 4
Badge +15


I would like to replace the WebServer certificate. But the new certificate for the server is in pem format. but the keytool accepts only crt. How can I still import the certificate into the mykeystore.jks ?

Regards Thomas


Best answer by thomas.S 30 July 2021, 12:43

View original

9 replies

Userlevel 2
Badge +3

Hello @thomas.S,


I believe what you are looking for is laid out in the documentation below.


Creating a CA-Signed Certificate for the Tomcat Server


“If you need to replace an expired CA-signed certificate, back up the existing keystore and server.xml files, and then delete the existing keystore file before creating the new CA-signed certificate.



To generate a CSR, run the following command:

keytool -certreq -keyalg RSA -alias tomcat -file C:\somename.csr -keystore C:\mykeystore.jks -validity <daysValid> -ext SAN=dns:<domainname>”


Once the CSR is generated, you can upload to the CA and submit for signing.

Userlevel 4
Badge +15

Hi @Chuck Graves 

I have followed these instructions. But I do not need to create a certificate. I already have a new signed certificate which I want to import for the Commvault WebServer. The only problem is that my certificate is output as pem format from our tool xca and I still need to import it somehow. 
The root certificate has already been imported and now I need to import the new one for the web server.  


Userlevel 3
Badge +6

Hi @thomas.S 


You might need to use OpenSSL command line to convert the .pem to .crt or .pfx (we also accept pfx)

openssl x509 -outform der -in your-cert.pem -out your-cert.crt

Or you can use XCA to export directly the Certificate in PFX Bundle

  • PKCS#12: PKCS#12 structure containing the certificate, the corresponding private key and the chain of all issuers certificates.

That will generate a PFX File that will serve as keystore+certificate bundle all in one 

Then in Commvault configure the server.xml

Use the .pfx, .p12 or .p7b keystore files and set certificateKeystoreType to PKCS12








Userlevel 4
Badge +15

Hi @Juan Rosas , 

I have now followed the instructions again. 
Issued server/domain certificate:
keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\server_certificate_whatevername.crt
Is the last item where I get an error message. Can anyone tell me what could be the problem here?

C:\Program Files\Commvault\ContentStore\jre\bin>keytool -import -alias tomcat -keystore C:\mykeystore.jks -trustcacerts -file C:\Users\AdminTSA\Desktop\cvcstapp01.eos.lcl.crt

Enter keystore password:

keytool error: ObjectIdentifier() -- data isn't an object ID (tag = 49)



Userlevel 5
Badge +13

Hi @thomas.S,


The error message you shared is indicating that there is something missing or incorrect in the provided certificate.  That error is somewhat generic, as it could indicate a few potentially different scenarios.


From a troubleshooting perspective, it would be greatly beneficial for us to review the contents of the certificates themselves to determine the best next step rather than shooting from the hip.  Rather than uploading your SSL certificates here, I think it would be best for a Support Incident to be opened so that we can review this with you live.


If you can please open a Support ticket, and then update this thread with the TR number we will track the incident so that the underlying cause and solution can be posted here to help others moving forward.


Thank you!


-Brian Bruno

Userlevel 4
Badge +15

@Brian Bruno We have solved the problem. The server.xml now contains the certificateKeystorePassword in plain text. Can I encrypt this as well ?

Userlevel 7
Badge +23

Hey @thomas.S , I found a few incidents internally asking the same question.  Here’s the best written response:

- Encoding of information in server.xml is not supported by which I mean there is no method that is available within the application itself to accomplish this. This debate has been ongoing for some years between users and apache developers and the current summary is because the software is open source any method to encrypt and decrypt by the application is publicly available in the code and therefore someone who can access the server.xml file can likely decode it. There is no method to encrypt and decode data from the tomcat config files currently in the software itself. Instead the Dev's (Apache not Commvault) consider that instead you would control access to the config files themselves via the operating system.

- There are many examples of this discussion online. The documentation below has some information if needed for reference but you might be able to find something better if needed in apache documentation.

Let me know if this answers your question/concern.

Userlevel 4
Badge +15

Hi @Mike Struening , 

ok then I will adjust the used password for the keystore again. I think then this case can be classified as solved.

Thanks for the quick feedback

Userlevel 7
Badge +23