Drat ... missed the list Martin

Thank you for your comprehensive reply ... actually all I was asking was
'is it possible to use an existing keystore (and therefore an existing
private key) to install a new certification chain?'

In the end I created a brand new keystore, generated a new private key and
CSR, submitted the CSR to Comodo then installed the new chain when it
arrived. Then I simply switched the server (../conf/server.xml) to look at
the new keystore and it just worked. Result.

I was under the impression the certs were 'installed' in the keystore but
I don't think this is right so now I have to figure out where they are as
I'd like to remove the old ones.

Every time I mess about with this SSL/TLS stuff I age several years :-)

Thanks again

On 4 April 2017 at 22:21, Martin Gainty <mgai...@hotmail.com> wrote:
> I don't know who from the list said you could replace a valid SSL
> Certificate (that has since expired) with a self-signed but they are wrong
>
> you are MUCH better off by purchasing a valid Thawte/Verisign Certificate
> with public keys signed by a Certificate Authority which will be recognised
> by ALL browsers
>
> Mucking around with create-your-own self-signed certs will lead you to
> justifiable grief and aggravation
>
> First step is to create a CSR for X509 (named) certs embedded in pfx
>
> https://en.wikipedia.org/wiki/X.509
> X.509 - Wikipedia: In cryptography, X.509 is a standard that defines the
> format of public key certificates. X.509 certificates are used in many
> Internet protocols, including TLS/SSL ...
>
> the pfx will contain Asymmetric private/public keys:
>
> https://www.ciphercloud.com/blog/cloud-information-protection-symmetric-vs-asymmetric-encryption/
> Symmetric vs. Asymmetric Encryption | CipherCloud: One of the basic
> questions in considering encryption is to understand the differences
> between symmetric and asymmetric encryption methods, and where to apply
> each ...
>
> first step is to send the CSR to your CA provider Verisign or Thawte
>
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=INFO227
> Certificate Signing Request (CSR) Generation Instructions ...: To generate
> a CSR, you will need to create a key pair for your server. These two items
> are a digital certificate key pair and cannot be separated.
>
> yes you can create self-signed certs but CHROME stops transmission when
> they do not recognise certifying authority
> https://www.ibm.com/support/knowledgecenter/SSCP65_5.0.0/com.ibm.rational.rrdi.admin.doc/topics/t_browser_ss_cert.html
> Configuring a browser to work with self-signed certificates: When
> self-signed certificates are installed on the server, configure Internet
> Explorer or Mozilla Firefox to work with these self-signed certificates.
>
> Let me know if you need further assistance
>
> Martin
> ______________________________________________
>
> ------------------------------
> *From:* Lyallex <lyal...@gmail.com>
> *Sent:* Tuesday, April 4, 2017 3:11 PM
> *To:* Tomcat Users List
> *Subject:* renewing an ssl certificate
>
> Tomcatters
>
> After some sterling support from this list a while ago which included
> a code change I have been successfully running
> Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for
> a year now without problems, it just works, it never falls over
> and it has withstood some concerted attacks by all sorts of
> scallywags. Impressive.
>
> It is now time to renew my ssl certificate and I'm getting a bit jumpy.
>
> I managed to get everything working first time around following the docs at
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
> Apache Tomcat 7 (7.0.76) - SSL/TLS Configuration HOW-TO: Certificates: In
> order to implement SSL, a web server must have an associated Certificate
> for each external interface (IP address) that accepts secure connections.
>
> According to my service provider (comodo) I have to submit a new
> certificate signing request which (I think) means creating a self
> signed certificate.
> Will this mess up my existing cert, it still has 10 days to go?
>
> Is the process the same as installing first time or are there some
> gotchas I need to be aware of
>
> Thanks, nervously
> Lyallex
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
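The renewal flow described in this thread, written out as keytool commands, as an added example that is not part of the thread and not code from the Tomcat project. It covers the steps Lyallex took (new keystore, new private key, CSR, importing the returned chain, pointing the server.xml Connector at the new keystore) and answers his closing question: the certificates are entries in the keystore, listed one alias per entry, and an unwanted one is removed with `keytool -delete`. Everything in it is constructed: the alias names, file names, the throwaway password, and a locally generated stand-in CA that signs the CSR with `keytool -gencert` so the script runs offline; with a real CA you skip `make_fake_ca` and `sign_csr` and import the chain the CA sends back in the same way. It runs only if `keytool` (part of the JDK) is on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. All names, paths
# and the password are constructed; the "CA" is a local stand-in so the
# whole flow can be exercised offline.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/tomcat-new.jks"     # the brand-new keystore (constructed name)
CA_STORE="$WORKDIR/fake-ca.jks"        # stand-in CA keystore (constructed)
STOREPASS="changeit"                   # constructed throwaway; use a real secret

kt() { keytool "$@" -storepass "$STOREPASS"; }   # keep the password in one place

# 1. New keystore holding a new private key under alias $1.
gen_keypair() {
    kt -genkeypair -keystore "$KEYSTORE" -alias "$1" -keyalg RSA -keysize 2048 \
       -keypass "$STOREPASS" -validity 30 -dname "CN=example.invalid, O=Example"
}

# 2. CSR for that key; this file is what goes to the CA.
gen_csr() { kt -certreq -keystore "$KEYSTORE" -alias "$1" -file "$WORKDIR/$1.csr"; }

# Stand-in CA: its own key pair (marked as a CA via BasicConstraints), an
# exported CA cert, and -gencert to sign the CSR. Not needed with a real CA.
make_fake_ca() {
    kt -genkeypair -keystore "$CA_STORE" -alias ca -keyalg RSA -keysize 2048 \
       -keypass "$STOREPASS" -validity 30 -dname "CN=Constructed Test CA" -ext bc:c
    kt -exportcert -keystore "$CA_STORE" -alias ca -rfc -file "$WORKDIR/ca.crt"
}
sign_csr() {
    kt -gencert -keystore "$CA_STORE" -alias ca -rfc -validity 30 \
       -infile "$WORKDIR/$1.csr" -outfile "$WORKDIR/$1.crt"
}

# 3. Import the chain: the CA cert under its own alias first (so the chain
#    can be verified), then the server cert under the SAME alias as the
#    private key, which is what pairs the issued certificate with that key.
#    Nothing here touches the old keystore, so the old cert keeps working.
import_chain() {
    kt -importcert -keystore "$KEYSTORE" -alias ca -noprompt -file "$WORKDIR/ca.crt"
    kt -importcert -keystore "$KEYSTORE" -alias "$1" -noprompt -file "$WORKDIR/$1.crt"
}

# 4. What is actually "installed" in the keystore: one alias per entry.
#    keytool -list prints "alias, date, EntryType, ..." so the alias is field 1.
list_aliases() { kt -list -keystore "$KEYSTORE" | awk -F', ' '/Entry/ {print $1}'; }

# 5. Remove an entry that is no longer wanted (e.g. last year's certificate).
delete_entry() { kt -delete -keystore "$KEYSTORE" -alias "$1"; }

# 6. The server.xml Connector switched to the new keystore, using the Tomcat 7
#    JSSE attribute names from the SSL HOW-TO linked in the thread.
connector_xml() {
    printf '%s\n' \
      '<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"' \
      '           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"' \
      '           clientAuth="false" sslProtocol="TLS"' \
      "           keystoreFile=\"$1\" keystorePass=\"$STOREPASS\" />"
}

demo() {
    gen_keypair tomcat-old          # simulates an entry left over from last year
    gen_keypair tomcat
    gen_csr tomcat
    make_fake_ca
    sign_csr tomcat
    import_chain tomcat
    echo "entries before cleanup:"; list_aliases
    delete_entry tomcat-old
    echo "entries after cleanup:";  list_aliases
    connector_xml "$KEYSTORE"
}

if command -v keytool >/dev/null 2>&1; then
    demo
else
    echo "keytool not on PATH; nothing run" >&2
fi
```

After `delete_entry`, `list_aliases` shows only `ca` and `tomcat`; the same `-list` and `-delete` pair is how to find and remove a previous year's entry in a keystore that was reused rather than recreated.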