Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Does replacing the existing default SSL certificate affect the current application in PROD?

Hi,

We have CLM 5.01, which recently got migrated to use WAS instead of Apache Tomcat. Currently the web browser exception is handled manually.

When it comes to importing a signed certificate, during the final stage we will have to delete the default certificate following the below URL. 


My question is 

1. Does playing with the certificate affect my currently working application?

2. Do we need to take a system backup?

3. Here based on what we have seen earlier was to replace the default one with the new signed one.  

4. If the new signed one does not work as expected after deleting the default one, does it cause any issue?


0 votes



2 answers

Yes, there is only one certificate on an endpoint.

So, if you get it wrong, the users after that will get the certificate error warning until you supply a new certificate.

Backup: that's up to you. Never really a bad option, but if the current cert is bad, then you would restore to that state.

0 votes


Given your previous post (https://jazz.net/forum/questions/200452/how-to-request-and-configure-an-ssl-cerificate-for-clm-501-running-apache-tomcat), you're using a distributed environment with CA-signed certificates. What I don't understand is why the web browser still needs to handle "exceptions". It seems that your current environment is not well configured to begin with. So as Sam said, the quality of the backup is questionable.

If you are taking a backup of configuration files (such as trust.p12 and key.p12), you will need to do it in synchronization across all applications, otherwise the restoration may not give you back a working state. That's because each application server also acts as a "client" to other servers, and has to handle the "exception"(?).

If you are taking VM snapshots as backups, it may be easier (not that I recommend this method).

The practice should be quite straightforward actually. Since you have a CA (I believe it's an internal one), the CA (signer) certificate should be imported into the trust store on every single machine and application server. Then when you use a (personal) certificate signed by that CA, it will be trusted automatically and there should be no "exception" to handle at all.

0 votes
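The trust relationship described in the answer above (the CA signer certificate in the trust store, the personal certificate signed by that CA) can be checked before the default certificate is deleted. The following is an added example, not part of the original answers and not IBM tooling: it assumes the CA signer, the new certificate and its private key are available as PEM files and that the `openssl` CLI is installed. All file names and subject names are constructed.

```bash
# Pre-cutover check: is the new personal certificate signed by the CA signer,
# does it match its private key, and is it still valid?
check_new_cert() {  # usage: check_new_cert <ca.pem> <cert.pem> <key.pem>
  local ca=$1 cert=$2 key=$3 a b
  # 1. Chain: the certificate must validate against the CA signer alone.
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "FAIL: not signed by the CA signer"; return 1; }
  # 2. Key match: public key in the cert must equal the one derived from the key.
  a=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
  [ "$a" = "$b" ] || { echo "FAIL: private key does not match certificate"; return 1; }
  # 3. Validity: reject a certificate that expires within the next 24 hours.
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null ||
    { echo "FAIL: certificate expires within 24 hours"; return 1; }
  echo "OK"
}

# Constructed lab material: an internal CA, a certificate signed by it, and a
# self-signed certificate standing in for an untrusted default certificate.
make_lab() {  # usage: make_lab <directory>
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Internal CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=clm.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=default.example.test" \
    -keyout "$d/default.key" -out "$d/default.pem" 2>/dev/null
}

d=$(mktemp -d) && make_lab "$d"
check_new_cert "$d/ca.pem" "$d/server.pem"  "$d/server.key"  || true  # CA-signed
check_new_cert "$d/ca.pem" "$d/default.pem" "$d/default.key" || true  # self-signed
check_new_cert "$d/ca.pem" "$d/server.pem"  "$d/default.key" || true  # wrong key
```

A certificate that fails the first check is the case where clients, including the other application servers acting as clients, would still see the certificate warning.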

Question details

Question asked: Dec 14 '15, 6:35 a.m.

Question was seen: 3,835 times

Last updated: Dec 14 '15, 7:59 p.m.
