Last update: 8 March 2018
This how-to describes what must be done to renew your Liferay Portal Certificates.
SSLCertificateFile /var/opt/fabasoft/instances/WebService_103/servercert.pem
SSLCertificateKeyFile /var/opt/fabasoft/instances/WebService_103/serverkeynodes.pem
SSLCACertificateFile /var/opt/fabasoft/instances/WebService_103/cacert.pem
This is the path where the certificates for the eServices are stored. The new certificates have to be placed in this folder.
The following statements are necessary to create a Certificate Authority and the dedicated keys, requests and certificates.
openssl req -config -new -keyout .pem -out .pem -passout "pass:" -batch
openssl ca -config -subj "" -out .pem -days -batch -keyfile .pem -selfsign -passin "pass:" -infiles .pem
The subj value could look like this: "/C=AT/ST=Upper Austria/L=Linz/O=Fabasoft AG/CN=Fabasoft Local eService CA"
openssl pkcs12 -export -in .pem -inkey .pem -out .p12 -name "CaCertificate" -passin "pass:" -passout "pass:"
openssl x509 -in .pem -out .cer -outform DER
This certificate has to be available on the webservice.
openssl req -config -new -keyout .pem -out .pem -subj "" -passout "pass:" -days -batch
The subj value could look like this: "/CN=servicedesktest.support.fabasoft.local"
openssl ca -config -policy policy_anything -out .pem -batch -infiles .pem
openssl rsa -in .pem -out .pem
Stop all Fabasoft Folio WebServices. To use the created certificates, copy them to the correct file system locations (noted at the beginning). Make sure all certificates and keys have the same permissions as the originals.
Important: The CN of the Liferay certificate must be a loginstring of the Liferay Service User in the Fabasoft Folio installation.
openssl req -config -new -keyout .pem -out .pem -subj "" -passout "pass:" -days -batch
The subj value could look like this: "/CN=liferaysvc"
openssl ca -config -policy policy_anything -out .pem -batch -infiles .pem
openssl rsa -in .pem -out .pem
openssl pkcs12 -export -in .pem -inkey .pem -out keystore.p12 -name "CaCertificate" -passin "pass:" -passout "pass:"
keytool -import -trustcacerts -alias "" -file cacert.cer -keystore truststore.jks -noprompt -storepass
The alias value could look like this: "Fabasoft Local eService CA"
To exchange the truststore and the Liferay service user certificate, two files have to be edited and the generated files have to be copied to the Tomcat directory (webapps/ROOT/WEB-INF/certs).
In the following two files the passwords for the truststore and the keystore have to be edited:
Liferay can now be started. To get fully functional portlets, the portlets have to be instantiated anew so that the new certificates are chosen.
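
A check to run on renewed files before they are copied into place, as an added example that is not part of the original how-to: it confirms that a certificate chains to the CA, that its key is unencrypted and matches it, that the CN is the expected name, and that it is not about to expire. The function names, the fixture files and the sample CN are constructed for the demonstration, and the fixture is signed with `openssl x509 -req` rather than the `openssl ca` setup used above.

```shell
#!/bin/sh
# Added example: post-renewal checks. File names and CN below are constructed.

# check_renewed CERT KEY CA EXPECTED_CN [MIN_DAYS]; returns 0 or a code per failed check.
check_renewed() {
    cert=$1; key=$2; ca=$3; want_cn=$4; min_days=${5:-30}
    # 1. The certificate must chain to the CA that the web service trusts.
    openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $cert does not verify against $ca"; return 1; }
    # 2. The key must be unencrypted and belong to this certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey |
        openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: $key is encrypted or does not match $cert"; return 2; }
    # 3. The CN must be exactly the expected name (host name or login string).
    subj=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)
    subj=${subj#subject=}; subj=${subj# }
    case ",$subj," in
        *",CN=$want_cn,"*) ;;
        *) echo "FAIL: subject '$subj' lacks CN=$want_cn"; return 3 ;;
    esac
    # 4. The certificate must stay valid for at least MIN_DAYS more days.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "FAIL: $cert expires within $min_days days"; return 4; }
    echo "OK: $cert"
}

# make_fixture DIR: constructed throwaway CA plus one certificate for CN=liferaysvc.
make_fixture() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$1/t.cnf"
    openssl req -config "$1/t.cnf" -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Constructed Test CA" -keyout "$1/cakey.pem" -out "$1/cacert.pem" 2>/dev/null
    openssl req -config "$1/t.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=liferaysvc" -keyout "$1/key.pem" -out "$1/req.pem" 2>/dev/null
    openssl x509 -req -in "$1/req.pem" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
        -CAcreateserial -days 90 -out "$1/cert.pem" 2>/dev/null
}

# Demonstration run on the constructed fixture (valid for 90 days, so 30 passes).
demo=$(mktemp -d) && make_fixture "$demo" &&
    check_renewed "$demo/cert.pem" "$demo/key.pem" "$demo/cacert.pem" liferaysvc 30
rm -rf "$demo"
```

Against real files, call `check_renewed` with the renewed certificate, the unencrypted key, the CA certificate and the CN the installation expects.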