The procedure for certificate renewal is mostly the same as the setup of new certificates. The only difference is that the old and new certificates should share the same private key, so the private key remains unchanged.
Notice: it's better to create a new JKS file than to patch an existing one.
Headwind MDM (main module)
1. Make sure old and new certificates are compatible with the same private key.
openssl rsa -modulus -noout -in yourdomain.key.pem | openssl md5
openssl x509 -modulus -noout -in yourdomain_legacy.crt | openssl md5
openssl x509 -modulus -noout -in yourdomain.crt | openssl md5
The resulting MD5 hash should be the same for all three files.
2. Create the new JKS file containing the key and the certificate chain
This procedure is the same as for new certificate creation: https://qa.h-mdm.com/1240/
openssl pkcs12 -export -out yourdomain.p12 -inkey yourdomain.key.pem -in yourdomain.crt -certfile yourdomain.ca_bundle
keytool -importkeystore -destkeystore yourdomain.jks -srckeystore yourdomain.p12 -srcstoretype PKCS12
3. Replace the certificate file and restart Tomcat
cp yourdomain.jks /var/lib/tomcat9/ssl
service tomcat9 restart
After restarting Tomcat, make sure HTTPS is running properly.
journalctl -f -u tomcat9.service
should display the following log entry:
Starting ProtocolHandler ["https-openssl-nio-8443"]
If you're running Headwind Remote on the same domain, you need to update certificates for this module as well.
1. Check the certificate path in the config.yaml
2. Prepare the "Full chain" file
Important: the domain certificate should go first, before the higher-level certificates; otherwise Headwind Remote may fail!
cat yourdomain.crt yourdomain.ca_bundle > /opt/remote-control/ssl/yourdomain_full_chain.crt
3. Restart Headwind Remote
4. If it doesn't work, check the nginx logs for critical errors:
docker-compose logs --tail 100 nginx