We will go step by step and show the full code at the end. We assume that you have followed our previous tutorial on how to install SSL, and we are making this script compatible with it.
First of all, create a file in which we will write the script. Let's call it renewSSL.sh.
First, we need to remove our CSR and PEM files:
- sudo rm *.pem
- sudo rm *.csr
You can use the full path as well, which is the better solution:
- sudo rm /usr/share/ssl/*.pem
- sudo rm /usr/share/ssl/*.csr
Next, your script needs to stop Tomcat and wait 30 seconds:
- sudo sh /usr/share/tomcat/bin/shutdown.sh
- sleep 30
Now we need to delete our keystore file; we will create a new one later:
- sudo rm /usr/share/ssl/*.keystore
Since we have deleted our keystore, we need to recreate it. Use the following command for that; keep in mind that we are creating a new file, server.keystore. The second command lists the keystore contents into key.check so you can verify the new entry:
- sudo keytool -genkey -noprompt -alias tomcat -dname "CN=$1, OU=NA, O=NA, L=NA, S=NA, C=NA" -keystore /usr/share/ssl/server.keystore -storepass $2 -keysize 2048 -keypass $2 -keyalg RSA
- sudo keytool -list -keystore /usr/share/ssl/server.keystore -v -storepass $2 > key.check
What is next? We need to build the CSR, using the following command. This will create a new CSR named request.csr:
- sudo keytool -certreq -alias tomcat -file request.csr -keystore /usr/share/ssl/server.keystore -storepass $2
Now it is time to request the certificate. This command will create a new file, 0001_chain.pem:
- sudo certbot certonly --csr ./request.csr --standalone
We have our certificate now; the first time, check the logs to be sure of that. Now we need to import the certificate into our keystore, using the following command:
- sudo keytool -import -trustcacerts -alias tomcat -file 0001_chain.pem -keystore /usr/share/ssl/server.keystore -storepass $2
At the end, start Tomcat:
- sudo sh /usr/share/tomcat/bin/startup.sh
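Putting the steps together, here is a complete renewSSL.sh as an added example (not the tutorial's own script). It keeps the tutorial's paths under /usr/share/ssl and /usr/share/tomcat; the function names, the domain check, the certificate check, the scratch keystore and the EXIT trap that restarts Tomcat on failure are this example's own additions.

```shell
#!/bin/sh
# renewSSL.sh <domain> <keystore-password>
# Directories under /usr/share/ssl and /usr/share/tomcat follow the tutorial;
# the function names and the validation checks are this example's own.
set -eu

SSL_DIR=/usr/share/ssl
TOMCAT_BIN=/usr/share/tomcat/bin
KEYSTORE="$SSL_DIR/server.keystore"

# Accept only a plausible hostname: the value is spliced into keytool's -dname
# string, so commas, spaces or quotes in it would corrupt the subject.
valid_domain() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# True when the file certbot wrote is non-empty and holds a PEM certificate.
has_certificate() {
    [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

renew() {
    domain=$1; pass=$2
    valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    cd "$SSL_DIR"                          # request.csr and *.pem land here
    rm -f ./*.pem ./*.csr "$KEYSTORE.new"
    sh "$TOMCAT_BIN/shutdown.sh"
    trap 'sh "$TOMCAT_BIN/startup.sh"' EXIT  # bring Tomcat back even on failure
    sleep 30                               # --standalone needs port 443 free
    # Build the new key, CSR and certificate in a scratch keystore so the live
    # one survives a failed certbot run.
    keytool -genkey -noprompt -alias tomcat -keyalg RSA -keysize 2048 \
        -dname "CN=$domain, OU=NA, O=NA, L=NA, S=NA, C=NA" \
        -keystore "$KEYSTORE.new" -storepass "$pass" -keypass "$pass"
    keytool -certreq -alias tomcat -file request.csr \
        -keystore "$KEYSTORE.new" -storepass "$pass"
    certbot certonly --csr ./request.csr --standalone
    has_certificate 0001_chain.pem || { echo "certbot produced no certificate" >&2; return 1; }
    keytool -import -noprompt -trustcacerts -alias tomcat -file 0001_chain.pem \
        -keystore "$KEYSTORE.new" -storepass "$pass"
    mv -f "$KEYSTORE.new" "$KEYSTORE"      # replace the live keystore only now
}

# Run only when both arguments are given; sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
    renew "$1" "$2"
fi
```

Because of `set -e`, any failing keytool or certbot call stops the script before the old keystore is touched, and the EXIT trap still restarts Tomcat.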
The script is ready to use. You can run it with the following commands; first make sure that the script is executable:
- sudo chmod +x renewSSL.sh
- sudo sh renewSSL.sh domain.com password
Keep in mind that you need to replace domain.com with the domain for which you want to request the SSL certificate, and the password as well. The password needs to be the same as in the server.xml configuration.
The last thing we need to do for this script to be useful is to create a cron job; use the following command to create it:
- crontab -e
- 30 03 01 */3 * sh /usr/share/ssl/renewSSL.sh example.com password >> /usr/share/ssl/sslLogs.log
This entry runs at 03:30 on the 1st day of every third month. Let's Encrypt certificates are valid for 90 days, and the gap from the 1st of one month to the 1st of the month three months later can be up to 92 days, so schedule the job more often than that to avoid a gap. Note also that the password is stored in the crontab and is visible in the process list while the script runs, so keep the crontab readable only by root.