How to update your taxware.net SSL certificate (Java)

This article is for SOAP customers who are still using the taxware.net endpoints.

Before you begin

  • Make sure that the Java Web Services Client exists and that the smoke test is working properly.
  • Make sure that the JAVA_HOME and PATH environment variables are set to appropriate values in the command prompt where the keytool command is executed. Use the syntax below to set the variables:
    • Windows
      • set JAVA_HOME='Java Home Path' (Example: set JAVA_HOME=D:\jdk1.7.0_79)
    • Non-Windows
      • export JAVA_HOME='Java Home Path' (Example: export JAVA_HOME=/home/TaxwareEnterprise/jdk1.7.0_79)
      • export PATH=$JAVA_HOME/bin:$PATH
  • Download the new Sovos Server SSL certificate from the Sovos Portal and rename the certificate from serverssl2025taxware.cer to serverssl.crt.
  • Make sure you have the keystore password for the current Web Services Client.

 

Extract the intermediate certificate

  1. Open the certificate that you downloaded from the Sovos Portal. If you use Windows, you can double-click the certificate to open it.
  2. Click on the Certification Path tab.



  3. Click on Go Daddy Secure Certificate Authority - G2, then click View Certificate. This is the intermediate certificate.



  4. The intermediate certificate will open. Click on the Details tab.



  5. Click Copy to File... to launch the Certificate Export Wizard.



  6. In the Certificate Export Wizard, click Next.



  7. Select Base-64 encoded X.509 (.CER), then click Next.



  8. Enter SovosIntermediateCert in the File name field, then click Next.



  9. Make sure that the file will be saved in the Certs folder in the adapter directory. Click Finish to save the file.

 

Add the new Server SSL certificate

  1. Back up the existing Web Services Client directories, including sub-folders. This will allow you to roll back in case something happens while updating the certificate.
  2. Place the new Server SSL certificate into <Web Services Client>\certs.
  3. Run the keytool command from <Web Services Client> to add the Server SSL certificate for the new environment to the serverssl keystore. This command should be executed in a single line:
    • Windows: keytool -import -trustcacerts -alias SOVOS2024 -file certs\serverssl.crt -keystore keystores\serverssl.jks
    • Non-Windows: keytool -import -trustcacerts -alias SOVOS2024 -file certs/serverssl.crt -keystore keystores/serverssl.jks
  4. When prompted, enter the following information.
    • Enter keystore password: If the Certificate Management Utility was used to create a signing request, enter the certificate store password that was entered when creating the certificate signing request.
    • Trust this certificate? [no]: Enter yes.

 

Add the intermediate certificate

  1. Place the new intermediate certificate into <Web Services Client>\certs.
  2. Run the keytool command from <Web Services Client> to add the intermediate certificate to the serverssl keystore. This command should be executed in a single line:
    • Windows: keytool -import -trustcacerts -alias SOVOSINT -file certs\SovosIntermediateCert.cer -keystore keystores\serverssl.jks
    • Non-Windows: keytool -import -trustcacerts -alias SOVOSINT -file certs/SovosIntermediateCert.cer -keystore keystores/serverssl.jks
  3. When prompted, enter the following information.
    • Enter keystore password: If the Certificate Management Utility was used to create a signing request, enter the certificate store password that was entered when creating the certificate signing request.
    • Trust this certificate? [no]: Enter yes.
  4. Run the keytool command from the Web Services Client root directory to check that the new serverssl certificate exists in the keystore:
    • Windows: keytool -list -v -keystore keystores\serverssl.jks
    • Non-Windows: keytool -list -v -keystore keystores/serverssl.jks
  5. When prompted, enter the keystore password.
      • If the Certificate Management Utility was used to create a signing request, enter the certificate store password that was entered when creating the certificate signing request.
      • Otherwise, enter the password used for keystore creation.
    The command output should list four certificates:
    • One for the current environment
    • One for the new Sovos environment with the new alias name
    • One for the intermediate certificate
    • A mykey entry
  6. Run the smoke test to make sure you're able to connect to Sovos' servers.

 

Delete the old SSL certificate and rename the new certificate

  1. Run the keytool command from <Web Services Client> to retrieve existing alias names in the current environment:
    • Windows: keytool -list -v -keystore keystores\serverssl.jks
    • Non-Windows: keytool -list -v -keystore keystores/serverssl.jks
  2. Run the keytool command from <Web Services Client> to remove the old server SSL certificate from the serverssl keystore, replacing <Old Alias> with the alias name you retrieved in the previous step. This command should be executed in a single line:
    • Windows: keytool -delete -v -alias <Old Alias> -keystore keystores\serverssl.jks
    • Non-Windows: keytool -delete -v -alias <Old Alias> -keystore keystores/serverssl.jks
  3. In <Web Services Client>\certs, note the name of the original certificate file (e.g. serverssl.crt).
  4. Delete the original certificate file, then rename the new certificate file to match the old certificate file name. For example, if the original certificate file was named serverssl.crt, delete serverssl.crt and then rename the new certificate file to serverssl.crt. <Web Services Client> should now only contain one certificate.
  5. Run the smoke test to make sure you're able to connect to Sovos' servers.
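
The listing check in "Add the intermediate certificate" (four entries expected) and the alias lookup in step 1 of this section can be scripted. The following is an added example, not part of the Sovos procedure or tooling; it assumes keytool's "Alias name:" line format, and the old alias taxwareold in the sample listing is invented.

```shell
#!/bin/sh
# Aliases created by the import commands in this article. JKS keystores store
# aliases in lower case, so everything is compared lower-cased.
EXPECTED_NEW="sovos2024 sovosint mykey"

# Print each alias from a `keytool -list -v` listing on stdin, lower-cased.
list_aliases() {
    sed -n 's/^Alias name: *//p' | tr -d '\r' | tr '[:upper:]' '[:lower:]'
}

# Print aliases not in EXPECTED_NEW: the candidates for <Old Alias>.
old_aliases() {
    list_aliases | while read -r a; do
        case " $EXPECTED_NEW " in
            *" $a "*) ;;
            *) printf '%s\n' "$a" ;;
        esac
    done
}

# Succeed only if the three new aliases are present and there are four entries.
check_listing() {
    aliases=$(list_aliases)
    for want in $EXPECTED_NEW; do
        printf '%s\n' "$aliases" | grep -qxF "$want" ||
            { echo "missing alias: $want" >&2; return 1; }
    done
    count=$(printf '%s\n' "$aliases" | grep -c . || true)
    [ "$count" -eq 4 ] || { echo "expected 4 entries, found $count" >&2; return 1; }
}

# Constructed sample listing; "taxwareold" is a made-up alias for the old certificate.
SAMPLE='Keystore type: JKS

Your keystore contains 4 entries

Alias name: taxwareold
Alias name: sovos2024
Alias name: sovosint
Alias name: mykey'

# Demo on the sample. For a real keystore, pipe in the article's command:
#   keytool -list -v -keystore keystores/serverssl.jks | check_listing
printf '%s\n' "$SAMPLE" | check_listing &&
    echo "old alias: $(printf '%s\n' "$SAMPLE" | old_aliases)"
```

If old_aliases prints more than one name, confirm which entry belongs to the current environment before running the -delete command.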

 

Run the smoke test

Run runsmoketest.sh or runsmoketest.bat in the Web Services Client directory to check if you are connected to the SOAP server. Check the smoke test log file (Soapclient_error.log) to see if there are errors.

The following image is an example of a successful smoke test:

 

Restart adapter services

After you've removed the old alias entry and run a successful smoke test, you must restart your adapter services.

 

Additional steps for multiple adapters

If you have multiple adapters that use the same keystore files (clones), you can follow these steps to speed up the upgrade process and minimize downtime requirements.

  1. Back up the existing Web Services Client directories, including sub-folders. This will allow you to roll back in case something happens while updating the certificate.
  2. Copy the Certs and Keystores directories from an updated adapter.
  3. Paste the Certs and Keystores directories into the non-updated adapter and overwrite the existing files.
  4. Run a smoke test.
  5. Restart the service. If you have multiple services, you can keep them available during the update process by updating and restarting one adapter service at a time.
  6. Repeat steps 1-5 until complete.