How to renew an SSL certificate in Denodo
Goal
SSL certificates are only valid for a certain duration, such as one or several years, and expire after that. This document describes how to renew a (soon-to-be) expired SSL certificate in a Denodo installation where SSL is already configured and working. It contains some commands to be executed in a Windows command prompt; for Linux systems you can replace the backslashes with forward slashes to get equivalent commands.
Content
Starting with Denodo 8.0, it is recommended to use the Denodo TLS Configurator Script, since it simplifies the setup and renewal of the certificate. The idea is to rerun that script whenever you want to use the new certificates.
The script offers several input modes for the configuration:
- Using PEM-Encoded Key and Certificates
- Using a PKCS #12 Bundle
- Using a JKS Keystore and Public Certificates in CER Format
The very first step of renewing your certificate is to obtain the proper certificates. Usually, they are provided by your organization’s system administrator or the security team.
They typically come in different formats and depending on which file formats you have received, you need to use the TLS Configurator Script with slightly different parameters.
Using PEM-Encoded Key and Certificates
This mode is suitable if you have received:
- A PEM-encoded server certificate (typically with extension .pem or .crt or .cer), e.g.:
  - server.crt
- A PEM-encoded private key (typically with extension .key):
  - server.key
- In most scenarios also PEM-encoded intermediate and root certificates or a certificate chain file, e.g.:
  - intermediateCA.crt
  - rootCA.crt

  OR
  - chain.crt
In this setup, you can run the TLS Configurator Script with the following parameters (sample values):
denodo_tls_configurator.bat ^
    --keystore C:\Denodo\DenodoSolutionManager9\denodo_server_key_store.jks ^
    --key-pem-file C:\Denodo\keys\TLS2\server.key ^
    --cert-pem-file C:\Denodo\keys\TLS2\server.crt ^
    --truststore C:\Denodo\DenodoSolutionManager9\jre\lib\security\cacerts ^
    --cert-chain-pem-files C:\Denodo\keys\TLS2\intermediateCA.crt,C:\Denodo\keys\TLS2\rootCA.crt ^
    --credentials-file C:\Denodo\keys\TLS\credentials.txt ^
    --denodo-home C:\Denodo\DenodoSolutionManager9 ^
    --override
The properties are as follows:
- --keystore: Defines the location where the JKS file is going to be generated.
- --key-pem-file: Path to your .key file.
- --cert-pem-file: Path to your server certificate file (public certificate).
- --truststore: Path to the truststore. Typically in <DENODO_HOME>/jre/lib/security/cacerts
- --cert-chain-pem-files: Path(s) to the intermediate and root certificate. Accepts also a single chain file.
- --credentials-file: Path to the credentials file that contains the encrypted passwords for the keystore and truststore.
- --denodo-home: Path to your Denodo Home directory.
- --override: Overrides previous keystore and truststore files instead of throwing an error in case of conflicts. Creates backups as required for the modified files.
The credentials file that you are going to provide must contain the passwords for the truststore and the keystore in an encrypted way. For that, you need to use the script in DENODO_HOME/bin/encrypt_password.
Note: The default password for the truststore is changeit and for the keystore you need to choose a password.
You should end up with a credentials file similar to this:
truststore.password=vYMnze…tiqesZMEbEDcW4B0A==
keystore.password=1mtc2vglT..NAj3KZnGH0paR3+WQ9how==
Once all the parameters are set, you can run the script. If you get no warnings and only entries with OK as output, the setup is ok and you can restart your server now.
Using a PKCS #12 Bundle
This mode is suitable if you have received:
- A PKCS#12 or PFX bundle that contains the private key, public key and the full certificate chain, e.g.:
  - bundle.pfx
- The password associated with the bundle file, e.g.:
  - mysecretpassword
In this setup, you can run the TLS Configurator Script with the following parameters (sample values):
denodo_tls_configurator.bat ^
    --pkcs12-file C:\Denodo\keys\TLS3\bundle.pfx ^
    --keystore C:\Denodo\DenodoSolutionManager9\denodo_server_key_store.jks ^
    --truststore C:\Denodo\DenodoSolutionManager9\jre\lib\security\cacerts ^
    --credentials-file C:\Denodo\keys\TLS\credentials.txt ^
    --denodo-home C:\Denodo\DenodoSolutionManager9 ^
    --override
The properties are as follows:
- --pkcs12-file: Path to your PKCS#12 bundle / PFX bundle.
- --keystore: Defines the location where the JKS file is going to be generated.
- --truststore: Path to the truststore. Typically in <DENODO_HOME>/jre/lib/security/cacerts.
- --credentials-file: Path to the credentials file that contains the encrypted passwords for the keystore, truststore and pkcs12 bundle.
- --denodo-home: Path to your Denodo Home directory.
- --override: Overrides previous keystore and truststore files instead of throwing an error in case of conflicts. Creates backups as required for the modified files.
The credentials file that you are going to provide must contain the passwords for the truststore, the keystore and the pfx bundle in an encrypted way. For that, you need to use the script in DENODO_HOME/bin/encrypt_password.
Note: The default password for the truststore is changeit and for the keystore password you need to choose a password. The pkcs12bundle password must be already known to you to continue.
You should end up with a credentials file similar to this:
truststore.password=vYMnze…tiqesZMEbEDcW4B0A==
keystore.password=1mtc2vglT..NAj3KZnGH0paR3+WQ9how==
pkcs12bundle.password=xaIQ96xBQ..qx9u2E8RCejcxvFu1bKkyH4Tch8dcJvL4Rqzmvbk
Once all the parameters are set, you can run the script. If you get no warnings and only entries with OK as output, the setup is ok and you can restart your server now.
Using a JKS Keystore and Public Certificates in CER Format
This mode is suitable if you want to reuse the keystore and certificates from a previous installation. In the context of renewing an SSL certificate, this mode is not recommended; use one of the other two methods presented above instead.
Additional Notes
If the certificate authority (CA) has changed as part of that renewal, you need to make sure that the client applications connecting to your server have that respective root CA imported in their truststore.
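After the restart, it is worth confirming from a client machine that the server really presents the renewed certificate and whether its issuer changed. The following Python check is an added example, not part of the Denodo tooling; the function names, the sample certificate and the idea of recording the old certificate's serial number and issuer before the renewal are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_peer_cert(host, port, cafile):
    """Handshake with the server, trusting only the roots in cafile, and return
    the validated certificate as a dict. A handshake failure here means a client
    holding only that root CA cannot connect."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def name_attrs(rdns):
    # getpeercert() returns names as a tuple of RDNs, each a tuple of (key, value)
    return {key: value for rdn in rdns for key, value in rdn}

def days_left(cert, now=None):
    """Whole days until the certificate's notAfter date."""
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (expires - now).days

def check_renewal(cert, old_serial, old_issuer_cn, min_days=30, now=None):
    """Compare the served certificate with what was recorded before renewal."""
    findings = []
    if cert["serialNumber"].upper() == old_serial.upper():
        findings.append("server still presents the old certificate (same serial)")
    remaining = days_left(cert, now)
    if remaining < min_days:
        findings.append(f"certificate expires in {remaining} days")
    issuer_cn = name_attrs(cert["issuer"]).get("commonName")
    if issuer_cn != old_issuer_cn:
        findings.append(f"issuer changed to {issuer_cn!r}: "
                        "clients need the new root CA in their truststore")
    return findings

# Constructed sample in the shape returned by getpeercert(); not real data.
SAMPLE_CERT = {
    "subject": ((("commonName", "denodo.example.internal"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Issuing CA 2"),)),
    "serialNumber": "0A1B2C3D",
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
```

In practice, pass the result of fetch_peer_cert(host, port, cafile) to check_renewal, using the host and TLS port of your own server and the root CA file your clients trust.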
References
Denodo SSL/TLS Configurator Script
Obtaining and Installing an SSL/TLS Certificate

