The procedure for certificate renewal is mostly the same as the setup of new certificates. The only difference is that the old and new certificates share the same private key, which remains unchanged.
Notice: it's better to create a new JKS file than to patch an existing one.
Headwind MDM (main module)
1. Make sure old and new certificates are compatible with the same private key.
openssl rsa -modulus -noout -in yourdomain.key.pem | openssl md5
(stdin)= 3304b66c905852a0e6e1bd2174db95f0
openssl x509 -modulus -noout -in yourdomain_legacy.crt | openssl md5
(stdin)= 3304b66c905852a0e6e1bd2174db95f0
openssl x509 -modulus -noout -in yourdomain.crt | openssl md5
(stdin)= 3304b66c905852a0e6e1bd2174db95f0
The resulting MD5 hash must be the same for all three files.
2. Create the new JKS file containing the key and the certificate chain
This procedure is the same as for creating a new certificate: https://qa.h-mdm.com/1240/
openssl pkcs12 -export -out yourdomain.p12 -inkey yourdomain.key.pem -in yourdomain.crt -certfile yourdomain.ca_bundle
keytool -importkeystore -destkeystore yourdomain.jks -srckeystore yourdomain.p12 -srcstoretype PKCS12
3. Replace the certificate file and restart Tomcat
cp yourdomain.jks /var/lib/tomcat9/ssl
service tomcat9 restart
After restarting Tomcat, make sure HTTPS is running properly.
journalctl -f -u tomcat9.service
should display the following log entry:
Starting ProtocolHandler ["https-openssl-nio-8443"]
Headwind Remote
If you're running Headwind Remote on the same domain, you need to update certificates for this module as well.
1. Check the certificate path in config.yaml
custom_ssl_cert: "/opt/remote-control/ssl/yourdomain_full_chain.crt"
2. Prepare the "Full chain" file
Important: the domain certificate should go first, before the higher-level certificates; otherwise Headwind Remote may fail!
cat yourdomain.crt yourdomain.ca_bundle > /opt/remote-control/ssl/yourdomain_full_chain.crt
3. Restart Headwind Remote
cd /opt/remote-control
bash ./install.sh
4. If it doesn't work, check the nginx logs for critical errors:
cd /opt/remote-control
docker-compose logs --tail 100 nginx
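The two checks above (step 1 of the main module, that the key and both certificates belong together, and step 2 of Headwind Remote, that the domain certificate comes first in the full-chain file) as a small POSIX shell script. This is an added example, not part of the original page or of Headwind's installer; file names and the key_fp/cert_fp/keys_match/build_full_chain function names are assumptions. It compares SHA-256 fingerprints of the public key rather than the RSA modulus, so it also works for EC keys.

```shell
#!/bin/sh
# Added example (not from the Headwind MDM page). Requires the openssl CLI.
set -eu

# Fingerprint of the public key inside a private key file (SHA-256 over DER SPKI).
# Works for RSA and EC keys, unlike the "-modulus" check, which is RSA-only.
key_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public key inside an X.509 certificate, same encoding as key_fp.
cert_fp() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match KEY CERT... : returns 0 only when every certificate carries the
# public key that belongs to KEY (the "same private key" requirement for renewal).
keys_match() {
    key="$1"; shift
    want=$(key_fp "$key")
    for cert in "$@"; do
        got=$(cert_fp "$cert")
        if [ "$got" != "$want" ]; then
            echo "mismatch: $cert does not belong to $key" >&2
            return 1
        fi
    done
    return 0
}

# build_full_chain DOMAIN CERT CA_BUNDLE OUT : concatenates the domain certificate
# first and the CA bundle after it, then re-reads OUT to confirm the first PEM
# block really is the domain certificate (openssl x509 only parses the first block).
build_full_chain() {
    domain="$1"; cert="$2"; bundle="$3"; out="$4"
    cat "$cert" "$bundle" > "$out"
    first_subject=$(openssl x509 -in "$out" -noout -subject)
    case "$first_subject" in
        *"CN = $domain"*|*"CN=$domain"*) return 0 ;;
        *) echo "wrong order: first certificate in $out has subject '$first_subject'" >&2
           return 1 ;;
    esac
}

# Typical use during renewal (paths are placeholders):
#   keys_match yourdomain.key.pem yourdomain_legacy.crt yourdomain.crt || exit 1
#   build_full_chain yourdomain yourdomain.crt yourdomain.ca_bundle \
#       /opt/remote-control/ssl/yourdomain_full_chain.crt || exit 1
```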