By: Todd Higgins user 08 Dec 2020 at 3:24 p.m. CST

2 Responses
I am reviewing the documentation found here for updating the Apache certificate. It seems straightforward enough, but I think we ran into issues when the last certificate was installed in 2017, so if others could just check my steps that would be appreciated.

* I am going to use openssl to generate a new private key and CSR, which I will have signed by our vendor (InCommon/Sectigo).
* Rename the new key and signed certificate to match the settings in the `/etc/httpd/conf.d/https_gluu.conf` file.
* Update the Intermediate Certificates file with the new intermediates file. (InCommon has 2 intermediates, plus the root.)
* Convert the new httpd.crt into a httpd.der file using the command listed in the documentation, and then import that new file into the Java keystore (again using the commands listed).
* Restart the listed services.

**Some Questions**

* Why do I need to include this certificate in the keystore?
* Do I have to worry about the Java keystore not having the intermediate certs?
* I assume I can update all the needed files at the same time and restart the services once. (The instructions have the intermediate certificate info listed after you have restarted the services.)

Thanks,
Todd
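The steps in the post above can be sanity-checked before any service is restarted. The following is an added example, not part of the original post or of the Gluu documentation: all function names are hypothetical, the PEM-to-DER call is the standard openssl conversion rather than the documented command (which is not quoted on this page), and `make_demo_pki` builds a constructed throwaway root and certificate so the checks can be tried offline.

```shell
# Pre-restart checks for a renewed Apache certificate (added example).
# All function names are hypothetical; pass the paths your
# https_gluu.conf actually points at.

# The private key and the certificate must carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY CERT
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# The certificate must chain to the bundle (intermediates plus root).
chain_verifies() {  # usage: chain_verifies BUNDLE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Standard openssl PEM-to-DER conversion (assumed equivalent to the
# documented command, which is not quoted on this page).
pem_to_der() {  # usage: pem_to_der CERT_PEM CERT_DER
    openssl x509 -in "$1" -outform DER -out "$2"
}

# The DER file headed for the Java keystore must be the same certificate.
der_matches_pem() {  # usage: der_matches_pem CERT_PEM CERT_DER
    fpem=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 1
    fder=$(openssl x509 -inform DER -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 1
    [ -n "$fpem" ] && [ "$fpem" = "$fder" ]
}

# Run every check, report each failure, return non-zero if any failed.
precheck() {  # usage: precheck KEY CERT BUNDLE CERT_DER
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match certificate"; rc=1; }
    chain_verifies "$3" "$2" || { echo "FAIL: certificate does not chain to bundle"; rc=1; }
    der_matches_pem "$2" "$4" || { echo "FAIL: DER file is a different certificate"; rc=1; }
    return "$rc"
}

# Constructed throwaway root and leaf (no intermediate), for trying the checks offline.
make_demo_pki() {  # usage: make_demo_pki DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=idp.example.org" \
        -keyout "$1/httpd.key" -out "$1/httpd.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/httpd.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -days 1 -out "$1/httpd.crt" 2>/dev/null
}
```

`chain_verifies` treats every certificate in the bundle as trusted, so it confirms that the bundle belongs to this certificate, not that the root is one a client or the JVM already trusts.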

By Aliaksandr Samuseu staff 08 Dec 2020 at 5:59 p.m. CST

Hi, Todd.

3.0.2 reached its EOL long ago; I'm not sure we can keep supporting it under Community Support, sorry. But, off the top of my head, here are the answers:

1. You need to add them to the keystore as different Gluu components cross-talk to each other by accessing their APIs, and these requests pass through the Apache front-end, and thus Apache's cert needs to be trusted by Java.
2. If Apache's certificate isn't in Java's store, and it's, say, a self-signed certificate, Java may refuse to establish an SSL connection to Apache. If you'll be using a certificate signed by a proper trusted CA, you may not need this step, but I would still add it there, nevertheless, just in case. It's hard for me to recall how exactly everything was configured back in the day; it's been a while.
3. Yes, you can update everything in one go, then start the services all at once.

Hope this helps.

By Todd Higgins user 09 Dec 2020 at 12:25 p.m. CST

Hi Alik, Thanks for your response! My plan was to have this server upgraded before it came time to renew the SSL certificate, but then COVID happened and our plans were smashed to bits! The process for updating the Apache Certificate on my version (3.0.2) seems to be similar to the updating process for 4.1. I will follow the instructions as listed and let you know how I make out! Todd