Updated SSL certificate but browser still shows as invalid
Running GlassFish 3.1.1 (build 12) on Amazon Linux.
The app has been running for 3 years without an issue, but now I need to update the SSL certificate.
My research included the following web sites:
In my existing keystore I have:
$ /usr/java/jdk1.7.0_01/bin/keytool -list -keystore keystore.jks
Enter keystore password: changeit
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 6 entries
root, Mar 15, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 27:96:BA........:20:EE:E4
glassfish-instance, Aug 5, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): CD:ED:ED.......:F2:52:99
app, Mar 15, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): D2:91:C9........:54:03:0A
intermed, Mar 15, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 7C:46:56..........:11:FC:44
s1as, Aug 5, 2011, PrivateKeyEntry,
Certificate fingerprint (SHA1): 93:89:A1........:E0:22:3E
cross, Mar 15, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): DE:70:F4:........:3B:2C:62
In the Glassfish "server-config" listerner-2 section the SSL tab shows alias "app" and keystore is "keystore.jks".
I applied to GoDaddy for the replacement certificate, and after going through the verification process received a zip file containing:
I deleted the existimg "app" alias from the keystore:
/usr/java/jdk1.7.0_01/bin/keytool -delete -alias app -keystore keystore.jks.test
Then added the new certificate to teh same alias:
/usr/java/jdk1.7.0_01/bin/keytool -import -alias app -keystore keystore.jks.test -trustcacerts -file 71.......8c4.crt
I then restarted GlassFish.
Then I navigated to the SSL site on my browser but got the same Invalid Certificate warning.
When I use the browsers "View Certificate" option and look at the "Thumbprint" the hex key matches the old "app" key from the keystore, i.e. GlassFish doesn't seem to be picking up the new keystore.