Updating HTTPS Certificate

To obtain a new HTTPS certificate from a CA, you must issue a certificate request. Record all steps executed and their output in the cert.https.log file for tracking.

Note:

Pay attention to the following points:

  • The commands listed here are only examples and do not include all the options that the keytool program offers. Careful consideration must be taken when generating your key pair for your environment. Consult with your web Administrator.
  • Each certificate requires a separate keystore.
  • The CA might have specific options required for creating an HTTPS certificate. Review the instructions provided by the CA before generating the certificate request.

Procedure

  1. Issue the following sample command to generate a Java keystore and key pair where the certificate will be considered valid for 365 days:
    keytool -genkey -v -alias cfcc -keyalg RSA -keysize 2048 -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit -validity 365

    In the sample command, the keypass and storepass values are the same. These two values must match each other. It is good practice to use the same keystore and storepass values that are used to create the original keystore. This way you will not have to update the keystore password in the product configuration files.

    The keytool utility displays messages requesting more information about the certificate request. When the keytool utility prompts "What is your first and last name?", you must enter the DNS name that is used to access TIBCO MFT Command Center. For example, you can enter mft.yourcompany.com as the DNS name. This DNS name is used as the Common Name (CN) in the certificate. HTTPS requires the CN to match the DNS name used to access the HTTPS server.

  2. Generate a certificate request.

    You can use the following sample command:

    keytool -v -certreq -alias cfcc -file MFTIS_Install\keystore\cfcc.csr -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit
  3. Submit the certificate request file created in the previous sample command to the CA.
  4. Install the CA certificate into the TIBCO MFT Command Center keystore by performing the following steps:
    1. Save the certificate returned by the CA to a file Cert_File.
    2. Run the following keytool command to import the certificate:
      keytool -v -import -alias cfcc -trustcacerts -file Cert_File -keystore Keystore_File_Name
      Note: Some CAs now issue an intermediate certificate along with the main certificate. If this is true for your CA, import certificates using unique aliases to the keystore created in Step 1. This step is required to prevent the client from receiving a certificate warning.
  5. Navigate to the MFTCC_Install\server\conf directory and change the keystore path in the server.xml file to update the MFT server to use the new keystore.
    1. Look for the connector associated with the HTTPS port.
    2. Update the keystoreFile parameter to point to the new keystore.
    3. If the password is changed, update the keystorePass parameter with the new keystore password.
    Note: You can rename your old keystore file, for example, to org.keystore.jks, and then rename the new keystore to have the old file name in the same location. This way no changes are needed to the server.xml file, which is located in the MFTCC_Install\server\conf directory, and you can go to Step 6.
  6. Stop and start TIBCO MFT Command Center.
  7. Verify that the MFT server is listening on the defined port.
  8. Perform a file transfer to verify that TIBCO MFT Command Center is functioning correctly.
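
A check to run after the restart, as an added example that is not part of the TIBCO documentation: it fetches the certificate the HTTPS port serves and reports expiry and name problems, including a certificate that carries the DNS name only in CN, because modern TLS clients match the name against subjectAltName entries rather than CN. The function names, the 30-day warning threshold, port 443 and the sample certificate are assumptions made for this example, and the live check assumes the CA is in the system trust store.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_cert(host, port, timeout=5.0):
    """Handshake with chain and host-name verification on; return the leaf as a dict.
    A missing intermediate or a name mismatch raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """Exact match, or a wildcard that covers exactly the left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def audit_cert(cert, dns_name, now=None, warn_days=30):
    """Return findings for a getpeercert()-style dict; an empty list means clean."""
    now = now or datetime.now(timezone.utc)
    findings = []
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append("expired")
    elif days_left < warn_days:
        findings.append(f"expires in {days_left} days")
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(s, dns_name) for s in sans):
        if any(name_matches(c, dns_name) for c in cns):
            # What answering only the "first and last name" prompt produces.
            findings.append("name only in CN, not in subjectAltName")
        else:
            findings.append("name mismatch")
    return findings

# Constructed sample: CN-only certificate, two weeks from expiry on the date used below.
SAMPLE_CN_ONLY = {
    "subject": ((("commonName", "mft.yourcompany.com"),),),
    "notAfter": "Jun 15 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    when = datetime(2025, 6, 1, 12, tzinfo=timezone.utc)
    print(audit_cert(SAMPLE_CN_ONLY, "mft.yourcompany.com", when))
    # Live: audit_cert(fetch_cert("mft.yourcompany.com", 443), "mft.yourcompany.com")
```

Record the output of the check in cert.https.log alongside the keytool steps.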