Change a Certificate

Creating or updating a local SSL certificate

If you assembled a certificate and key pair using the NEXUSe2e CSR process, you can skip this section, since your certificate is already present in the Certificate Staging area.

Otherwise, import the certificate into that area. Navigate to NEXUSe2e > Server Configuration > Certificates > Certificate Staging and select Import Certificate.

Select the certificate file to import and supply the necessary password. Bear in mind that the certificate needs to include a private key and has to be in PKCS#12 format, typically indicated by a .p12 or .pfx file extension.

Inform your collaboration partners

Once your certificate has been imported and the certificate update is scheduled, you need to inform your collaboration partners so they can configure your new certificate.

Go to NEXUSe2e > Server Configuration > Certificates > Certificate Staging, select your new certificate and click on Export this Certificate.

Select ZIP file from the Elements section and leave all other options unchanged. Click on Save to store the exported file on your computer.

Send the ZIP file to your collaboration partners.

Switching to the new certificate

When the scheduled certificate switching date arrives, you can promote the new certificate either as an update to your existing certificate or as a new certificate. Promoting it as a new certificate has no effect on existing partner connections, whereas replacing the existing certificate also updates all partner connections that use the certificate being replaced.

Go to NEXUSe2e > Server Configuration > Certificates > Certificate Staging, select your new certificate and click on it to show its details.

On the detail screen, select your local server ID from the first drop-down menu, and choose from the second drop-down menu whether to promote the certificate as a replacement or as a new certificate. If you choose to replace, the name of your current certificate is shown. Take extra care to double-check that you are replacing the correct one.

Finally, click Promote Certificate and apply the configuration.

Bear in mind that you still have to replace the certificate of the underlying Servlet Container, as given below for Apache Tomcat.

Securing the server

In addition to configuring the NEXUSe2e application with the new certificate, the underlying Web application server needs to be configured with it as well, because it is responsible for handling inbound requests.

To do this, go to the Tomcat home directory, then open the file server.xml in the conf subdirectory in a text editor. Find the SSL connector (port *443). It looks something like this:

<Connector port="443" ...
  keystoreFile="/path/to/my/cert.p12"
  keystoreType="PKCS12"
  keystorePass="password"
  .../>

Now, replace the keystore file in the file system with your new test certificate PKCS#12 file, or put the file somewhere else and make sure the keystoreFile attribute points to the correct path.

Change the keystorePass attribute to contain the correct password for the .p12 file and save the server.xml file. Finally, restart the NEXUSe2e service to apply the new certificate configuration.

For more details on this configuration process, refer to the Tomcat manual located at http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html.
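
A check to run on the edited server.xml before restarting the service, as an added example that is not part of NEXUSe2e or Tomcat: it reads each Connector that names a keystoreFile and reports a wrong keystoreType, a missing file, a file that is not a PKCS#12 container (for example a PEM file saved with a .p12 name), and file permissions that let other accounts read the private key or the plain-text keystorePass. The function names are hypothetical, keystoreFile is assumed to be an absolute path, and the check is structural only: it does not decrypt the keystore or test the password.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET


def looks_like_pkcs12(data: bytes) -> bool:
    # Structural check only: a PFX is an ASN.1 SEQUENCE whose first field is INTEGER 3.
    if len(data) < 5 or data[0] != 0x30:
        return False
    # Skip length octets: short form, long form (0x80 | n), or indefinite (0x80).
    pos = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)
    return data[pos:pos + 3] == b"\x02\x01\x03"


def audit_connectors(server_xml: str) -> list:
    # Assumes keystoreFile is an absolute path, as in the page's example.
    findings = []
    if stat.S_IMODE(os.stat(server_xml).st_mode) & 0o077:
        findings.append("server.xml holds keystorePass but is accessible to group/other")
    for conn in ET.parse(server_xml).getroot().iter("Connector"):
        path, port = conn.get("keystoreFile"), conn.get("port", "?")
        if path is None:
            continue  # not a connector with its own keystore
        if conn.get("keystoreType", "").upper() != "PKCS12":
            findings.append(f"port {port}: keystoreType is not PKCS12")
        if not os.path.isfile(path):
            findings.append(f"port {port}: keystoreFile {path} does not exist")
            continue
        if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"port {port}: {path} is accessible to group/other")
        with open(path, "rb") as fh:
            if not looks_like_pkcs12(fh.read(16)):
                findings.append(f"port {port}: {path} is not a PKCS#12 container")
    return findings


if __name__ == "__main__":
    # Constructed sample: a connector pointing at a PEM file named cert.p12.
    d = tempfile.mkdtemp()
    pem = os.path.join(d, "cert.p12")
    with open(pem, "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n")
    xml = os.path.join(d, "server.xml")
    with open(xml, "w") as fh:
        fh.write(f'<Server><Service><Connector port="443" keystoreFile="{pem}" '
                 'keystoreType="PKCS12" keystorePass="password"/></Service></Server>')
    print("\n".join(audit_connectors(xml)))
```

An empty result means none of these checks failed; it does not confirm that the password in keystorePass opens the file.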