How to Change Access Point TLS Certificate?

By default, the Access Point has a self-signed TLS certificate that's automatically generated during the Access Point installation process. Changing the certificate and/or recreating the private key is not possible through the Access Point UI. Instead, both operations require shell access to the Access Point.

Step-by-step guide

The Access Point TLS certificate can be changed by following the steps described below.

1. First, take backup copy of the TLS keystore file:

   cp -a /etc/harmony-ap/tls-keystore.jks /etc/harmony-ap/tls-keystore.jks.bak

2. Generate a new private key and certificate signing request (CSR) by running the command:

   openssl req -x509 -newkey rsa:3072 -keyout harmony-ap-new.key -out harmony-ap-new.crt -days 365 -nodes

3. Enter your CSR details.

4. Locate and open the newly created CSR ("/etc/harmony-ap/harmony-ap-new.crt") in a text editor and copy all the text including:

   /etc/harmony-ap/harmony-ap-new.crt

   -----BEGIN CERTIFICATE REQUEST-----
   And
   -----END CERTIFICATE REQUEST-----

5. Paste the contents of the CSR file in a local text file on your workstation.
6. Purchase TSL/SSL certficate from a trusted Certificate Authority (CA) using the CSR file.
7. Once the CA has issued the certificate, rename the certificate file to "harmony-ap-new.crt", and copy it to "/etc/harmony-ap/" directory on the Access Point.

8. Create a PKCS#12 container ("/etc/harmony-ap/harmony-ap.p12") that includes the new key and certificate, and the certificate chain. Write down the container password ("<container_password>"). Replace the "<cert_alias>" placeholder with your preferred alias.

   openssl pkcs12 -export -in harmony-ap-new.crt -inkey harmony-ap-new.key -out harmony-ap.p12 -name <cert_alias> -CAfile ca_bundle.crt -caname cacert

9. Check the password of the TLS keystore file from the "/etc/harmony-ap/tomcat-conf/server.xml" configuration file. The password is located in the "Connector" element's "keystorePass" property. Write down the password ("<tls_keystore_password>").

10. Import the PKCS#12 container into the Access Point TLS keystore.

    keytool -J-Dkeystore.pkcs12.legacy -importkeystore -deststorepass <tls_keystore_password> -destkeypass <tls_keystore_password> -destkeystore /etc/harmony-ap/tls-keystore.jks -srckeystore /etc/harmony-ap/harmony-ap.p12 -srcstoretype PKCS12 -srcstorepass <container_password> -alias <cert_alias>

11. Update the file permissions.

    chown -R harmony-ap:harmony-ap /etc/harmony-ap
    chmod -R 0751 /etc/harmony-ap

12. Restart the "harmony-ap" service.

    systemctl restart harmony-ap

13. Check that the log file ("/var/log/harmony-ap/catalina.out") doesn't contain any TLS related errors.
14. In case something goes wrong, restore the original files, and restart the "harmony-ap" service.

Related articles

• Page:
  How to Enable Logging of Full Messages for Debugging?
• Page:
  How to Configure TLS Authentication with the Web Service Plugin?
• Page:
  Harmony eDelivery Access - Access Point v2.2.2 Release Notes
• Page:
  Harmony eDelivery Access - Access Point v2.2.0 Release Notes
• Page:
  How to Change Access Point TLS Certificate (version 2.2.0 and later)?