How to replace default, self-signed certificate for WebAccess on Windows servers.

  • 7024178
  • 14-Oct-2019
  • 14-Oct-2019

Environment

GroupWise 18

Situation

There are two ways to secure the Apache/Tomcat combination on Windows servers: either natively, by securing the Java side (Tomcat), or by securing the web (Apache) side. A certificate issued specifically for the Apache web server generally cannot be used with Tomcat. The root cause is that the Apache web server uses the openssl tool, whereas the Java side is secured with the keytool.exe tool located under your Java directory.
One way to get a hint whether the certificate the CA gave you was generated for Java is to preview the certificate. If the text output lists the alias tomcat, the certificate was indeed issued for Tomcat/Java SSL.
This article describes how to use a certificate in PKCS12 format, which you might receive from the CA, for the Tomcat/Java SSL configuration.

Resolution

First, verify the certificate you received from the CA by previewing it:

1. Open the DOS command line tool (cmd.exe) on the Windows server and change to C:\Novell\GroupWise\tomcat\jre\bin. The keytool.exe tool for securing Java is located there.

2. Preview your certificate:

keytool.exe -list -storetype pkcs12 -keystore <path to your certificate file>

This will ask for a password: either the one the CA gave you, or the default password changeit. The output on screen should list the word tomcat (the alias).

Next we will replace the default installed self-signed certificate. Copy the ".keystore" file from the C:\Novell\GroupWise\tomcat\conf directory into some other, temporary directory where you also copied the certificate received from the CA.
The default certificate in the ".keystore" file also has the alias tomcat, therefore we must first remove it:

keytool.exe -delete -alias tomcat -keystore <path to the .keystore file>

To verify that this succeeded, list the certificates stored in the ".keystore" file:

keytool.exe -list -v -keystore <path to the .keystore file>

This should now list no certificates. In the next step we import the PKCS12-formatted certificate file into the ".keystore" file (with -importkeystore the entry to copy and its new name are given with -srcalias and -destalias):

keytool.exe -importkeystore -v -srckeystore <path to the P12 cert file> -srcstoretype pkcs12 -destkeystore <path to the .keystore file> -deststoretype pkcs12 -srcalias tomcat -destalias tomcat

Re-check the newly imported PKCS12 certificate:

keytool.exe -list -v -keystore <path to the .keystore file>

Once you see the correct new certificate stored in the ".keystore" file, you can:

1. Stop the Apache-Tomcat service from the Services tool.

2. Go into the C:\Novell\GroupWise\Tomcat\conf directory and rename the default ".keystore" file to ".keystore.old".

3. Copy your new ".keystore" file from the temp directory into Tomcat's conf directory, then start the Apache-Tomcat service again.

4. If all worked fine, you can open your web server site; it should show an HTTPS connection with a padlock icon in front of the URL. Inspecting the certificate (padlock icon) will show the CA certificate you just installed.
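The whole procedure above, from previewing the CA-issued file to swapping the keystore and checking what Tomcat serves afterwards, as a PowerShell script. This is an added example, not part of the TID and not GroupWise's own tooling. It assumes the paths used in the article and that the PKCS12 file from the CA holds one entry with alias tomcat; two things the article does not state are placeholders to adjust: the service name as shown in the Services tool ($ServiceName) and the WebAccess HTTPS port ($Port). Passwords are handed to keytool through environment variables (keytool's :env modifier) so they do not appear on the command line.

```powershell
# Added example, not from the TID. Replaces the default self-signed Tomcat
# certificate with a CA-issued PKCS12 file using the same keytool steps as the
# article, then verifies the result. Placeholders to adjust: $P12File,
# $ServiceName (name shown in the Services tool), $Port (WebAccess HTTPS port).
$ErrorActionPreference = 'Stop'

$Keytool     = 'C:\Novell\GroupWise\tomcat\jre\bin\keytool.exe'
$ConfDir     = 'C:\Novell\GroupWise\tomcat\conf'
$Keystore    = Join-Path $ConfDir '.keystore'
$P12File     = 'C:\temp\webaccess-from-ca.p12'   # placeholder: the file the CA sent you
$Alias       = 'tomcat'                           # alias used by both the default and the CA-issued entry
$ServiceName = 'Tomcat'                           # placeholder: check the real name in services.msc
$Port        = 443                                # placeholder: the port WebAccess listens on for HTTPS
$WorkDir     = Join-Path $env:TEMP 'gw-keystore-work'

# keytool reads passwords from the environment via its ":env" modifier, which keeps
# them out of the process command line and the PowerShell history.
$env:P12PASS = Read-Host 'Password for the CA-issued PKCS12 file'
$env:KSPASS  = Read-Host 'Password for the Tomcat .keystore (default: changeit)'

function Invoke-Keytool {
    param([string[]]$KeytoolArgs)
    # keytool prints warnings on stderr; do not let them trip ErrorActionPreference.
    $ErrorActionPreference = 'Continue'
    $out = & $Keytool @KeytoolArgs 2>&1 | ForEach-Object { "$_" }
    if ($LASTEXITCODE -ne 0) { throw "keytool failed:`n$($out -join "`n")" }
    return $out
}

# 1. Preview the CA file: it must be PKCS12 and contain the expected alias.
$listing = Invoke-Keytool @('-list', '-storetype', 'pkcs12', '-keystore', $P12File, '-storepass:env', 'P12PASS')
if (@($listing | Where-Object { $_ -match "^$Alias," }).Count -eq 0) {
    throw "No entry with alias '$Alias' in $P12File; it was probably not issued for Tomcat/Java."
}

# 2. Work on a copy of .keystore so the live file is untouched until the final swap.
New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null
$WorkKeystore = Join-Path $WorkDir '.keystore'
Copy-Item $Keystore $WorkKeystore -Force

# 3. Remove the default self-signed entry, which occupies the same alias.
Invoke-Keytool @('-delete', '-alias', $Alias, '-keystore', $WorkKeystore, '-storepass:env', 'KSPASS') | Out-Null

# 4. Import the CA-issued private key and chain under that alias.
Invoke-Keytool @('-importkeystore', '-noprompt',
                 '-srckeystore', $P12File, '-srcstoretype', 'pkcs12', '-srcstorepass:env', 'P12PASS',
                 '-srcalias', $Alias, '-destalias', $Alias,
                 '-destkeystore', $WorkKeystore, '-deststorepass:env', 'KSPASS') | Out-Null

# 5. Re-check: exactly one entry, and print the fields worth eyeballing before going live.
$verbose = Invoke-Keytool @('-list', '-v', '-keystore', $WorkKeystore, '-storepass:env', 'KSPASS')
$verbose | Where-Object { $_ -match '^(Alias name|Owner|Issuer|Valid from|Certificate chain length):' }
if (@($verbose | Where-Object { $_ -match '^Alias name:' }).Count -ne 1) {
    throw 'Expected exactly one entry in the new keystore; not installing it.'
}

# 6. Swap the keystore in with the service stopped, keeping the old one as .keystore.old.
Stop-Service -Name $ServiceName
Copy-Item $Keystore "$Keystore.old" -Force
Copy-Item $WorkKeystore $Keystore -Force
Start-Service -Name $ServiceName

# 7. Confirm what Tomcat actually serves now, independent of any browser cache.
function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the point is to read it, not to trust it yet.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Tomcat needs a moment to come up; retry for up to a minute.
$served = $null
foreach ($i in 1..12) {
    try { $served = Get-ServedCertificate -HostName 'localhost' -Port $Port; break } catch { Start-Sleep -Seconds 5 }
}
if (-not $served) { throw "Nothing answered on port $Port after restart; check the Tomcat log." }
"Serving: $($served.Subject)`nIssuer:  $($served.Issuer)`nExpires: $($served.NotAfter)`nSHA1:    $($served.Thumbprint)"
```

Run it from an elevated PowerShell on the WebAccess server. Unlike the article's command, the script gives keytool no -deststoretype, so the copied .keystore keeps whatever format it already has; all modifications happen on the copy in $WorkDir, and the live file is only replaced after the re-check in step 5 confirms a single tomcat entry. The final step reads the certificate straight off the TLS port rather than relying on the browser's padlock, so a stale cached session cannot hide a failed swap.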