Updating the HTTPS Certificate

To obtain a new HTTPS certificate from the CA, you must issue a certificate request. Record every step executed and its output in a file called cert.https.log for tracking purposes. Redact the keystore and key passwords before saving the log, because the commands below carry them on the command line.

Note:
  • The commands listed here are only examples and do not include all the options that the keytool program offers. Take care when generating the key pair for your environment, and consult your web administrator.
  • Each certificate requires a separate keystore.
  • The CA may have specific options required for creating an HTTPS certificate. Review the instructions provided by the CA before generating the certificate request.

Procedure

  1. To generate a Java keystore and key pair whose self-signed placeholder certificate is valid for 365 days (the CA decides the validity of the final certificate), you can issue the following example command on one line:
    keytool -genkey -v -alias cfcc -keyalg RSA -keysize 2048 -ext SAN=dns:mft.yourcompany.com -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit -validity 365
    The keytool utility will then prompt for the information that goes into the certificate. The most important prompt is What is your first and last name. Enter the DNS name used to access TIBCO MFT Internet Server, for example mft.yourcompany.com. This becomes the common name (CN) of the certificate, and HTTPS requires it to match the DNS name clients use to reach the server. Current browsers additionally require that name to appear in the Subject Alternative Name (SAN) extension and ignore the CN when matching; the -ext SAN=dns:... option above adds it (repeat the CN, or list every name clients will use as dns:name1,dns:name2). Note that changeit is the well-known Java default password; use a strong value of your own for both -keypass and -storepass. -genkey is the older spelling of -genkeypair and is still accepted.

    In the example command above, the -keypass and -storepass values are the same. These two passwords must match each other, because the server opens the private key with the keystore password. Using the same password that was used to create the original keystore also means the keystore password in the product configuration files does not have to be updated.

  2. Generate a certificate request.
    You can issue the following example command on one line. The -ext option repeats the SAN so that it is carried in the request; many CAs set the SAN from their own order form instead, so check the CA's instructions:
    keytool -v -certreq -alias cfcc -ext SAN=dns:mft.yourcompany.com -file MFTIS_Install\keystore\cfcc.csr -keypass changeit -keystore MFTIS_Install\keystore\newkeystore.jks -storepass changeit
  3. Submit the certificate request file created in the above command to the CA.
  4. Install the CA certificate into the TIBCO MFT Internet Server keystore.
    1. Save the certificate returned by the CA to a file Cert_File.
    2. Execute the following keytool command on one line to import the certificate. Keystore_File_Name is the keystore created in Step 1, and the alias must be the same alias (cfcc) under which the key pair was generated, so that keytool attaches the CA-issued certificate to that private key instead of storing it as a separate trusted-certificate entry. keytool prompts for the keystore password.
      keytool -v -import -alias cfcc -trustcacerts -file Cert_File -keystore Keystore_File_Name
      keytool reports Certificate reply was installed in keystore when the certificate was attached to the key pair. If it reports Certificate was added to keystore, the certificate was stored as a trusted-certificate entry under a new alias, which is not what you want for the server certificate.
    Note: Some CAs now issue an intermediate certificate along with the main certificate. If this is true for your CA, first import the intermediate certificate (and the root, if it is not already in the Java cacerts file) into the keystore created in Step 1, each under its own unique alias, and then import the server certificate under alias cfcc. keytool needs the intermediate to build the chain, and the server must send the whole chain; otherwise clients that do not already hold the intermediate receive a certificate warning.
  5. To update TIBCO MFT Internet Server to use the new keystore, change the keystore path in the file MFTIS_Install\server\conf\server.xml.
    Alternatively, rename the old keystore file (for example to org.keystore.jks) and then rename the new keystore to the old file name in the same location. No change to the server.xml file is then needed, and you can go to Step 6.
    1. Look for the connector associated with the HTTPS port.
    2. Update the keystoreFile parameter to point to the new keystore.
    3. If the password has changed, update the keystorePass parameter with the new keystore password.
  6. Stop and restart TIBCO MFT Internet Server.
  7. Verify that TIBCO MFT Internet Server is listening on the defined port.
  8. Perform a file transfer to verify that TIBCO MFT Internet Server is functioning correctly. Run the transfer from a client that does not already trust the old certificate, so that a chain or name problem is not masked by a cached trust exception.
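Steps 7 and 8 confirm the server is up, but a transfer that succeeds from a client which already trusts the old certificate does not prove the new certificate is being served. The script below is an added example for this page and is not TIBCO code: it connects to the HTTPS port, validates the chain the way a browser would (so a missing intermediate from Step 4 or an unchanged keystoreFile from Step 5 shows up as a chain failure), and then checks that the served leaf certificate carries the expected DNS name in SAN, is not close to expiry, and is not the self-signed placeholder keytool created in Step 1. The host name mft.yourcompany.com, port 443 and the two sample certificate dicts are constructed assumptions.

```python
"""Check the certificate TIBCO MFT Internet Server presents after the keystore swap.

Added example for this page, not TIBCO code. Host name, port and the two
sample certificates below are constructed assumptions.
"""
from __future__ import annotations

import socket
import ssl
import sys
import time

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns (not real certificates).
# SAMPLE_NEW: CA-issued, CN and SAN both carry the server's DNS name.
SAMPLE_NEW = {
    "subject": ((("organizationName", "YourCompany"),), (("commonName", "mft.yourcompany.com"),)),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),)),
    "subjectAltName": (("DNS", "mft.yourcompany.com"), ("DNS", "www.mft.yourcompany.com")),
    "notBefore": "Jan  1 00:00:00 2029 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
# SAMPLE_OLD: what keytool -genkey leaves in the keystore before the CA reply is imported,
# i.e. self-signed, CN only, no SAN; also expired here.
SAMPLE_OLD = {
    "subject": ((("commonName", "mft.yourcompany.com"),),),
    "issuer": ((("commonName", "mft.yourcompany.com"),),),
    "notBefore": "Jun  1 12:00:00 2024 GMT",
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}


def san_dns_names(cert: dict) -> list[str]:
    """DNS entries of the Subject Alternative Name extension (empty if absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert: dict) -> str | None:
    """The CN from the subject, which is what keytool's 'first and last name' prompt sets."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard only as the whole left-most label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and hostname.count(".") == pattern.count("."):
        return hostname.split(".", 1)[1] == pattern[2:]
    return False


def not_after_seconds(cert: dict) -> float:
    """Expiry of the certificate as a POSIX timestamp."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def check_cert(cert: dict, hostname: str, now: float | None = None, min_days: int = 30) -> list[str]:
    """Return the problems found with the leaf certificate; an empty list means it looks right."""
    problems: list[str] = []
    now = time.time() if now is None else now
    sans = san_dns_names(cert)
    cn = common_name(cert)
    if not sans:
        problems.append("no DNS names in subjectAltName; current browsers ignore the CN and will reject this certificate")
        if cn is None or not name_matches(cn, hostname):
            problems.append(f"CN {cn!r} does not match {hostname!r}")
    elif not any(name_matches(san, hostname) for san in sans):
        problems.append(f"SAN entries {sans} do not cover {hostname!r}")
    days_left = (not_after_seconds(cert) - now) / 86400
    if days_left < 0:
        problems.append("certificate has expired")
    elif days_left < min_days:
        problems.append(f"certificate expires in {days_left:.0f} days")
    if cert.get("subject") == cert.get("issuer"):
        # Catches the keytool placeholder from Step 1 when a certificate dict is checked directly;
        # in the live path below, chain verification already rejects it before we get here.
        problems.append("certificate is self-signed; the server may still be using the old keystore")
    return problems


def fetch_leaf_cert(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect with TLS and return the served leaf certificate as a getpeercert() dict."""
    ctx = ssl.create_default_context()   # trusts the OS / Python CA bundle, like a browser
    ctx.check_hostname = False           # name check is done by check_cert, with a clearer message
    ctx.verify_mode = ssl.CERT_REQUIRED  # but a chain to a trusted root is still required
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mft.yourcompany.com"  # assumed server name
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443               # assumed HTTPS port
    try:
        served = fetch_leaf_cert(host, port)
    except ssl.SSLCertVerificationError as err:
        # Typical causes: intermediate not imported into the keystore (Step 4), or the
        # old self-signed keystore still referenced in server.xml (Step 5).
        sys.exit(f"chain verification failed for {host}:{port}: {err.verify_message}")
    found = check_cert(served, host)
    print("OK" if not found else "\n".join(found))
    sys.exit(1 if found else 0)
```

Run it as python check_mft_cert.py mft.yourcompany.com 443 from a machine outside the server's own trust store. A non-zero exit with a chain message means clients will see a warning regardless of what the transfer test in Step 8 showed from a client that already trusted the old certificate; an empty problem list with exit 0 is the result to paste into cert.https.log.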