SSL CERT REQUEST FOR TOMCAT

Prerequisites

When renewing an SSL cert for Tomcat, the developer must provide the following information so that you can update or create a new keystore file for the cert.

1.    Location of keystore file on the server

2.    Password used for keystore file

3.    Any Subject Alternative Name (SAN) to be included in the cert request

4.    How to restart the software if required.

To make the cert request easier, a GUI application can be used instead of the command line.  This means you don’t need to run the command on the server; you create the CSR on your desktop instead.  Install the Keystore Explorer software (kse-522.exe) located in the following location. Once you have the software installed on your desktop, follow the instructions to create your keystore.

1.       Start Keystore Explorer located on your desktop

2.       Click Create a new keystore

4.       Select JKS and click OK

6.       Click Generate a Key Pair

8.       Select the following options and click OK.

10.   Click Edit Name

12.   Enter your Cert request information and click OK when done

14.   The info should look like this.  Click OK.

16.   If your request has a Subject Alternative Name (SAN), see Appendix A at the bottom.

17.   Click OK for Alias Name or change the name if you like.

19.   Use the same password as your keystore.

21.   Click OK

23.   Right click on your keystore and select Generate CSR.

25.   Select “Add Certificate Extensions to request” if a SAN was added.  Click OK when done.

27.   Click File/Save.  Save your keystore as “Keystore.jks”.  Use the same password as the keystore you’re replacing.

28.   Submit your CSR and Request form to CKM

29.   Once you’ve received the SSL cert from CKM, import all three certs (Root, Issuing and Server cert).

30.    Open your Keystore.jks file and enter the keystore password

32.   Click Import Trusted Certificate

34.   Locate your BMO MS Root cert and click Import.  Repeat the same for the BMO MS Issuing cert.

36.   Keep default name for Alias, click OK

38.   Once completed, it should look like below

40.   Right click on the Key Pair and click Import CA Reply/From File

42.   Locate your server cert and click Import.

44.   Right click on Key Pair/View Details/Certificate Chain Details.

46.   You should see something like what’s shown below.

48.   If your cert had a Subject Alternative Name (SAN), click on Extensions

50.   Click Subject Alternative Name to view your SAN

52.   Save your keystore file.

53.   To update the keystore file on the server, first make a backup of the current keystore file.

54.   Replace the keystore file with the one you just created.  Make sure the keystore file name is EXACTLY the same as the one you are replacing. If there is no extension on the current file, remove the extension from the one you created.

55.   Restart application and test.

APPENDIX A

Subject Alternative Name

1.       After entering your cert information for your main URL, click Add Extensions

3.       Click the Green plus sign

5.       Select Subject Alternative Name from the list, click OK.

7.       Click Green Plus Sign

9.       Select DNS Name and enter your URL as shown below. Click OK when done

12.   If you have multiple Subject Alternative Names, repeat from Step 7.  Once done, click OK until you exit this option.

13.   To confirm your entry, right click on Keypair/View Details/Certificate Chain Details

15.   Click Extension

18.   Generate your CSR starting from step 23 above.
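
The checks in steps 44 to 55 of the main procedure (chain details, SAN, backup, same-name replacement) can also be scripted on the server. The following is an added example, not part of the original post: the function names and the `KS_PASS` environment variable are assumptions, and `check_listing` parses the text printed by `keytool -list -v`.

```shell
#!/bin/sh
# Added example (constructed): pre-deployment check and in-place keystore swap.

# check_listing [SAN...]: reads `keytool -list -v` output on stdin. Fails unless it
# shows a PrivateKeyEntry with a 3-cert chain (server, issuing, root) and each SAN.
check_listing() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '^Entry type: PrivateKeyEntry' || {
        echo "no private key entry in keystore" >&2; return 1; }
    len=$(printf '%s\n' "$listing" |
        sed -n 's/^Certificate chain length: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ "${len:-0}" -eq 3 ] || { echo "chain length ${len:-0}, expected 3" >&2; return 1; }
    for san in "$@"; do
        printf '%s\n' "$listing" | awk -v s="$san" '
            tolower($1) == "dnsname:" && tolower($2) == tolower(s) { found = 1 }
            END { exit !found }' || { echo "SAN missing: $san" >&2; return 1; }
    done
}

# verify_keystore FILE [SAN...]: the password comes from the KS_PASS environment
# variable (hypothetical name) via -storepass:env, keeping it off the command line.
verify_keystore() {
    ks=$1; shift
    keytool -list -v -keystore "$ks" -storepass:env KS_PASS | check_listing "$@"
}

# swap_keystore NEW CURRENT: back up CURRENT, then overwrite its contents so the
# exact file name, owner and mode that Tomcat expects stay unchanged.
swap_keystore() {
    new=$1; cur=$2
    [ -s "$new" ] && [ -f "$cur" ] || { echo "missing keystore file" >&2; return 1; }
    bak="$cur.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cur" "$bak" || return 1
    cat "$new" > "$cur" || return 1
    cmp -s "$new" "$cur" && echo "$bak"    # print the backup path on success
}
```

Run `verify_keystore` on the new file first and call `swap_keystore` only if it succeeds; the printed backup path is what you copy back if the application fails to start.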
