
Renewing Your Custom Domain Certificate For Multi-Target Applications

Well, it’s been a year since my blog post Step-By-Step Guide to Custom Domains with Multitenant Multi-Target Applications, and the wildcard domain certificate for *.conciletime.com has expired.  I could have replaced it before it expired, but I wanted to show what happens when you neglect renewing your custom domain certificates.

Indeed when we look at the certificate details, it’s expired.

If you are setting up a custom domain in SAP Cloud Foundry for the first time, please follow Step-By-Step Guide to Custom Domains with Multitenant Multi-Target Applications; this blog post covers the additional steps that are required for the renewal use case.

Generate a new private key and new CSR

Now you need to create a new domain key with a name that differs from the one you created the first time.  Both keys will exist in Cloud Foundry, so their names need to be unique.  This is the private key that will be used to create your Certificate Signing Request (CSR).  You’ll need to supply some details and list the domain names you’ll use with the resultant certificate: “C=US, ST=State, O=ConcileTime, CN=*.conciletime.com”.  Be sure that the CN value contains an asterisk (*), or the certificate won’t work for all possible hostnames generated for your domain name.

cf custom-domain-create-key ComodoConcileTimeKey2020 "C=US, ST=State, O=ConcileTime, CN=*.conciletime.com" conciletime.com --verbose

Download the CSR

Now get the new CSR with the following command. Save the CSR text somewhere safe under a new file name, as you’ll need it later.

cf custom-domain-get-csr ComodoConcileTimeKey2020 comodo_conciletime_csr_2020.pem

Send the new CSR to get signed

Purchasing another wildcard SSL certificate

I’m going to assume that you will be going back to the certificate provider you used to purchase the domain certificate originally.  A detailed section on the process is provided in the first blog post.

You’ll have to pay again for another year or more to continue.

Follow your certificate provider’s instructions for renewing a domain certificate.  I’m going to be again using Comodo for illustration, but your screens will look different.

Take the output of the cf custom-domain-get-csr command above and paste the certificate signing request into the text area of step 4.

Since we selected CNAME Auth in step 3 above, we need to go to our DNS provider and create a CNAME record as described.

You may have to wait a bit for the DNS change to propagate across the Internet.  Then you can test to be sure the change took effect; the hostname below is the validation record your provider gives you.

dig _xxxxxxxxxxxxxxxxxxxxxxxdxda30aaa.conciletime.com

When you get confirmation that your certificate has been generated properly, download it and unzip it.  Here’s what the folder looks like.

comodo_conciletime_crt_2020.zip

$ tree
.
├── !\ PRIVATE\ KEY\ INFO\ !.txt
├── CER\ -\ CRT\ Files
│   ├── AAACertificateServices.crt
│   ├── My_CA_Bundle.ca-bundle
│   ├── STAR_conciletime_com.crt
│   ├── SectigoRSADomainValidationSecureServerCA.crt
│   └── USERTrustRSAAAACA.crt
├── Choosing\ the\ Right\ Files\ to\ Install.txt
├── PKCS7\ File
│   └── PKCS7.p7b
└── Plain\ Text\ Files
    ├── AAACertificateServices.txt
    ├── CA\ Bundle.txt
    ├── STAR_conciletime_com.txt
    ├── SectigoRSADomainValidationSecureServerCA.txt
    └── USERTrustRSAAAACA.txt
3 directories, 13 files

You’ll need to concatenate these files into a single PEM chain file before uploading it.

cat comodo_conciletime_crt_2020/CER\ -\ CRT\ Files/AAACertificateServices.crt > comodo-conciletime-certchain_2020.pem
cat comodo_conciletime_crt_2020/CER\ -\ CRT\ Files/USERTrustRSAAAACA.crt >> comodo-conciletime-certchain_2020.pem
cat comodo_conciletime_crt_2020/CER\ -\ CRT\ Files/SectigoRSADomainValidationSecureServerCA.crt >> comodo-conciletime-certchain_2020.pem
cat comodo_conciletime_crt_2020/CER\ -\ CRT\ Files/STAR_conciletime_com.crt >> comodo-conciletime-certchain_2020.pem

Upload certificate

Use the cf custom-domain-upload-certificate-chain command to upload the composite certificate bundle you just created.

cf custom-domain-upload-certificate-chain ComodoConcileTimeKey2020 comodo-conciletime-certchain_2020.pem

Check the domain status

Use the cf custom-domain-list command to check the status of your current and new certificates.

cf custom-domain-list

Command: custom-domain-list
Organisation:  ConcileTime  (4d641712-8d17-45c6-adca-65c4f61e4202)
API Endpoint:  https://api.cf.us10.hana.ondemand.com
Default API Server:  https://custom-domain-certificates-api.cf.us10.hana.ondemand.com
Activated Certificates: 1
Activated Certificates Quota: 2

Domain Name:  conciletime.com

Key:  ComodoConcileTimeKey
Key Status: created, certificate chain uploaded
Certificate Status:  EXPIRED
Client Authentication:  disabled
Custom Domain Status:  activated

Key:  ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status:  valid
Client Authentication:  disabled
Custom Domain Status:  deactivated


Domain Name:  *.conciletime.com

Key:  ComodoConcileTimeKey
Key Status: created, certificate chain uploaded
Certificate Status:  EXPIRED
Client Authentication:  disabled
Custom Domain Status:  activated

Key:  ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status:  valid
Client Authentication:  disabled
Custom Domain Status:  deactivated

Deactivate the existing certificate

Deactivate the expired certificate on the base domain with the following command.

cf custom-domain-deactivate conciletime.com --verbose

Double check the status with cf custom-domain-list.

You also have to do this for the wildcard domain.

cf custom-domain-deactivate *.conciletime.com --verbose

Again, double check the status with cf custom-domain-list.

Activate the new certificate

Now we can activate the new certificate on both the domain and the wildcard domain.

cf custom-domain-activate ComodoConcileTimeKey2020 conciletime.com --verbose
cf custom-domain-activate ComodoConcileTimeKey2020 *.conciletime.com --verbose

Again, double check the status with cf custom-domain-list.

You should see something similar to this.

Domain Name:  conciletime.com

Key:  ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status:  valid
Client Authentication:  disabled
Custom Domain Status:  activated

Domain Name:  *.conciletime.com

Key:  ComodoConcileTimeKey2020
Key Status: created, certificate chain uploaded
Certificate Status:  valid
Client Authentication:  disabled
Custom Domain Status:  activated

IMPORTANT! Restage all the apps to pick up the new certificate!

cf restage concile_web_v0
cf restage concile_utl_v0
...

Test that the certificate is being served properly

Go into your browser and enter the URL of one of your apps that uses your custom domain.

You should see a nice happy lock symbol next to the location in the browser.

Also, when you look at the certificate details, it should show that it’s valid.

Wow, this post got quite long again, even for just renewing a certificate.  If you were able to hang with me, congratulations!  Let me know how your efforts at using custom domains in your apps are going, or leave me a question below.
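The browser check above is manual; here is a scripted version of the same test, written for this post as an added example (it is not code from the post or from SAP). It fetches the certificate actually served on a host under your custom domain, checks how many days remain before notAfter, and applies the one-label wildcard rule from the CN note earlier in the post (which is also why the list output shows conciletime.com and *.conciletime.com as separate entries). The hostname www.conciletime.com is an assumed placeholder.

```python
"""Verify the certificate served on a custom domain after activation and restage."""
import socket
import ssl
from datetime import datetime, timezone

# Format used by ssl.getpeercert()['notAfter'], e.g. 'Jun  9 23:59:59 2021 GMT'
_NOT_AFTER_FMT = "%b %d %H:%M:%S %Y %Z"


def days_remaining(not_after, now=None):
    """Days until the certificate's notAfter; negative once it has expired."""
    expires = datetime.strptime(not_after, _NOT_AFTER_FMT).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).total_seconds() / 86400


def hostname_covered(hostname, san_names):
    """True if a DNS SAN entry matches hostname.

    A leading '*' matches exactly one label, so *.conciletime.com covers
    app.conciletime.com but neither conciletime.com nor a.b.conciletime.com.
    """
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


def check_host(hostname, port=443, min_days=30):
    """Fetch the served cert and return (ok, details); ok needs coverage + min_days."""
    ctx = ssl.create_default_context()  # an expired chain fails here, as in a browser
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days = days_remaining(cert["notAfter"])
    ok = hostname_covered(hostname, sans) and days >= min_days
    return ok, {"sans": sans, "days_remaining": round(days, 1)}


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["www.conciletime.com"]:  # placeholder host
        try:
            print(host, check_host(host))
        except ssl.SSLError as exc:  # expired, untrusted, or mismatched certificate
            print(host, "TLS failure:", exc)
```

Run it with every hostname your apps use on the custom domain; a restage that was missed shows up as an SSLError or a low days_remaining value.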

-Andrew
