The certificate used for client HTTPS communications will expire after 12 months. The following procedure describes how to renew the certificate.
Renewing PFX files
If your Spotfire Server is using a PFX file (preferred method), then the configuration in server.xml should be similar to that below.
<Certificate certificateKeystoreFile="./certs/spotfire.pfx"
certificateKeystorePassword="changeit"
certificateKeystoreType="pkcs12"/>
To renew the certificate, simply replace the PFX file with the new file once it has been acquired from your certificate vendor. Remember that if you have changed certificate vendors you may additionally need to update the cacerts file with new root and intermediate certificates.
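Before replacing the file, it is worth confirming that the new PFX opens with the password configured in server.xml, contains the private key, lists the Spotfire host as a SAN and is not close to expiry. The script below is an added example, not part of the original article or of Spotfire; it assumes OpenSSL 1.1.1 or later, and the function names, host names, password and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Needs OpenSSL 1.1.1 or later.

# Build a throwaway self-signed PFX so the check can be tried offline.
# Constructed sample data: host names, IP, password and file names.
make_sample_pfx() {  # usage: make_sample_pfx OUTDIR DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=spotfire.example.com" \
        -addext "subjectAltName=DNS:spotfire.example.com,IP:10.4.1.88" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
        -name spotfire -passout pass:changeit -out "$1/spotfire.pfx"
}

# Succeeds only if the PFX opens with PASSWORD, contains a private key,
# lists HOST as a DNS SAN and remains valid for at least MIN_DAYS days.
check_renewed_pfx() {  # usage: check_renewed_pfx FILE PASSWORD HOST MIN_DAYS
    cert=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null) || {
        echo "FAIL: cannot open $1 (wrong password or not PKCS12)"; return 1; }
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY" || { echo "FAIL: no private key in $1"; return 1; }
    # Split the SAN line on commas and require an exact match on the host.
    printf '%s\n' "$cert" | openssl x509 -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "DNS:$3" || {
        echo "FAIL: $3 is not a DNS SAN in $1"; return 1; }
    # -checkend takes seconds and fails if the certificate expires before then.
    printf '%s\n' "$cert" | openssl x509 -noout -checkend $(( $4 * 86400 )) >/dev/null || {
        echo "FAIL: certificate expires in under $4 days"; return 1; }
    echo "OK: $1 is usable for $3"
}

# Demo on the constructed sample.
tmp=$(mktemp -d) && make_sample_pfx "$tmp" 365 &&
    check_renewed_pfx "$tmp/spotfire.pfx" changeit spotfire.example.com 30
rm -rf "$tmp"
```

For a real renewal, call check_renewed_pfx with the vendor-supplied file, the certificateKeystorePassword value and the primary Spotfire host name.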
Renewing a Java keystore certificate
If your Spotfire Server is using a Java keystore, then the configuration in server.xml should be similar to the following:
<Certificate certificateKeystoreFile="./certs/spotfire-server.jks"
certificateKeystorePassword="changeit"
certificateKeystoreType="jks"
certificateKeyAlias="spotfire" />
To renew the certificate:
1. Generate a new CSR file from the same keystore.
Note that the same alias name is being used when doing this. The -ext argument is for recording SANs (Subject Alternative Names). You must have at least one SAN of the primary URL host for Spotfire.
So if the Spotfire URL is https://spotfire.somedomain.com, include spotfire.somedomain.com as a SAN.
keytool -certreq -alias spotfire -keystore keystore.jks -file spotfire.csr -ext SAN=dns:spotfire.example.com,dns:spotfire1.example.com,ip:10.4.1.88
2. Submit the CSR to your certificate authority for signing.
3. Import any CA or intermediary certificates issued by your certificate vendor into the global truststore.
The -alias parameter is used to identify the certificate, so a sensible name should be chosen.
keytool -import -file CACert.pem -alias MyCACert -keystore <INSTALLATION ROOT>/jdk/jre/lib/security/cacerts -trustcacerts -storepass changeit
4. Once you have a PEM-format certificate back from your authority, import it into your keystore.
Use the same alias name as before.
keytool -import -trustcacerts -alias spotfire -file spotfire.pem -keystore keystore.jks
Note: If your certificate vendor has not issued a PEM-format certificate but has only issued a PKCS12-format certificate (.pfx or .p12 files), then it would be better to abandon using Java keystores completely. Use the same configuration as in the section "Renewing PFX files" above.
Please refer to the following KB article for a more complete guide to implementing SSL certificates in Spotfire.