Posted to users@tomcat.apache.org by Antonio Fiol Bonnín <fi...@terra.es> on 2004/02/25 08:00:03 UTC

Re: Rollover Web Certificate

paul.spinelli@notes.tcs.treas.gov wrote:

>Wondering if anybody has experienced a web cert expiring in their keystore. If
>so, I was wondering how you go about replacing it without bringing down the
>server. Can you simply create a new certificate (in a different keystore, I'd
>imagine) then get it signed via the CSR, then import the new one into the
>original keystore, overwriting the current about-to-expire certificate? I don't
>think this would work though because the private keys would be different in the
>two keystores. So you'd have to do this whole process in a new keystore and then
>bounce Tomcat and have it point to the new keystore.
>  
>

When you renew a certificate, you are supposed to use the same private 
key you used the first time.
  -- Google: SSL Certificates HOWTO.

Other than that, is it so bad to restart a server? I'd bet the keystore 
is only read at the connector init, and not re-read later. But I have 
not seen the code, so maybe someone will correct this.


Antonio Fiol
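
Added example, not part of the original thread: the two cases discussed above, run against scratch keystores with the JDK's keytool. A CA reply for a CSR taken from the existing keystore entry imports over the same alias, while a reply for a key generated in a different keystore is refused. The alias, DNs, file names, password and the throwaway CA are all constructed for the demo.

```shell
#!/bin/sh
# Added example: names, DNs and the password are constructed; scratch keystores only.
PASS=changeit
kt() { c=$1; shift; keytool "$c" -storetype PKCS12 -storepass "$PASS" "$@" </dev/null >/dev/null 2>&1; }
newkey() {  # $1 = keystore, $2 = alias, $3 = DN, rest = extra keytool options
  ks=$1 al=$2 dn=$3; shift 3
  kt -genkeypair -keystore "$ks" -alias "$al" -dname "$dn" -keyalg RSA -keysize 2048 \
     -validity 30 -keypass "$PASS" "$@"
}
# Throwaway CA plus a server keystore holding the "about to expire" key entry.
setup() {  # $1 = scratch dir
  newkey "$1/ca.p12" ca "CN=Demo CA" -ext bc:c &&
  kt -exportcert -keystore "$1/ca.p12" -alias ca -rfc -file "$1/ca.pem" &&
  newkey "$1/server.p12" tomcat "CN=www.example.test" &&
  kt -importcert -keystore "$1/server.p12" -alias ca -file "$1/ca.pem" -noprompt &&
  kt -exportcert -keystore "$1/server.p12" -alias tomcat -rfc -file "$1/old.pem"
}
# CSR from the tomcat entry of keystore $2, signed by the demo CA into $3.
sign_csr_from() {  # $1 = dir, $2 = keystore file, $3 = reply file
  kt -certreq -keystore "$1/$2" -alias tomcat -file "$1/req.csr" &&
  kt -gencert -keystore "$1/ca.p12" -alias ca -infile "$1/req.csr" \
     -outfile "$1/$3" -rfc -validity 365
}
# Import a CA reply over the existing key entry. keytool compares the reply's
# public key with the entry's key and fails if they differ.
import_reply() {  # $1 = dir, $2 = reply file
  kt -importcert -keystore "$1/server.p12" -alias tomcat -file "$1/$2" -noprompt
}
# The scenario from the question: key pair and CSR created in a different keystore.
make_foreign_reply() {
  newkey "$1/other.p12" tomcat "CN=www.example.test" &&
  sign_csr_from "$1" other.p12 foreign.pem
}
# Renewal with the existing key: CSR from the live entry, reply imported in place.
renew_same_key() {
  sign_csr_from "$1" server.p12 reply.pem && import_reply "$1" reply.pem &&
  kt -exportcert -keystore "$1/server.p12" -alias tomcat -rfc -file "$1/new.pem"
}
if [ "${1:-}" = demo ]; then
  d=$(mktemp -d) && setup "$d" && make_foreign_reply "$d" || exit 1
  import_reply "$d" foreign.pem && echo "foreign reply accepted" || echo "foreign reply rejected"
  renew_same_key "$d" && echo "same-key reply installed over alias tomcat"
  rm -rf "$d"
fi
```

Run it as `sh script.sh demo` on a machine with a JDK; old.pem and new.pem in the scratch directory are the certificate served before and after the in-place import.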