Updating cacerts

The Web Interface site creation tool copies the server certificate and all chain certificates to the Java Key Store.

In certain scenarios, such as updating the server certificate after the initial web site creation or a change in the root or intermediate certificate, the Java Key Store can fall out of sync with the site and no longer trust the certificates it needs.

Also make sure your server clock has the correct time.

I recently helped someone who was having this issue, and it was due to a hosts file entry pointing to an old server. Once the certificate expired it started causing a problem, but it was not clear because it worked everywhere except for the server in question.

These days most CAs use an intermediate certificate: they sign a sub-CA certificate, which then signs certificates for their customers.

This approach allows the CA to revoke an intermediate certificate if it becomes compromised and simply generate a new intermediate from the far more valuable root certificate. is really good at debugging, and explaining in more detail.

Viewing the logs at /var/wi/tomcat/logs/log shows SSL trust errors.

Before we get into all the details, I'll start off by saying that the old advice to import the domain's certificate into cacerts is almost always wrong: cacerts is the keystore of trusted certificate authorities, so by importing a certificate there you are telling Java that this certificate is a trusted certificate authority.

A certificate authority is allowed to sign certificates for any domain, and Java may then trust those certificates.

Further, as trusted CA certificates become compromised they are revoked and should be removed from the cacerts file; the entire system of trust is eroded if this file is not kept up to date.
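One way to check, offline, whether a given cacerts actually trusts the chain the site serves, and to catch the anti-pattern described above, as an added example that is not code from the original page or from Citrix or the JDK: it loads the truststore, warns if the site's own (leaf) certificate is installed as a trust anchor, checks validity dates (the clock problem), and runs a PKIX validation that names the failing link. Assumed: the chain is a leaf-first PEM file, the truststore is JKS with the JDK default password changeit, and the class name CheckChainAgainstCacerts is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

/** Checks a PEM chain (leaf first) against a Java truststore and reports which link fails. */
public class CheckChainAgainstCacerts {
    public static void main(String[] args) throws Exception {
        // Assumed arguments: PEM chain file, cacerts path, store password ("changeit" is the JDK default).
        String storePath = args.length > 1 ? args[1] : "cacerts";
        char[] storePass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) { ks.load(in, storePass); }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        X509Certificate leaf = chain.get(0);

        // Anti-pattern from the text: the site's own certificate installed as a trust anchor.
        String alias = ks.getCertificateAlias(leaf);
        if (alias != null) System.out.println("WARNING: leaf cert is a trusted CA entry, alias '" + alias + "'");

        // Clock check: an expired or not-yet-valid link fails even when the chain is otherwise trusted.
        for (X509Certificate c : chain) {
            try { c.checkValidity(); }
            catch (CertificateException e) { System.out.println("Validity: " + c.getSubjectX500Principal() + ": " + e); }
        }

        // The anchor must come from cacerts, so drop a self-signed root that was shipped in the chain file.
        List<X509Certificate> path = new ArrayList<>(chain);
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) path.remove(last);

        PKIXParameters params = new PKIXParameters(ks);  // every trusted entry in cacerts becomes an anchor
        params.setRevocationEnabled(false);              // offline: revocation is checked separately
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(path), params);
            System.out.println("Trusted via anchor: " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            String where = e.getIndex() >= 0 ? " at " + path.get(e.getIndex()).getSubjectX500Principal() : "";
            System.out.println("NOT trusted: " + e.getReason() + where + " (" + e.getMessage() + ")");
        }
    }
}
```

A "NOT trusted" result pointing at the intermediate or at the last link in the path is the out-of-sync case from above: the fix is to import the current CA chain (not the leaf) into cacerts.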

Test Other HTTP Clients

Before you get too far down the rabbit hole, you should make sure that you are indeed dealing with a Java problem.
