Update SSL Certificate for TCM




Description of Issue

The SSL certificate for TCM has expired or needs to be updated



Context
  • Apache Tomcat

  • SSL Certificate

  • Tyler Content Manager (TCM)

  • TCM Certificate



Cause

The existing SSL certificate is set to expire soon or has already expired



Resolution
  • Before starting, you will need to obtain a copy of the certificate as a .PFX along with the password

  • The Certificate Utility works best when the .PFX is placed on the desktop of the TCM server with a simple name such as cert20xx.pfx

  • The .PFX file name and the directory path cannot have any spaces

    • A common path is a non-OneDrive Desktop location

  • Certificate passwords must:

    • Be at least 8 digits long

    • Not contain any special characters


  1. Connect to the TCM server with an administrative account such as tylerservice

  2. Place a copy of the new certificate in .PFX format on the desktop

  3. Open File Explorer

  4. Navigate to the Apache Certs directory (Ex: D:\ApacheCerts)

  5. Clean up old files in this directory (previous .pfx files, files with a .old extension, etc.)

  6. Rename the existing certificate file by adding .old to the end of the file name

    1. Ex: Cert.pem.old

  7. Use the TCM Cert Utility to convert the .PFX certificate*

    1. Navigate to D:\Tyler Installs\CertUtil

    2. Right click CertUtility.exe > Run as administrator

      1. Cert Path: Current location of .PFX

        1. Click Browse

        2. Select file

        3. Click Open

        4. Note: The current path of the .PFX file must not contain any spaces

      2. Cert Destination: ApacheCerts folder

        1. Ex: D:\ApacheCerts

        2. Click Browse

        3. Expand This PC

        4. Expand applicable drive

        5. Click ApacheCerts folder

        6. Click OK

      3. Cert Password: type in certificate password

      4. Click Create PEM

  8. Navigate back to D:\ApacheCerts and rename the new .pem to match the previous cert’s name if needed

    1. For instance: SSLCert.pem

    2. The certificate name can be verified in the server.xml file located in <DRV>:\Program Files\Apache Software Foundation\XXXX\Conf

  9. Open Windows Services and restart the Apache service(s)

    1. Please note: It may take a few minutes for Apache to fully start back up. If you receive a 503 error trying to access TCM, please wait a few more minutes and try again. 

  10. Open a browser and navigate to the TCM URL to verify that the certificate is now updated

  11. Test launching the desktop client

    1. If a PKIX error is received, please contact Tyler Systems Management Support or log a case via the Online Support Client Portal
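
One way to script the check in step 10, as an added example that is not part of the original article or of Tyler's tooling: it compares the certificate Apache is actually serving with the certificate(s) in the new .pem and reports the expiry date. The host name `tcm.example.org`, port 443, TLS 1.2 and the `SSLCert.pem` file name are assumptions; replace them with your own values.

```powershell
# Added example. Assumed values (not from the article): adjust to your environment.
$PemPath = 'D:\ApacheCerts\SSLCert.pem'   # example name from step 8; confirm in server.xml
$TcmHost = 'tcm.example.org'              # placeholder TCM host name
$TcmPort = 443                            # assumed HTTPS port

function Get-PemCertificates {
    param([string]$Path)
    $text = Get-Content -Path $Path -Raw
    # The .pem may also contain a private key and chain certificates;
    # only CERTIFICATE blocks are decoded, the key is never touched.
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern, 'Singleline')) {
        [byte[]]$der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Get-ServedCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Validation is bypassed only so an expired or untrusted certificate
        # can still be inspected; no application data is sent on this connection.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    }
    finally { $client.Close() }
}

$served = Get-ServedCertificate -HostName $TcmHost -Port $TcmPort
$onDisk = @(Get-PemCertificates -Path $PemPath)
if ($onDisk.Count -eq 0) { throw "No CERTIFICATE block found in $PemPath" }

'Served : {0}' -f $served.Subject
'Expires: {0:u}  Thumbprint: {1}' -f $served.NotAfter, $served.Thumbprint

if ($onDisk.Thumbprint -contains $served.Thumbprint) {
    "OK: Apache is serving a certificate from $PemPath"
} else {
    "MISMATCH: Apache is not serving the certificate in $PemPath (service not restarted, or server.xml points at another file)"
}
if ($served.NotAfter -lt (Get-Date)) { 'WARNING: the served certificate has expired' }
```

A mismatch right after step 9 usually means Apache has not finished restarting or that server.xml references a different file name than the one the new .pem was given.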



Additional Information

*If you do not have the CertUtility installed on your TCM server, please contact Tyler Systems Management Support or log a case via the Online Support Client Portal

TCM Full Client certificate error using JLink - PKIX path building failed