Well it’s been a year since my blog posting Step-By-Step Guide to Custom Domains with Multitenant Multi-Target Applications and the wildcard domain certificate for *.conciletime.com has expired. I could have replaced it before it expired, but I wanted to show what happens when you neglect renewing your custom domain certificates.
Indeed when we look at the certificate details, it’s expired.
If you are setting up a custom domain in SAP Cloud Foundry for the first time, please follow Step-By-Step Guide to Custom Domains with Multitenant Multi-Target Applications as this blog post will show additional steps that are required for the renewal use-case.
Generate a new private key and new CSR
Now you need to create a new domain key with a name different from the one you created the first time. Both keys will exist side by side in Cloud Foundry, so the names need to be unique. This private key will be used to create your Certificate Signing Request (CSR). You’ll need to supply some details and list the domain names you’ll use with the resulting certificate, for example “C=US, ST=State, O=ConcileTime, CN=*.conciletime.com”. Be sure that the CN value contains an asterisk (*) or the certificate won’t work for all possible hostnames generated for your domain name.
cf custom-domain-create-key ComodoConcileTimeKey2020 "C=US, ST=State, O=ConcileTime, CN=*.conciletime.com" conciletime.com --verbose
Download the CSR
Now get the new CSR with the following command. Save the CSR text somewhere safe under a new name, as you’ll need it later.
cf custom-domain-get-csr ComodoConcileTimeKey2020 comodo_conciletime_csr_2020.pem
Send the new CSR to get signed
Purchasing another wildcard SSL certificate.
I’m going to assume that you will be going back to the certificate provider you used to purchase the domain certificate originally. A detailed section on the process is provided in the first blog post.
You’ll have to pay again for another year or more to continue.
Follow your certificate provider’s instructions for renewing a domain certificate. I’m going to be again using Comodo for illustration, but your screens will look different.
Since we selected CNAME Auth in step 3 above, we need to go to our DNS provider and create a CNAME record as described.
You may have to wait a bit for the DNS change to propagate across the Internet. Then you can check that the record resolves to be sure the change took effect.
dig _xxxxxxxxxxxxxxxxxxxxxxxdxda30aaa.conciletime.com
When you get confirmation that your certificate has been generated properly, download it and unzip it. Here’s what the folder looks like.
comodo_conciletime_crt_2020.zip
$ tree
.
├── ! PRIVATE KEY INFO !.txt
├── CER - CRT Files
│   ├── AAACertificateServices.crt
│   ├── My_CA_Bundle.ca-bundle
│   ├── STAR_conciletime_com.crt
│   ├── SectigoRSADomainValidationSecureServerCA.crt
│   └── USERTrustRSAAAACA.crt
├── Choosing the Right Files to Install.txt
├── PKCS7 File
│   └── PKCS7.p7b
└── Plain Text Files
    ├── AAACertificateServices.txt
    ├── CA Bundle.txt
    ├── STAR_conciletime_com.txt
    ├── SectigoRSADomainValidationSecureServerCA.txt
    └── USERTrustRSAAAACA.txt

3 directories, 13 files
You’ll need to concatenate these files together into one PEM bundle before uploading them. The folder name contains spaces, so quote the paths or the shell will split them into separate arguments.
cat "comodo_conciletime_crt_2020/CER - CRT Files/AAACertificateServices.crt" > comodo-conciletime-certchain_2020.pem
cat "comodo_conciletime_crt_2020/CER - CRT Files/USERTrustRSAAAACA.crt" >> comodo-conciletime-certchain_2020.pem
cat "comodo_conciletime_crt_2020/CER - CRT Files/SectigoRSADomainValidationSecureServerCA.crt" >> comodo-conciletime-certchain_2020.pem
cat "comodo_conciletime_crt_2020/CER - CRT Files/STAR_conciletime_com.crt" >> comodo-conciletime-certchain_2020.pem
Upload certificate
Use the cf custom-domain-upload-certificate-chain command to upload the new combined certificate bundle you just created, referencing the new key name.
cf custom-domain-upload-certificate-chain ComodoConcileTimeKey2020 comodo-conciletime-certchain_2020.pem
Check the domain status
Use the cf custom-domain-list command to check the status of your current and new certificates.
cf custom-domain-list
Command: custom-domain-list
Organisation: ConcileTime (4d641712-8d17-45c6-adca-65c4f61e4202)
API Endpoint: https://api.cf.us10.hana.ondemand.com
Default API Server: https://custom-domain-certificates-api.cf.us10.hana.ondemand.com
Activated Certificates: 1
Activated Certificates Quota: 2
Domain Name: conciletime.com
Key: ComodoConcileTimeKey
Key Status: created, certificate chain uploaded
Certificate Status: EXPIRED
Client Authentication: disabled
Custom Domain Status: activated
Key: ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status: valid
Client Authentication: disabled
Custom Domain Status: deactivated
Domain Name: *.conciletime.com
Key: ComodoConcileTimeKey
Key Status: created, certificate chain uploaded
Certificate Status: EXPIRED
Client Authentication: disabled
Custom Domain Status: activated
Key: ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status: valid
Client Authentication: disabled
Custom Domain Status: deactivated
Deactivate the existing certificate
Deactivate the currently activated (expired) certificate on the domain with the following command.
cf custom-domain-deactivate conciletime.com --verbose
Double check the status with cf custom-domain-list.
You also have to do this for the wildcard domain. Quote the name so the shell does not expand the asterisk against files in the current directory.
cf custom-domain-deactivate '*.conciletime.com' --verbose
Again, double check the status with cf custom-domain-list.
Activate the new certificate
Now we can activate the new certificate for both the domain and the wildcard domain (again quoting the wildcard name).
cf custom-domain-activate ComodoConcileTimeKey2020 conciletime.com --verbose
cf custom-domain-activate ComodoConcileTimeKey2020 '*.conciletime.com' --verbose
Again, double check the status with cf custom-domain-list.
You should see something similar to this.
Domain Name: conciletime.com
Key: ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status: valid
Client Authentication: disabled
Custom Domain Status: activated
Domain Name: *.conciletime.com
Key: ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status: valid
Client Authentication: disabled
Custom Domain Status: activated
Then restage your applications that use the custom domain.
cf restage concile_web_v0
cf restage concile_utl_v0
...
Test that the certificate is being served properly
Go into your browser and enter the URL of one of your apps that uses your custom domain.
You should see a nice happy lock symbol next to the location in the browser.
Also, when you look at the certificate details, it should show that the certificate is valid and carries the new expiry date.
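Beyond the browser's lock icon, the check below confirms in code that the certificate a host actually serves is unexpired and that its wildcard covers the app hostname (the reason the post insists on an asterisk in the CN and activates both the bare and the wildcard domain). It is an added example, not part of the original post or of the cf CLI; SAMPLE_CERT is a constructed stand-in for the dict Python's getpeercert() returns, and app.conciletime.com is an assumed hostname.

```python
# Added example (not from the original post or the cf CLI): check the served certificate.
import socket
import ssl
import time

# Constructed stand-in with the shape ssl's getpeercert() returns; not a real certificate.
SAMPLE_CERT = {"notAfter": "Jan  1 00:00:00 2000 GMT",  # 946684800 seconds since the epoch
               "subjectAltName": (("DNS", "*.conciletime.com"), ("DNS", "conciletime.com"))}

def hostname_covered(cert, hostname):
    # A wildcard covers exactly one label: '*.conciletime.com' matches 'app.conciletime.com'
    # but not 'conciletime.com' or 'a.b.conciletime.com', hence both domains get activated.
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]  # ".conciletime.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
        elif name == host:
            return True
    return False

def check_served_cert(cert, hostname, now=None, min_days=14):
    # Returns a list of problems (empty means fine); notAfter is parsed by ssl, left < 0 is expired.
    now = time.time() if now is None else now
    left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    problems = []
    if left < 0:
        problems.append("certificate expired %.1f days ago" % -left)
    elif left < min_days:
        problems.append("certificate expires in %.1f days" % left)
    if not hostname_covered(cert, hostname):
        problems.append("no subjectAltName covers " + hostname)
    return problems

def fetch_peer_cert(hostname, port=443):
    # TLS handshake with SNI; the default context already rejects an expired chain here.
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host = "app.conciletime.com"  # assumed hostname; replace with one of your own apps
    print(check_served_cert(fetch_peer_cert(host), host) or ["OK"])
```

If the old chain is still being served, fetch_peer_cert raises SSLCertVerificationError before any of the checks run, which matches the delay the comments below describe after activation.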
Wow, this post got quite long again, even for just renewing a certificate. If you were able to hang with me, congratulations! Let me know how your efforts at using custom domains in your apps are going, or leave me a question below.
-Andrew
Nice article, thanks for sharing.
Hi Andrew,
Thanks for the beautiful blog, it is very easy to understand.
I successfully renewed the certificate and I can see the validity of my new certificate at the Cloud Foundry subaccount level.
I restaged and restarted the application in the cloud level, but still, when I am trying to access the URL, the old certificate validity is showing. Am I missing something?
https://help.sap.com/viewer/74af813c7ee2457cb5eddca0cc70a0c1/Cloud/en-US/721233b8efcf401094778a78f1bf2a66.html
As per the SAP documentation, it looks like we need to wait at least 1 day for the change to be reflected. I will check and update.
After 2 hours, the new certificate validity is reflected. Thanks for your help Andrew. Both your blogs helped us to set up the custom domain in our environment and also to renew it in a simple way.