25 May, 2025
Why Won't You Just Die? How to Update a SOLR Certificate and Deal With Stuck Services
In this example I'm replacing a small QA environment's SOLR 8.11.2 certificate. You'll see that I had an issue with the one provided to me, so I just wound up making a new one as it's only available locally and the system is not publicly accessible.
Replacing Your SOLR Certificate
Ok let's start with the easy part, or so I thought. In this lower environment I didn't have to worry about uptime, so I just stopped my service. This is just habit and I'm not sure it's needed.
net stop qasolr-8.11.2
The next step was to open c:\solr\solr-8.11.2\server\etc\ and drop the new .pfx file in there.
Finally (yes, it's this fast), I opened the solr.in.cmd file in c:\solr\solr-8.11.2\bin\, and scrolled way to the bottom to edit the important bits, replacing:
set SOLR_SSL_KEY_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE=etc/solr-ssl.keystore.p12
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
with
set SOLR_SSL_KEY_STORE=C:\Solr\qasolr-8.11.2\server\etc\qa-solr-cert.pfx
set SOLR_SSL_KEY_STORE_PASSWORD=secret
set SOLR_SSL_KEY_STORE_TYPE=PKCS12
set SOLR_SSL_TRUST_STORE=C:\Solr\qasolr-8.11.2\server\etc\qa-solr-cert.pfx
set SOLR_SSL_TRUST_STORE_PASSWORD=secret
set SOLR_SSL_TRUST_STORE_TYPE=PKCS12
The cert's password is “secret”, if that wasn't obvious. It'll be important in a minute.
After you've saved the file, you can restart SOLR with:
net start qasolr-8.11.2
Once started I checked https://qa.mydomain.ca:8983/solr/#/, but the certificate was invalid. At this point stopping the SOLR service to edit settings wasn't happening. We got a problem.
How to Get the Service to Stop
One surefire way to stop a service is to use taskkill, but you need the PID of the instance first.
sc queryex qasolr-8.11.2

Next:
taskkill /f /pid 2192
Great, we can continue right? Wrong. When I tried to start SOLR again I received the following error:
The qasolr-8.11.2 service terminated with the following service-specific error:
Incorrect function.
It turns out killing java.exe when you're this stuck is needed as well:
taskkill /im java.exe /f
Fine, I'll Do It Myself
I tried several times to figure out what's wrong with the certificate I was provided, but in the end I just made one myself, remembering to keep the password as secret (no special characters allowed):
New-SelfSignedCertificate -Subject "QA Certificate" -DnsName "*.mydomain.ca" -CertStoreLocation "cert:\LocalMachine\My" -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10)
Once generated, this new certificate should be imported to the trusted store and replace the pfx file above. It did the trick and my browser test had a valid https connection!
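The generate, export, trust and replace steps above as one PowerShell sequence, with a check that the PFX opens with the configured password before SOLR is restarted. This is an added example, not part of the original post; it assumes "the trusted store" means Cert:\LocalMachine\Root, reuses the PFX path from the solr.in.cmd settings above, and uses a scratch .cer path in %TEMP% chosen for illustration.

```powershell
# Added example. Run in an elevated PowerShell session.
# Path and password come from the solr.in.cmd settings in the post;
# $cerPath is an assumed scratch location for the public certificate.
$pfxPath  = 'C:\Solr\qasolr-8.11.2\server\etc\qa-solr-cert.pfx'
$cerPath  = Join-Path $env:TEMP 'qa-solr-cert.cer'
$plainPw  = 'secret'
$password = ConvertTo-SecureString -String $plainPw -AsPlainText -Force

# 1. Create the self-signed certificate (same parameters as the post).
$cert = New-SelfSignedCertificate -Subject 'QA Certificate' -DnsName '*.mydomain.ca' `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyExportPolicy Exportable -NotAfter (Get-Date).AddYears(10)

# 2. Export certificate + private key as the PFX that SOLR_SSL_KEY_STORE points to.
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $password | Out-Null

# 3. Export the public certificate only and trust it on this machine.
#    Assumption: Trusted Root (LocalMachine\Root) is the store the post refers to.
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Verify the PFX the way SOLR will use it: it must open with the password
#    from solr.in.cmd, contain a private key, and not be expired.
try {
    $check = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($pfxPath, $plainPw)
} catch {
    throw "PFX at $pfxPath could not be opened with the configured password: $_"
}
if (-not $check.HasPrivateKey)      { throw "PFX at $pfxPath has no private key" }
if ($check.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($check.NotAfter)" }
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'PFX does not match the generated certificate' }

'{0}  {1}  expires {2:yyyy-MM-dd}' -f $check.Thumbprint, $check.Subject, $check.NotAfter
```

The Root import only establishes trust on the machine where it runs, so a browser on another workstation will still show the certificate as invalid until the same .cer is imported there.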