Symantec Workspace Streaming: Troubleshooting SSL Certificates 

Feb 16, 2011 11:25 AM

This document addresses two problems that may arise while dealing with SSL certificates on SWS.

How to delete a certificate from keystore

Problem 1:

When I upload a new certificate to the keystore from C&M, I still get the old one when accessing from a browser.

Problem Description:

When you upload a new SSL certificate to a Launch Server that is already running in SSL with a valid certificate in the keystore, you might still see the old certificate in the client browser when accessing the portal. This happens because the keystore still holds the old alias name and its private key alongside the new one, and by default any web server picks the certificate by alias name in ascending order. For example, the first time you generate a CSR from C&M you use the alias name software and buy a certificate from Verisign. Later you generate a new CSR with the alias name testing, buy a certificate from Thawte (or Verisign), upload it to C&M and restart the service. When you access the LS you will still see the certificate from Verisign (the one uploaded first), because the alias name software is still the one picked up and processed.

Solution 1:

As a simple workaround, when generating the CSR choose an alias name that sorts first and is therefore processed first. In this case, if the second certificate is given the alias name Abcd (the running private key has the alias name software), LS will process the new certificate at launch and present it to the user. So the workaround is to give an alias name that comes first when sorted in ascending order.

Solution 2:

If you are an administrator who does not want to clutter the keystore and always wants only one private key in it, use this solution. You need to delete the private key stored in the keystore using the command below. By default, all certificates generated via the SWS Console are stored in the stscerts file, which is our keystore file.

Open a command prompt and navigate to the C:\Symantec\Workspace Streaming\Server\common\jre\lib\bin folder. From there, type:

keytool.exe -delete -alias software -keystore "<installdir>\Server\common\jre\lib\security\stscerts"

This deletes the first certificate stored in the keystore, the one with the alias software. Now upload the second certificate or, if you have already uploaded the new certificate, just restart the LS service. Accessing the LS should now serve the second certificate. Restarting the LS alone is sufficient. If you still get the old certificate even after deleting it from the keystore, try restarting all the services. This always cleans up everything and gives you the proper valid certificate.

How to install root and intermediate certificates using the command line

Problem 2: When I upload an SSL certificate for the Portal in C&M, I get an error message stating "Failed to find chain of reply"

Problem Description:

When a CSR for the Launch Server is generated from the console, the private key and CSR information are stored in a file called stscerts, located in the "C:\Symantec\Workspace Streaming\Server\common\jre\lib\security" folder. For SWS, stscerts acts as the keystore file. So when you upload an SSL certificate you got from a vendor, for example Verisign, you need to upload the root and intermediate certificates to the keystore before uploading your SSL certificate to avoid this problem.

Solution:

When you create a CSR for a Launch Server from C&M, it is stored in the stscerts file, which acts as the keystore file for SWS [C:\Symantec\Workspace Streaming\Server\common\jre\lib\security\stscerts]. You need to upload the root certificate and the intermediate certificate to this keystore before uploading the SSL certificate generated for that Launch Server. The root and intermediate certificates can be uploaded only via the command-line option provided by keytool, not through C&M.

Below are the commands to upload the Verisign root and intermediate certificates. After importing both certificates to the keystore successfully, you can upload the SSL certificate created for the LS from C&M.

Command to upload root certificate in default keystore STSCERTS

keytool -import -trustcacerts -alias root -file d:\versign_trial_root.crt -keystore "C:\Symantec\Workspace Streaming\Server\common\jre\lib\security\stscerts"

Command to upload intermediate certificate in default keystore STSCERTS

keytool -import -trustcacerts -alias IntermediateTrial -file d:\Verisign_intermediate_trial.crt -keystore "C:\Symantec\Workspace Streaming\Server\common\jre\lib\security\stscerts"
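
Before running the -delete from Problem 1 or the imports from Problem 2, it helps to see what the keystore actually contains. The PowerShell below is an added example, not part of the original document or of SWS: it parses keytool -list output and reports the private key aliases in ascending order and the trusted certificate aliases. The function name Get-KeystoreEntry and the sample listing are constructed for illustration, and the sort only mirrors the ordering the article describes.

```powershell
# Constructed sample of `keytool -list` output (aliases from the article; dates
# and fingerprints are made up). JKS stores aliases in lower case.
# For a live check, replace the here-string with:
#   $listing = & keytool.exe -list -keystore "C:\Symantec\Workspace Streaming\Server\common\jre\lib\security\stscerts"
# and copy the stscerts file to a safe place before running any -delete.
$listing = @'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

software, Feb 16, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
testing, Feb 16, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:02
root, Feb 16, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
intermediatetrial, Feb 16, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:04
'@ -split '\r?\n'

# Hypothetical helper: turns "<alias>, <date>, <EntryType>," lines into objects.
function Get-KeystoreEntry {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # The date itself contains a comma, so match the alias lazily and
        # anchor on the entry type at the end of the line.
        if ($line -match '^(?<alias>.+?), .+, (?<type>PrivateKeyEntry|trustedCertEntry),\s*$') {
            [pscustomobject]@{ Alias = $Matches['alias']; Type = $Matches['type'] }
        }
    }
}

$entries = @(Get-KeystoreEntry -Lines $listing)
$keys    = @($entries | Where-Object { $_.Type -eq 'PrivateKeyEntry' } | Sort-Object Alias)
$trusted = @($entries | Where-Object { $_.Type -eq 'trustedCertEntry' })

"Private key aliases, ascending: " + (($keys | ForEach-Object { $_.Alias }) -join ', ')
if ($keys.Count -gt 1) {
    # Problem 1: more than one private key, so the first alias is the one served.
    "Several private keys present; '$($keys[0].Alias)' sorts first."
}
"Trusted certificate aliases: " + (($trusted | ForEach-Object { $_.Alias }) -join ', ')
if ($trusted.Count -eq 0) {
    # Problem 2: the CA chain must be imported before the server certificate.
    "No root or intermediate certificate imported yet."
}
```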

Attachment(s)
doc file
Troubleshooting SSL Certificates.doc   31 KB   1 version
Uploaded - Feb 25, 2020
