Updating an Expired Certificate

The steps to renew an expired or soon-to-expire certificate are similar to those for replacing the default certificate, as documented in Create a Certificate and Generate a CSR. To update the expired certificate:

  1. Back up the existing keystore.
  2. At a command prompt, change directories to the following location:
    <controller_home>/appserver/jetty/etc/
  3. Create a backup of the keystore file.
    1. On Linux, you can run the following command:
      cp keystore.jks keystore.jks.backup
    2. On Windows, you can use the copy command in a similar manner. If the controller is still running, stop the controller.
  4. Since you already have a Java keystore, run the following command to generate a certificate signing request (CSR). Use this existing keystore for the CSR rather than creating a new one, because you will import the new certificate into this same keystore.
    keytool -certreq -alias s1as -keystore keystore.jks -file AppDynamics.csr
  5. Submit the certificate signing request file AppDynamics.csr generated by the above example command to your Certificate Authority of choice.
    1. When it's ready, the Certificate Authority will return the signed certificate and any root and intermediary certificates required for the trust chain.
    2. The response from the Certificate Authority should include instructions for importing the certificate if needed.

      If the Certificate Authority supplies the certificate in text format, copy and paste the text into a text file.

  6. If the obtained certificate is not in text format, you can print its contents as follows:
    keytool -printcert -v -file <your obtained certificate>
  7. Import the signed certificate obtained into the keystore that you already have.
    keytool -import -alias s1as -file <your obtained certificate> -keystore keystore.jks
    1. The imported certificate will replace the old one, provided you use the same alias as the previous one.
    2. Sometimes the root and intermediate certificates of the certification authority are also expired. If that's the case, you will see the message "Failed to establish chain from reply".
  8. If the root and intermediate certificates of the certification authority are expired, they also have to be imported in your cacerts.jks so that the chain of trust can be established. You can follow your certification authority's instructions to download the root and intermediate certificates.
    1. Keep the same alias as before for root and intermediate when you import these certificates into cacerts.jks:
      keytool -import -alias <previous alias used for the certificate> -file <path_to_root_or_intermediate_cert> -keystore <controller_home>/appserver/jetty/etc/cacerts.jks
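
To see which entries in keystore.jks or cacerts.jks have expired before and after the import, including an expired intermediate inside a chain, you can filter the output of keytool -list -v. The following is an added example, not part of the original procedure: the function names and the sample listing are constructed for illustration, and it assumes keytool's English-locale "Valid from: ... until: ..." date format.

```sh
#!/bin/sh
# Added example: report keystore entries whose certificate expired before a cutoff.
# Reads `keytool -list -v` output on stdin; $1 is the cutoff date as YYYYMMDD.
# Real use (paths as in the steps above):
#   keytool -list -v -keystore keystore.jks | expired_aliases "$(date -u +%Y%m%d)"
# Prints: alias <TAB> chain position ("-" for trusted entries) <TAB> expiry date.
expired_aliases() {
    awk -v cutoff="$1" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        /^Alias name: /          { alias = substr($0, 13); idx = "-" }
        /^Certificate\[[0-9]+\]:/ { idx = $0; gsub(/[^0-9]/, "", idx) }
        /^Valid from: .* until: / {
            # keytool prints the expiry as e.g. "Sat Jan 01 00:00:00 UTC 2022"
            sub(/^.* until: /, "")
            nf = split($0, f, " ")
            notafter = sprintf("%04d%02d%02d", f[nf], mon[f[2]], f[3])
            if ((notafter + 0) < (cutoff + 0))
                print alias "\t" idx "\t" notafter
        }
    '
}

# Constructed sample of `keytool -list -v` output (not from a real keystore).
sample_listing() {
    cat <<'EOF'
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Sat Jan 01 00:00:00 UTC 2022
Certificate[2]:
Valid from: Fri Jan 01 00:00:00 UTC 2016 until: Thu Jan 01 00:00:00 UTC 2026
Alias name: example-root
Entry type: trustedCertEntry
Valid from: Thu Jan 01 00:00:00 UTC 2015 until: Mon Jan 01 00:00:00 UTC 2024
EOF
}

# Demonstration against the constructed sample with a fixed cutoff date.
sample_listing | expired_aliases 20240601
```

The comparison is by calendar day and ignores the time zone, so treat a certificate that expires on the cutoff day itself as due for renewal.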