Renewing an SSL Certificate signed by a Trusted Root Authority

Document created by mike_aronson (Employee) on Nov 15, 2013. Last modified by Adam Arrowsmith on Feb 28, 2017. Version 3.

See also Generating and Importing an SSL Certificate signed by a Trusted Root Authority

 

You have previously generated and imported an SSL Certificate signed by a Trusted Root Authority and are using it, but it is expiring and needs to be renewed. Please note that this is recommended for more advanced users.

  1. To determine which JRE the Atom is using, open <Atom Install>\.install4j\pref_jre.cfg or inst_jre.cfg (pref_jre.cfg takes precedence).
  2. Locate and back up the cacerts file. It should be at JAVA_HOME\jre\lib\security\cacerts, where JAVA_HOME is the Java home directory of the JVM you're using.
    Make a copy of the keystore (optional, but recommended).
  3. Submit your CSR to the Trusted Root Authority (for example, Verisign), and request/download the renewed certificate in PKCS7 format. The PKCS7 file contains the public certificate, the G3 intermediate certificate, and the G5 intermediate certificate, all in one file. Java must be 1.7 or newer.
  4. Open a command prompt and go to C:\java6\jre\bin\
  5. Replace the certificate file path\name and keystore path\name in the following command, then run it to import the PKCS7 certificate:
    1. keytool -import -alias Boomi -trustcacerts -file c:\Certificates\Boomi\NEWCERTNAME.p7b -keystore c:\Certificates\Boomi\KEYSTORENAME
  6. Replace the new and destination keystore paths/names and passwords (if different from changeit) in the following command, then run it to convert the keystore to .p12 format for import into Boomi:
    1. keytool -importkeystore -srckeystore c:\Certificates\Boomi\KEYSTORE -destkeystore c:\Certificates\Boomi\KEYSTORENAME.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass changeit -deststorepass changeit -srcalias Boomi -destalias Boomi -srckeypass changeit -destkeypass changeit -noprompt
  7. In AtomSphere, create a new Certificate Component as X.509 type. (This is preferred and recommended - do not update the existing certificate component that is expiring or copy the existing certificate component that is expiring). Import the new certificate and select the .p12 file created in step 5. Verify that the certificate that was imported is signed by the Trusted Root Authority (e.g. Verisign).
  8. In Build, use the Show Usage feature to find where this certificate is used, select the new Certificate Component, and re-deploy the process(es). In Manage, identify the Extensions or Atom Settings where the certificate is used and select the new Certificate Component to replace the current one.
  9. Restart the Atom and verify that the new Certificate Component is being used.
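
An added check, not part of the original document or Boomi's tooling: before importing the .p12 in step 7, the text printed by `keytool -list -v -keystore KEYSTORENAME.p12 -storetype PKCS12` can be inspected to confirm that the Boomi alias still holds a private key, that each certificate is issued by the next one in the chain, and that the leaf is not about to expire. The sample listing, its names and dates, and the helpers `parse_java_date` and `check_entry` are constructed for illustration and assume English-locale keytool output.

```python
import re
from datetime import datetime

# Constructed sample of English-locale `keytool -list -v` output; names and dates are made up.
SAMPLE = """\
Alias name: boomi
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=atom.example.com, O=Example Corp
Issuer: CN=Example Intermediate G3
Valid from: Tue Feb 28 00:00:00 UTC 2017 until: Thu Feb 28 23:59:59 UTC 2019
Certificate[2]:
Owner: CN=Example Intermediate G3
Issuer: CN=Example Intermediate G5
Valid from: Mon Jan 04 00:00:00 UTC 2010 until: Fri Jan 03 23:59:59 UTC 2025
Certificate[3]:
Owner: CN=Example Intermediate G5
Issuer: CN=Example Root CA
Valid from: Mon Jan 02 00:00:00 UTC 2006 until: Sun Jan 01 23:59:59 UTC 2034
"""

def parse_java_date(text):
    # Java prints "Thu Feb 28 23:59:59 UTC 2019"; weekday and zone are dropped
    # (assumption: day-level precision is enough for an expiry check).
    p = text.split()
    return datetime.strptime(" ".join(p[1:4] + p[5:6]), "%b %d %H:%M:%S %Y")

def check_entry(listing, alias, now, min_days=30):
    """Return a list of problems found for `alias` in keytool -list -v text."""
    entries = re.split(r"(?m)^Alias name: ", listing)[1:]
    entry = next((e for e in entries  # keytool prints aliases in lower case
                  if e.splitlines()[0].strip().lower() == alias.lower()), None)
    if entry is None:
        return ["alias %r not found" % alias]
    problems = []
    m = re.search(r"(?m)^Entry type: (\S+)", entry)
    if not m or m.group(1) != "PrivateKeyEntry":
        problems.append("entry is not a PrivateKeyEntry: no private key to export")
    owners = re.findall(r"(?m)^Owner: (.+)$", entry)
    issuers = re.findall(r"(?m)^Issuer: (.+)$", entry)
    untils = re.findall(r"(?m)until: (.+)$", entry)
    if len(owners) < 2:
        problems.append("chain has no intermediate certificates")
    for i in range(len(owners) - 1):  # each issuer must be the next owner
        if issuers[i].strip() != owners[i + 1].strip():
            problems.append("chain break after certificate %d" % (i + 1))
    days = (parse_java_date(untils[0]) - now).days  # untils[0] is the leaf
    if days < min_days:
        problems.append("leaf certificate expires in %d days" % days)
    return problems
```

An empty list means the entry passed all three checks. An entry that is not a PrivateKeyEntry means the .p12 would carry no private key.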
