SSL certificates are valid only for a limited period, such as one or several years, and expire after that. This document describes how to renew an expired SSL certificate for a Denodo installation where SSL is already configured and working but the certificate needs to be renewed. It contains commands to be executed in a Windows command prompt; on Linux systems, replace the backslashes with forward slashes to get the equivalent commands.
In short, the steps to renew the certificate will be:
Step 1: Preparation
Before starting, you should do the following actions:
If you are unsure and want to verify the keystore password, execute the following command and provide the password. The response will tell you whether it is the correct password.
.\jre\bin\keytool -list -keystore denodo_server_key_store_old.jks
These preparation steps are needed because we will reuse the jks file location, file name and keystore password to create the new keystore file. The benefit of doing this is that you will not need to modify any configuration file in the Denodo Platform installation: the keystore location and password set in the different configuration files will still be valid, as they are the same as before.
Step 2: Generate a keypair and obtain the public certificate
In this step, we will obtain and install the new SSL certificate. It can be obtained in different ways, as explained in detail in the documentation section Obtaining and Installing an SSL/TLS Certificate.
When following these steps, make sure that you use the same values as obtained in the first step above. Keep in mind the following important information:
Once you have obtained the public certificate you can proceed with the next step.
Step 3: Importing the public certificate into the truststore of the Denodo installation
After you obtain the public certificate (denodo_server_public_key.cer) you need to import it into the truststore of the Denodo installation. By default, this is set to <DENODO_HOME>\jre\lib\security\cacerts.
The command for importing the certificate under a specific alias is the following:
.\jre\bin\keytool -importcert -alias denodo-server-self-signed -file denodo_server_public_key.cer -cacerts -storepass "changeit" -noprompt
If you are using the same alias name as the first time you configured SSL, you need to remove the previous alias from the truststore. However, you can also just provide a different alias name.
If the alias already exists you will see the following error message:
keytool error: java.lang.Exception: Certificate not imported, alias <denodo-server-self-signed> already exists
To remove any specific alias, execute the following command (replace the alias name and <DENODO_HOME> with the appropriate values):
.\jre\bin\keytool -delete -alias denodo-server-self-signed -keystore <DENODO_HOME>\jre\lib\security\cacerts -storepass "changeit"
After you have deleted the previous alias (only if it was required), you can proceed to import the new certificate with the same alias name.
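The delete-then-import sequence above, written as an added example for Linux shells (it is not part of the original Denodo document). The function names and the KEYTOOL, TRUSTSTORE and STOREPASS variables are assumptions; the script uses -keystore with an explicit path in every call and finishes by checking that the SHA-256 fingerprint stored under the alias matches the new certificate file.

```shell
#!/bin/sh
# Added example: repeatable truststore renewal. Variable and function
# names are assumptions, not taken from the Denodo documentation.
KEYTOOL="${KEYTOOL:-keytool}"   # e.g. $DENODO_HOME/jre/bin/keytool
TRUSTSTORE="${TRUSTSTORE:-${DENODO_HOME:-.}/jre/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"

# Extract a SHA-256 fingerprint (32 colon-separated hex bytes) from
# keytool output. Shorter SHA-1 fingerprints cannot match the pattern.
sha256_fp() {
    grep -oE '([0-9A-F]{2}:){31}[0-9A-F]{2}' | head -n 1
}

# True when the alias is already present in the truststore.
alias_exists() {
    "$KEYTOOL" -list -alias "$1" -keystore "$TRUSTSTORE" \
        -storepass "$STOREPASS" >/dev/null 2>&1
}

# renew_trust_entry ALIAS CERT_FILE
# Deletes a stale entry if one exists, imports the new certificate, then
# confirms the stored entry is the certificate that was just supplied.
renew_trust_entry() {
    alias_name=$1; cert_file=$2
    [ -f "$cert_file" ] || { echo "missing $cert_file" >&2; return 2; }

    if alias_exists "$alias_name"; then
        "$KEYTOOL" -delete -alias "$alias_name" -keystore "$TRUSTSTORE" \
            -storepass "$STOREPASS" || return 3
    fi
    "$KEYTOOL" -importcert -alias "$alias_name" -file "$cert_file" \
        -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -noprompt || return 4

    # -v prints the SHA-256 fingerprint on both older and newer JREs.
    want=$("$KEYTOOL" -printcert -file "$cert_file" | sha256_fp)
    got=$("$KEYTOOL" -list -v -alias "$alias_name" -keystore "$TRUSTSTORE" \
        -storepass "$STOREPASS" | sha256_fp)
    [ -n "$want" ] && [ "$want" = "$got" ] || {
        echo "fingerprint mismatch for $alias_name" >&2; return 5; }
    echo "$alias_name -> $got"
}

# Usage: renew_trust_entry denodo-server-self-signed denodo_server_public_key.cer
```

Setting TRUSTSTORE to another truststore path before the call repeats the same import and check there.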
Step 4: Importing the public certificate into the truststore of clients
Once you have imported the certificate into the truststore of the Denodo Platform installation, you also need to import it into any other relevant truststores. For example, if you are connecting from a Virtual DataPort Administration Tool that is running on a different machine, the certificate must be imported into that tool's truststore for it to be able to connect. Keep in mind that if this Denodo Platform installation is accessed by the Solution Manager Server (for creating and deploying revisions), the certificate must also be imported into the Solution Manager's truststore, as it will function as a client.
You can review the documentation section for more details: