diff --git a/HIRS_AttestationCA/build.gradle b/HIRS_AttestationCA/build.gradle index c6f20171..c0245393 100644 --- a/HIRS_AttestationCA/build.gradle +++ b/HIRS_AttestationCA/build.gradle @@ -41,7 +41,7 @@ dependencies { implementation libs.minimal.json implementation 'org.apache.logging.log4j:log4j-core:2.19.0' implementation 'org.apache.logging.log4j:log4j-api:2.19.0' - + // spring management compileOnly libs.lombok implementation libs.lombok diff --git a/HIRS_AttestationCAPortal/build.gradle b/HIRS_AttestationCAPortal/build.gradle index 78d9a1dd..78672323 100644 --- a/HIRS_AttestationCAPortal/build.gradle +++ b/HIRS_AttestationCAPortal/build.gradle @@ -52,7 +52,7 @@ dependencies { implementation 'org.apache.tomcat.embed:tomcat-embed-jasper:10.1.5' compileOnly 'org.projectlombok:lombok' - runtimeOnly 'org.mariadb.jdbc:mariadb-java-client' + runtimeOnly 'org.mariadb.jdbc:mariadb-java-client:3.1.0' annotationProcessor 'org.projectlombok:lombok' providedRuntime 'org.springframework.boot:spring-boot-starter-tomcat' @@ -166,10 +166,4 @@ ospackage { arch = 'amd64' } -bootRun { - if ( project.hasProperty('jvmArgs') ) { - jvmArgs = (project.jvmArgs.split("\\s+") as List) - - } -} } diff --git a/HIRS_AttestationCAPortal/src/main/resources/application.properties b/HIRS_AttestationCAPortal/src/main/resources/application.properties index 1e1b5c54..49540c3c 100644 --- a/HIRS_AttestationCAPortal/src/main/resources/application.properties +++ b/HIRS_AttestationCAPortal/src/main/resources/application.properties 
@@ -1,29 +1,13 @@ -#server.error.path=/error -#spring.mvc.view.prefix=/WEB-INF/jsp/ -#spring.mvc.view.suffix=.jsp - # Logging Config (tomcat may have further config) -logging.level.org.springframework=DEBUG -logging.level.org.apache.catalina=DEBUG -logging.level.org.springframework.web: DEBUG +logging.level.org.springframework=TRACE +logging.level.org.apache.catalina=TRACE +logging.level.org.springframework.web: TRACE logging.level.org.hibernate: ERROR logging.file.path=/var/log/hirs logging.file.name=hirs.spring.log # Database Config spring.jpa.hibernate.ddl-auto=update -#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false -spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&sslMode=PREFERRED -#spring.datasource.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=true&clientCertificateKeyStoreType=JKS&clientCertificateKeyStorePassword="123456"&clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=JKS -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="123456" -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.jks - -#spring.datasource.hikari.data-source-properties.autoReconnect=true$useSSL=true -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreType=PCKS12 -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStorePassword="1234" -#spring.datasource.hikari.data-source-properties.clientCertificateKeyStoreUrl=file:/etc/hirs/certificates/HIRS/rsa_3k_sha384_certs/HIRS_db_client_rsa_3k_sha384.p12 -spring.datasource.username=hirs_db jakarta.persistence.sharedCache.mode = UNSPECIFIED spring.datasource.driver-class-name=org.mariadb.jdbc.Driver 
#spring.datasource.driver-class-name=com.mysql.cj.jdbc.Driver @@ -43,6 +27,19 @@ server.tomcat.accesslog.prefix=Tomcat_accesslog_ server.tomcat.accesslog.suffix=.log server.tomcat.accesslog.rotate=true +# Tomcat TLS support +server.port=8443 +server.ssl.enabled=true +server.ssl.trust-store-type=JKS +server.ssl.trust-store=/etc/hirs/certificates/HIRS/TrustStore.jks +server.ssl.trust-alias=hirs_aca_tls_rsa_3k_sha384 +server.ssl.key-store-type=JKS +server.ssl.key-store=/etc/hirs/certificates/HIRS/KeyStore.jks +server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384 + +#--server.ssl.key-store-password=123456 +#--server.ssl.trust-store-password=123456 + #jdbc.driverClassName = com.mysql.cj.jdbc.Driver #jdbc.url = jdbc:mysql://localhost:3306/hirs_db?autoReconnect=true&useSSL=false #jdbc.username = root @@ -52,4 +49,4 @@ server.tomcat.accesslog.rotate=true #spring.jpa.show-sql=true # DB dfault password. -spring.datasource.password=hirs_db +#spring.datasource.password=hirs_db diff --git a/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties b/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties index c7c47c97..6cca0a71 100644 --- a/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties +++ b/HIRS_AttestationCAPortal/src/main/resources/hibernate.properties @@ -1,6 +1,6 @@ -hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false -hibernate.connection.username=hirs_db -hibernate.connection.password=hirs_db +#hibernate.connection.url=jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&useSSL=false +#hibernate.connection.username=hirs_db +#hibernate.connection.password=hirs_db hibernate.connection.driver_class=org.mariadb.jdbc.Driver hibernate.dialect = org.hibernate.dialect.MariaDBDialect hibernate.show_sql = false diff --git a/package/scripts/aca/aca_bootRun.sh b/package/scripts/aca/aca_bootRun.sh index a77d10af..bbecedd8 100644 --- a/package/scripts/aca/aca_bootRun.sh 
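Review bot: Committing `logging.level.org.springframework=TRACE` and `logging.level.org.apache.catalina=TRACE` as the default in the shipped `application.properties` makes the portal log at its most verbose level into `/var/log/hirs/hirs.spring.log`, which at TRACE can include request and header details of the TLS-terminating service; that is a setting for a local debugging session, not a default for a CA. I would keep `logging.level.org.springframework=INFO` (and the same for `org.apache.catalina`) in the committed file and raise them on the command line with `--logging.level.…` when needed. Removing `spring.datasource.username` and commenting out `spring.datasource.password` looks consistent with the credentials now being injected by `aca_bootRun.sh`, but the file should say so, e.g. `# DB credentials are supplied at start-up by aca_bootRun.sh`.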
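Review bot: The new `server.ssl.*` block configures a trust store but sets no `server.ssl.client-auth`, so the trust store has no effect on inbound connections unless client certificates are requested somewhere else; if the ACA is meant to authenticate clients by certificate, add `server.ssl.client-auth=need` (or `want`), otherwise drop the trust-store lines so the file does not imply it. I do not recognise `server.ssl.trust-alias` as a Spring Boot `server.ssl` property; please verify it is consumed, since unknown keys are ignored silently. The `#--server.ssl.key-store-password=123456` and `#--server.ssl.trust-store-password=123456` lines leave a sample password in the committed file; replace them with a comment such as `# key-store/trust-store passwords are passed on the command line by aca_bootRun.sh`.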
+++ b/package/scripts/aca/aca_bootRun.sh 
@@ -1,13 +1,79 @@ #!/bin/bash ##################################################################################### # -# Script to run ACA using the gradle spring pluing bootRun command with password set +# Script to run ACA using the gradle spring pluing bootRun command with parameters +# parameters include setting up the DB with TLS and embedded Tomcat with TLS. # -# -#################################################################################### +##################################################################################### +USE_WAR=$1 CONFIG_FILE="/etc/hirs/aca/application.properties" +ALG=RSA +RSA_PATH=rsa_3k_sha384_certs +ECC_PATH=ecc_512_sha384_certs +SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) +LOG_FILE=/dev/null +source $SCRIPT_DIR/../db/start_mysqld.sh + +if [ $ALG = "RSA" ]; then + CERT_PATH="/etc/hirs/certificates/HIRS/$RSA_PATH" + CERT_CHAIN="$CERT_PATH/HIRS_rsa_3k_sha384_Cert_Chain.pem" + CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_rsa_3k_sha384.p12 + ALIAS="hirs_aca_tls_rsa_3k_sha384" + else + CERT_PATH="/etc/hirs/certificates/HIRS/$ECC_PATH" + CERT_CHAIN="$CERT_PATH/HIRS_ecc_512_sha384_Cert_Chain.pem" + CLIENT_DB_P12=$CERT_PATH/HIRS_db_client_ecc_512_sha384.p12 + ALIAS="hirs_aca_tls_ecc_512_sha384" +fi + +check_for_container +start_mysqlsd + +# Check for sudo or root user +if [ "$EUID" -ne 0 ] + then echo "This script requires root. Please run as root" + exit 1 +fi + +if [ ! -d "$CERT_PATH" ]; then + echo "$CERT_PATH directory does not exist. Please run aca_setup.sh and try again." 
+ exit 1; +fi echo "Starting HIRS ACA on https://localhost:8443/HIRS_AttestationCAPortal/portal/index" -./gradlew bootRun --args="--spring.config.location=$CONFIG_FILE" \ No newline at end of file +source /etc/hirs/aca/aca.properties; + +echo "Client Keystore is $CLIENT_DB_P12" +echo "DB using $hirs_db_username user and user password $hirs_db_password" +echo "Server PKI chain is $CERT_CHAIN" +echo "Server password is $hirs_pki_password" +echo "Tomcat key alias is $ALIAS" + +# Run the embedded tomcat server with Web TLS enabled and database client TLS enabled by overrding critical parameters +# Note "&" is a sub parameter continuation, space represents a new parameter. Spaces and quotes matter. +# hibernate.connection.url is used for the DB connector which established DB TLS connectivity +# server.ssl arguments support the embeded tomcats use of TLS for the ACA Portal +ARGS="--hibernate.connection.url=\"jdbc:mariadb://localhost:3306/hirs_db?autoReconnect=true&\ +user=\"$hirs_db_username\"&\ +password=\"$hirs_db_password\"&\ +sslMode=VERIFY_CA&\ +serverSslCert=$CERT_CHAIN&\ +keyStoreType=PKCS12&\ +keyStorePassword=\"$hirs_pki_password\"&\ +keyStore="$CLIENT_DB_P12" \ +--server.ssl.key-store-password=\"$hirs_pki_password\" \ +--server.ssl.trust-store-password=\"$hirs_pki_password\"\"" + +# --hibernate.connection.driver_class=\"org.mariadb.jdbc.Driver\" \ + +echo "--args="$ARGS"" + +if [ "$USE_WAR" == "war" ]; then + echo "Booting the ACA from a $USE_WAR file..." + java -jar HIRS_AttestationCAPortal/build/libs/HIRS_AttestationCAPortal.war $ARGS +else + echo "Booting the ACA from local build..." + ./gradlew bootRun --args="\"$ARGS\"" +fi diff --git a/package/scripts/aca/aca_setup.sh b/package/scripts/aca/aca_setup.sh index 5e9e03f7..37266bcb 100644 --- a/package/scripts/aca/aca_setup.sh +++ b/package/scripts/aca/aca_setup.sh 
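Review bot: The new echo lines print `$hirs_db_password` and `$hirs_pki_password` in clear text, and `echo "--args="$ARGS""` repeats both inside the assembled JDBC URL, so every run leaves the secrets in terminal scrollback and any captured output; the same values are then handed to `java -jar … $ARGS` and `./gradlew bootRun --args=…` as command-line arguments, where they are visible to other local users through the process list. I would drop the password echoes (`echo "DB using $hirs_db_username user"` is enough) and pass the secrets through the environment or a properties file rather than `--args`. The `ARGS` string also mixes escaped quotes (`\"…\"`) with a bare `"$CLIENT_DB_P12"` and is then expanded unquoted on the `java -jar` line, so it is word-split into many arguments; whether the embedded quotes survive to the JVM is hard to tell from here and should be checked against the running process. Note also that `check_for_container` and `start_mysqlsd` run before the `$EUID` root check, so a non-root invocation tries to start the database before being rejected.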
@@ -12,12 +12,34 @@ LOG_FILE="$LOG_DIR$LOG_FILE_NAME" echo "LOG_FILE is $LOG_FILE" if [ "$EUID" -ne 0 ] - then echo "The first time this script is run, this script requires root. Please run as root" + then echo "This script requires root. Please run as root" exit 1 fi mkdir -p $HIRS_CONF_DIR $LOG_DIR $HIRS_PROP_DIR +# Process parameters +# Argument handling https://stackoverflow.com/questions/192249/how-do-i-parse-command-line-arguments-in-bash +POSITIONAL_ARGS=() + +while [[ $# -gt 0 ]]; do + case $1 in + --skip-db) + ARG_SKIP_DB=YES + shift # past argument + ;; + -*|--*) + echo "aca_setup.sh: Unknown option $1" + ;; + *) + POSITIONAL_ARGS+=("$1") # save positional arg + shift # past argument + ;; + esac +done + +set -- "${POSITIONAL_ARGS[@]}" # restore positional parameters + echo "HIRS ACA Setup initiated on $(date +%Y-%m-%d)" > "$LOG_FILE" pushd $SCRIPT_DIR &>/dev/null @@ -39,12 +61,15 @@ if [ -f $SPRING_PROP_FILE ]; then cp -n $VENDOR_TABLE $HIRS_PROP_DIR/. fi -sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS -if [ $? -eq 0 ]; then - echo "ACA PKI setup complete" | tee -a "$LOG_FILE" - else - echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" - exit 1 +if [ -z "${ARG_SKIP_DB}" ]; then + sh ../pki/pki_setup.sh $LOG_FILE $PKI_PASS + if [ $? -eq 0 ]; then + echo "ACA PKI setup complete" | tee -a "$LOG_FILE" + else + echo "Error setting up ACA PKI" | tee -a "$LOG_FILE" + exit 1 + fi + echo "Warning: Database setup not run due to command line argument: $@" | tee -a "$LOG_FILE" fi sh ../db/db_create.sh $LOG_FILE @@ -55,7 +80,6 @@ if [ $? -eq 0 ]; then exit 1 fi - echo "ACA setup complete" | tee -a "$LOG_FILE" popd &>/dev/null \ No newline at end of file diff --git a/package/scripts/aca/certificate_generate.sh b/package/scripts/aca/certificate_generate.sh deleted file mode 100644 index 17f35bf6..00000000 --- a/package/scripts/aca/certificate_generate.sh +++ /dev/null 
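Review bot: The `-*|--*)` branch of the new option loop does not `shift`, so any unrecognised option leaves `$1` unchanged and `while [[ $# -gt 0 ]]` never terminates; add `shift` after the echo, or better `exit 1`, since an unknown option to a root-run setup script is safer rejected than ignored. The `--*` alternative is redundant because `-*` already matches it.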
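Review bot: The `--skip-db` guard wraps the wrong block: with `ARG_SKIP_DB` unset the PKI setup runs and the "Database setup not run" warning is printed anyway, while `sh ../db/db_create.sh $LOG_FILE` below the `fi` still runs unconditionally, so the flag actually skips PKI generation rather than database creation. The intended shape is presumably `if [ -z "${ARG_SKIP_DB}" ]; then sh ../db/db_create.sh $LOG_FILE … else echo "Warning: …" fi` with the PKI setup left outside the guard; the `$?` check on db_create.sh that follows begins in the next hunk and needs moving together with it. The `$@` in the warning will also be empty at that point, because `set -- "${POSITIONAL_ARGS[@]}"` restored the positional parameters without the option, so the message will not show what triggered the skip.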
@@ -1,90 +0,0 @@ -#!/usr/bin/env bash - -# Check if we're in a Docker container -if [ -f /.dockerenv ]; then - DOCKER_CONTAINER=true -else - DOCKER_CONTAINER=false -fi - -# variables for the CA certificates -CA_PATH=/etc/hirs/certificates -CA_KEYSTORE=${CA_PATH}/TrustStore.jks - -# variables for the ACA certificates -ACA_CERTS=/etc/hirs/aca/certificates -ACA_KEY=${ACA_CERTS}/aca.key -ACA_CRT=${ACA_CERTS}/aca.crt -ACA_P12=${ACA_CERTS}/aca.p12 -ACA_JKS=${ACA_CERTS}/keyStore.jks -ACA_CONF=${ACA_CERTS}/aca.conf - -# generate the OpenSSL conf file -echo "[req]" >> ${ACA_CONF} -echo "req_extensions=aca" >> ${ACA_CONF} -echo "distinguished_name=distname" >> ${ACA_CONF} -echo "" >> ${ACA_CONF} -echo "[aca]" >> ${ACA_CONF} -echo "keyUsage=critical,keyCertSign" >> ${ACA_CONF} -echo "basicConstraints=critical,CA:true" >> ${ACA_CONF} -echo "subjectKeyIdentifier=hash" >> ${ACA_CONF} -echo "" >> ${ACA_CONF} -echo "[distname]" >> ${ACA_CONF} -echo "# empty" >> ${ACA_CONF} - -# generate the ACA signing key and self-signed certificate -openssl req -x509 -config ${ACA_CONF} -extensions aca -days 3652 -set_serial 01 -subj "/C=US/O=HIRS/OU=Attestation CA/CN=$HOSTNAME" -newkey rsa:2048 -nodes -keyout ${ACA_KEY} -out ${ACA_CRT} - -# if the trust store already has an older HIRS_ACA_KEY in it, remove it -keytool -list -keystore ${CA_KEYSTORE} -storepass password -alias HIRS_ACA_KEY -rc=$? 
-if [[ $rc = 0 ]]; then - keytool -delete -alias HIRS_ACA_KEY -storepass password -keystore ${CA_KEYSTORE} -fi - -# load the generated certificate into the CA trust store -keytool -import -keystore ${CA_KEYSTORE} -storepass password -file ${ACA_CRT} -noprompt -alias HIRS_ACA_KEY - -# export the cert and key to a p12 file -openssl pkcs12 -export -in ${ACA_CRT} -inkey ${ACA_KEY} -out ${ACA_P12} -passout pass:password - -# create a key store using the p12 file -keytool -importkeystore -srckeystore ${ACA_P12} -destkeystore ${ACA_JKS} -srcstoretype pkcs12 -srcstorepass password -deststoretype jks -deststorepass password -noprompt -alias 1 -destalias HIRS_ACA_KEY - -# set the password in the aca properties file -sed -i "s/aca\.keyStore\.password\s*=/aca.keyStore.password=password/" /etc/hirs/aca/aca.properties - -# copy the trust store to the ACA -cp ${CA_KEYSTORE} /etc/hirs/aca/client-files/ - -# start up the tomcat service - -# Guess where Tomcat is installed and what it's called: -if [ -d /usr/share/tomcat6 ] ; then - TOMCAT_SERVICE=tomcat6 -elif [ -d /usr/share/tomcat ] ; then - TOMCAT_SERVICE=tomcat -else - echo "Can't find Tomcat installation" - exit 1 -fi - -# restart tomcat after updating the trust store. -if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - if [[ $(ss -t -l -n | grep -q LISTEN.*:::8009) -eq 0 ]]; then - echo "Tomcat is running, so we restart it." - /usr/libexec/tomcat/server stop - # Wait for Tomcat to stop completely and prevent port bind collisions - while [ -z "$(tail -n 1 /var/log/tomcat/catalina.$(date +"%Y-%m-%d").log | grep "Destroying ProtocolHandler \[\"http-bio-8443\"\]")" ]; do - : - done - (/usr/libexec/tomcat/server start) & - # Wait for Tomcat to boot completely - until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do - : - done - fi -else - /sbin/service ${TOMCAT_SERVICE} restart; -fi 
diff --git a/package/scripts/common/firewall_configure_tomcat.sh b/package/scripts/common/firewall_configure_tomcat.sh deleted file mode 100644 index 69064592..00000000 --- a/package/scripts/common/firewall_configure_tomcat.sh +++ /dev/null @@ -1,26 +0,0 @@ -if ! [ $(id -u) = 0 ]; then - echo "Please run this script as root." - exit 1 -fi - -if [[ -f /etc/redhat-release ]] ; then -CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh` -elif [[ -f /etc/os-release ]] ; then -AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh` -fi - -if [ $CENTOS_VER -eq "6" ] ; then - checkHTTPS=`iptables-save | grep -- "--dport 8443 -j ACCEPT"` - if [[ $checkHTTPS == "" ]]; then - echo "Tomcat HTTPS firewall rule doesn't exist, adding now" - iptables -I INPUT 1 -p tcp -m tcp --dport 8443 -j ACCEPT - service iptables save - fi -elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then - firewall-cmd --direct --permanent --add-rule ipv4 filter INPUT 0 -p tcp --dport 8443 -j ACCEPT - firewall-cmd --reload -else - echo "Unsupported Linux detected" - exit 1 -fi - diff --git a/package/scripts/common/get_centos_major_version.sh b/package/scripts/common/get_centos_major_version.sh deleted file mode 100644 index 83475610..00000000 --- a/package/scripts/common/get_centos_major_version.sh +++ /dev/null @@ -1 +0,0 @@ -cat /etc/redhat-release | grep -Eo "release [0-9]" | tail -c 2 \ No newline at end of file diff --git a/package/scripts/common/get_db_service.sh b/package/scripts/common/get_db_service.sh deleted file mode 100644 index 76be3c03..00000000 --- a/package/scripts/common/get_db_service.sh +++ /dev/null @@ -1,8 +0,0 @@ -if [[ $(rpm -qa mariadb*) ]]; then - echo "mariadb" -elif [[ $(rpm -qa mysql-server*) ]]; then - echo "mysqld" -else - echo "Could not determine installed database" - exit 1 -fi \ No newline at end of file 
diff --git a/package/scripts/common/jvm_version_check.sh b/package/scripts/common/jvm_version_check.sh deleted file mode 100755 index 3292bd10..00000000 --- a/package/scripts/common/jvm_version_check.sh +++ /dev/null @@ -1,6 +0,0 @@ -# only argument to this script is the java command to use in this version check -JAVA_SPEC_VER=`$1 -XshowSettings:properties -version 2>&1 | grep java.specification.version | grep -Eo "[0-9]\.[0-9]+"` -case "$JAVA_SPEC_VER" in - "1.8"|"1.9"|"1.10"|"1.11"|"1.12" ) ;; - * ) echo "HIRS needs to be run with a JVM supporting at least specification 1.8. Found $JAVA_SPEC_VER." && exit 1 ;; -esac diff --git a/package/scripts/common/my.cnf.el7 b/package/scripts/common/my.cnf.el7 deleted file mode 100644 index c96f1996..00000000 --- a/package/scripts/common/my.cnf.el7 +++ /dev/null @@ -1,8 +0,0 @@ -#begin-hirs-cfg -ssl-ca=/etc/hirs/certificates/mysql/hirs.ca.cert -ssl-cert=/etc/hirs/certificates/mysql/hirs-cert.pem -ssl-key=/etc/hirs/certificates/mysql/hirs-key.pem -innodb_large_prefix=1 -innodb_file_format=BARRACUDA -innodb_file_per_table=1 -#end-hirs-cfg diff --git a/package/scripts/common/secure_mysql.sql b/package/scripts/common/secure_mysql.sql deleted file mode 100644 index 8589affe..00000000 --- a/package/scripts/common/secure_mysql.sql +++ /dev/null @@ -1,5 +0,0 @@ -DELETE FROM mysql.user WHERE User=''; -DELETE FROM mysql.user WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1'); -DROP DATABASE IF EXISTS test; -DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%'; -FLUSH PRIVILEGES diff --git a/package/scripts/common/ssl_configure.sh b/package/scripts/common/ssl_configure.sh deleted file mode 100755 index 3dc49c55..00000000 --- a/package/scripts/common/ssl_configure.sh +++ /dev/null 
@@ -1,253 +0,0 @@ -#!/usr/bin/env bash - -# certificates and key stores generated by this script -CERTIFICATES="/etc/hirs/certificates" -CA_CERT=${CERTIFICATES}/hirs.ca.cert -INTERNAL_P12=${CERTIFICATES}/hirs.p12 -KEYSTORE_JKS=${CERTIFICATES}/keyStore.jks -TRUSTSTORE_JKS=${CERTIFICATES}/TrustStore.jks -CA_CERT_DIR_ESCAPED=\\/etc\\/hirs\\/certificates - -# 'private' data generated by this script -CA_PEM=${CERTIFICATES}/private/hirs.ca.pem -P12_DATA=${CERTIFICATES}/private/p12.data - -echo 'Checking SSL configuration for HIRS' - -# Check if we're in a Docker container -if [ -f /.dockerenv ]; then - DOCKER_CONTAINER=true -else - DOCKER_CONTAINER=false -fi - -################# -# Key Generation -################# - -# if the CA PEM file does not exist, generate the HIRS CA file and associated keystore and truststores -if ! [ -f $CA_PEM ]; then - echo 'Generating certificates' - # create directory structure - mkdir -p ${CERTIFICATES}/private - - # Generate our random key store password. We need to do this before configuring Tomcat, as we'll - # need to add it to Tomcat's configuration file. Read a block of raw data bytes from /dev/urandom - # and convert it to text characters. Not the greatest, but hey: - echo 'Creating random key material' - P12_PASSWORD=$(head -c 64 /dev/urandom | md5sum | tr -dc 'a-zA-Z0-9') - - # generate a key and certificate. The key is the private key used to sign the well known CA cert. - echo 'Creating 2048 bit key' - openssl req -x509 -nodes -days 3652 -newkey rsa:2048 -keyout ${CA_PEM} -out ${CA_CERT} -subj "/C=US/O=HIRS/OU=Common/CN=$(hostname)" - - # export the certificate and key as a p12 file - echo 'Exporting key' - openssl pkcs12 -export -in ${CA_CERT} -inkey ${CA_PEM} -out ${INTERNAL_P12} -passout pass:${P12_PASSWORD} - - # create a key store using the pk12 file. 
- echo 'Configuring keystore' - keytool -importkeystore -srckeystore ${INTERNAL_P12} -destkeystore ${KEYSTORE_JKS} -srcstoretype pkcs12 -srcstorepass ${P12_PASSWORD} -deststoretype jks -deststorepass ${P12_PASSWORD} -noprompt - - # import the root CA certificate into the trust store. - echo 'Configuring truststore' - keytool -import -keystore ${TRUSTSTORE_JKS} -storepass password -file ${CA_CERT} -noprompt - - # write P12 password to file - echo $P12_PASSWORD > $P12_DATA - - # set appropriate permissions on certificates - chmod 775 /etc/hirs/certificates/ - chmod -R 664 /etc/hirs/certificates/* - chmod 700 /etc/hirs/certificates/private - chmod -R 600 /etc/hirs/certificates/private/* -else - # if the certificate was previously generated, grab the P12 password out of the file - P12_PASSWORD=`cat $P12_DATA` -fi - -################# -# ActiveMQ -################# - -if [[ $1 = "server" ]]; then - if [ -f "/srv/activemq/current/conf/activemq.xml" ] ; then - if [[ -n `grep -o "keyStorePassword=\"\"" /srv/activemq/current/conf/activemq.xml` ]]; then - echo "Configuring ActiveMQ SSL" - - # set the key store password for the messaging service - sed -i -r "s/keyStorePassword=\"\w*\"/keyStorePassword=\"${P12_PASSWORD}\"/g" /srv/activemq/current/conf/activemq.xml - fi - fi -fi - -################# -# Tomcat -################# - -if [[ $1 = "server" ]]; then - # determine which version of tomcat is installed - rpm -q tomcat6 - if [[ $? 
-eq 0 ]]; then - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6` - else - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat` - fi - - TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1` - - if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then - CATALINA_HOME=/usr/share/tomcat6 - TOMCAT_SERVICE=tomcat6 - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf - elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then - CATALINA_HOME=/usr/share/tomcat - TOMCAT_SERVICE=tomcat - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf - else - echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}" - exit 1 - fi - - if [[ -z `grep -o "keystoreFile=\"${CA_CERT_DIR_ESCAPED}\/keyStore.jks\"" $CATALINA_HOME/conf/server.xml` ]]; then - echo "Configuring Tomcat SSL" - - chown -R root:tomcat /etc/hirs/certificates/ - - # create an alias in the keystore for tomcat - alias=$(keytool -list -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD} | grep -B2 'PrivateKeyEntry' | grep 'Alias name:') - keytool -changealias -alias ${alias#*:} -destalias tomcat -v -keystore ${KEYSTORE_JKS} -storepass ${P12_PASSWORD} - - # Set up Tomcat. We need to ensure that Tomcat is running as a service - chkconfig ${TOMCAT_SERVICE} on - - # Configure the server.xml file such that it uses our key store and trust store - if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - if [[ $(pgrep -c -f /usr/share/tomcat) -ne 0 ]]; then - echo "Tomcat is running, so we stop it." - /usr/libexec/tomcat/server stop - fi - else - service ${TOMCAT_SERVICE} stop - fi - - # Configure Tomcat SSL properly. The method for doing this changes from 6.0.38 onward. - rpmdev-vercmp 6.0.38 $TOMCAT_VERSION - VERCMP_STATUS=$? 
- if [[ $VERCMP_STATUS -eq 0 ]] || [[ $VERCMP_STATUS -eq 12 ]]; then - # Tomcat v 6.0.38 or newer - sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml - elif [[ $VERCMP_STATUS -eq 11 ]]; then - # Older than Tomcat 6.0.38 - sed -i "s/.*<\/Service>/<\/Service>/" $CATALINA_HOME/conf/server.xml - else - echo "Unknown rpmdev-vercmp exit code: ${VERCMP_STATUS}" - exit 1 - fi - - sed -i 's/.*<\/tomcat-users>/ <\/tomcat-users>/' $CATALINA_HOME/conf/tomcat-users.xml - - # ensure tomcat is using the trust store and key store for all other SSL operations. - cat << EOF >> ${TOMCAT_CONF} -#begin-hirs-conf -JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -Xmx1536m -Djavax.net.ssl.keyStore=${KEYSTORE_JKS} -Djavax.net.ssl.keyStorePassword=${P12_PASSWORD} -Djavax.net.ssl.trustStore=${TRUSTSTORE_JKS} -Djavax.net.ssl.trustStorePassword=password" -#end-hirs-conf -EOF - - # (3) set tomcat user as owner of tomcat installation - chgrp -R tomcat ${CATALINA_HOME} - - if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - (/usr/libexec/tomcat/server start) & - # Wait for Tomcat to boot completely - until [ "`curl --silent --connect-timeout 1 -I http://localhost:8080 | grep 'Coyote'`" != "" ]; do - : - done - else - service ${TOMCAT_SERVICE} start - fi - fi -fi - -################# -# Appraiser -################# - -if [[ $1 = "appraiser" ]]; then - APPRAISER_SCRIPT="/opt/hirs/appraiser/bin/HIRS_Appraiser" - - if [[ -z `grep -o "\-Djavax.net.ssl.keyStorePassword" $APPRAISER_SCRIPT` ]]; then - echo "Configuring Appraiser SSL" - - # grab the line number of the JVM options for the client script - VM_OPTS=$(awk '/DEFAULT_JVM_OPTS/{print NR; exit }' ${APPRAISER_SCRIPT}) - - # append the key store password to the client startup script - sed -i "${VM_OPTS}s/'$/ \"-Djavax.net.ssl.keyStorePassword=${P12_PASSWORD}\"\'/" ${APPRAISER_SCRIPT} - fi -fi - -################# -# MySQL/MariaDB 
-################# - -if [[ $1 = "server" ]]; then - MYSQL_CERT_DIR=/etc/hirs/certificates/mysql/ - - if ! [[ -d $MYSQL_CERT_DIR ]]; then - echo "Configuring MySQL SSL" - - # apply MySQL SSL configuration: - mkdir -p $MYSQL_CERT_DIR - - # copy CA cert over - cp $CA_CERT $MYSQL_CERT_DIR/ - - # convert p12 key to pem - openssl pkcs12 -in $INTERNAL_P12 -out $MYSQL_CERT_DIR/hirs.pem -nodes -passin pass:${P12_PASSWORD} -passout pass: - - # extract cert from pem into its own file - openssl x509 -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-cert.pem - - # extract key from pem into its own file - openssl pkey -in $MYSQL_CERT_DIR/hirs.pem -outform PEM -out $MYSQL_CERT_DIR/hirs-key.pem - - # make readable to user named 'mysql' - chgrp -R mysql $MYSQL_CERT_DIR - chmod -R 770 $MYSQL_CERT_DIR - - # update MySQL/MariaDB SSL and index configuration - if [[ -f /etc/redhat-release ]] ; then - CENTOS_VER=`/opt/hirs/scripts/common/get_centos_major_version.sh` - elif [[ -f /etc/os-release ]] ; then - AMAZON_VER=`/opt/hirs/scripts/common/get_amazon_linux_major_version.sh` - fi - if [ $CENTOS_VER -eq "6" ] ; then - MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el6 - elif [ $CENTOS_VER -eq "7" ] || [ $AMAZON_VER -eq "2" ] ; then - MYSQL_ADDITIONS_FILE=/opt/hirs/scripts/common/my.cnf.el7 - else - echo "Unsupported Linux detected" - exit 1 - fi - - sed -i "/\[mysqld\]/r $MYSQL_ADDITIONS_FILE" /etc/my.cnf - - if [ $DOCKER_CONTAINER = true ]; then - # If in Docker container, avoid services that invoke the D-Bus - if [[ $(pgrep -c -u mysql mysqld) -ne 0 ]]; then - echo "MariaDB is running, so we'll need to restart it." - mysqladmin shutdown - /usr/libexec/mariadb-prepare-db-dir - nohup /usr/bin/mysqld_safe --basedir=/usr &>/dev/null & - MYSQLD_PID=$(pgrep -u mysql mysqld) - /usr/libexec/mariadb-wait-ready $MYSQLD_PID - fi - else - SQL_SERVICE=`/opt/hirs/scripts/common/get_db_service.sh` - service $SQL_SERVICE restart - fi - fi -fi 
diff --git a/package/scripts/common/ssl_deconfigure.sh b/package/scripts/common/ssl_deconfigure.sh deleted file mode 100644 index 815ef7f3..00000000 --- a/package/scripts/common/ssl_deconfigure.sh +++ /dev/null 
@@ -1,92 +0,0 @@ -#!/usr/bin/env bash - -# certificates and key stores generated by this script -CERTIFICATES="/etc/hirs/certificates" - -################# -# Key Generation -################# - -# leave certificate directory intact on uninstall - -################# -# ActiveMQ -################# - -# no need to deconfigure, as it will be completely removed during uninstall - -################# -# Tomcat -################# - -if [[ $1 = "server" ]]; then - # determine which version of tomcat is installed - rpm -q tomcat6 - if [[ $? -eq 0 ]]; then - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat6` - else - TOMCAT_VERSION=`rpm -q --qf="%{VERSION}" tomcat` - fi - - TOMCAT_MAJOR_VERSION=`echo $TOMCAT_VERSION | head -c 1` - - if [[ $TOMCAT_MAJOR_VERSION = '6' ]]; then - CATALINA_HOME=/usr/share/tomcat6 - TOMCAT_SERVICE=tomcat6 - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat6.conf - elif [[ $TOMCAT_MAJOR_VERSION = '7' ]] ; then - CATALINA_HOME=/usr/share/tomcat - TOMCAT_SERVICE=tomcat - TOMCAT_CONF=${CATALINA_HOME}/conf/tomcat.conf - else - echo "Unsupported Tomcat version: ${TOMCAT_MAJOR_VERSION}" - exit 1 - fi - - if [[ -n `grep -o keystorePass $CATALINA_HOME/conf/server.xml` ]]; then - SERVER_CONF=${CATALINA_HOME}/conf/server.xml - TOMCAT_USERS=${CATALINA_HOME}/conf/tomcat-users.xml - - echo "Restoring $TOMCAT_CONF" - sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" "$TOMCAT_CONF" - - echo "Restoring $SERVER_CONF" - sed -i "s^^^" "$SERVER_CONF" - - echo "Restoring $TOMCAT_USERS" - sed -i "s//<\/tomcat-users>/" "$TOMCAT_USERS" - fi -fi - -################# -# Appraiser -################# - -# no need to deconfigure, as it will be completely removed during uninstall - -################# -# MySQL/MariaDB -################# - -if [[ $1 = "server" ]]; then - MYSQL_CERT_DIR=${CERTIFICATES}/mysql/ - - if [[ -d $MYSQL_CERT_DIR ]]; then - # stop the database - if [[ $(rpm -qa mariadb*) ]]; then - service mariadb stop - else - service mysqld stop - fi - - rm -rf $MYSQL_CERT_DIR - 
sed -i "/^#begin-hirs-conf/,/^#end-hirs-conf/d" /etc/my.cnf - - # start the database - if [[ $(rpm -qa mariadb*) ]]; then - service mariadb start - else - service mysqld start - fi - fi -fi \ No newline at end of file diff --git a/package/scripts/db/db_create.sh b/package/scripts/db/db_create.sh index db3c9e0e..8b5db7bb 100644 --- a/package/scripts/db/db_create.sh +++ b/package/scripts/db/db_create.sh @@ -14,7 +14,7 @@ SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) SPRING_PROP_FILE="/etc/hirs/aca/application.properties" ACA_PROP_FILE="/etc/hirs/aca/aca.properties" DB_ADMIN_PWD="" -DB_USER="hirs_db" +#DB_USER="hirs_db" # Db Configuration files DB_SRV_CONF="/etc/my.cnf.d/mariadb-server.cnf" DB_CLIENT_CONF="/etc/my.cnf.d/client.cnf" 
@@ -35,55 +35,7 @@ touch $LOG_FILE mkdir -p /etc/hirs/aca/ mkdir -p /var/log/hirs/ -check_for_container () { - # Check if we're in a Docker container - if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then - #if [ -f /.dockerenv ]; then - DOCKER_CONTAINER=true - echo "ACA is running in a container..." | tee -a "$LOG_FILE" - else - DOCKER_CONTAINER=false - echo "ACA is not running in a container..." | tee -a "$LOG_FILE" - fi - if [ -d /opt/hirs/scripts/db ]; then - MYSQL_DIR="/opt/hirs/scripts/db" - else - MYSQL_DIR="$SCRIPT_DIR/../db" - fi - echo "Mysql script directory is $MYSQL_DIR" -} - -start_mysqlsd () { - # Check if mysql is already running, if not initialize - if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then - # Check if running in a container - if [ $DOCKER_CONTAINER = true ]; then - # if in Docker container, avoid services that invoke the D-Bus - echo "ACA is running in a container..." - # Check if mariadb is setup - if [ ! -d "/var/lib/mysql/mysql/" ]; then - echo "Installing mariadb" - /usr/bin/mysql_install_db > "$LOG_FILE" - chown -R mysql:mysql /var/lib/mysql/ - fi - echo "Starting mysql...." - chown -R mysql:mysql /var/log/mariadb - /usr/bin/mysqld_safe & - else - SQL_SERVICE="mariadb" - systemctl $SQL_SERVICE enable - systemctl $SQL_SERVICE start - fi - fi # mysql not running - - # Wait for mysql to start before continuing. - echo "Checking mysqld status..."| tee -a "$LOG_FILE" - while ! mysqladmin ping -h "$localhost" --silent; do - sleep 1; - done - - echo "mysqld is running."| tee -a "$LOG_FILE" -} +source start_mysqld.sh check_mysql_root_pwd () { # Check if DB root password needs to be obtained 
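Review bot: `source start_mysqld.sh` resolves the file by name only, so bash looks it up through `$PATH` (and then the current directory) rather than next to this script; depending on how `db_create.sh` is invoked it will either fail to find the file or source a different `start_mysqld.sh` that appears earlier in `$PATH`. Use the `SCRIPT_DIR` already computed at the top of the file: `source "$SCRIPT_DIR/start_mysqld.sh"`. The sourced functions also rely on `LOG_FILE` and `SCRIPT_DIR` being set by the caller, which holds here but is worth stating in a comment next to the `source` line.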
@@ -111,17 +63,17 @@ check_mysql_root_pwd () { set_mysql_server_tls () { # Check DB server setup. If ssl params dont exist then we need to add them. - if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then + if [[ $(cat "$DB_SRV_CONF" | grep -c "ssl") < 1 ]]; then # Add TLS files to my.cnf echo "Updating $DB_SRV_CONF with ssl parameters..." | tee -a "$LOG_FILE" echo "ssl_ca=$SSL_DB_SRV_CHAIN" >> "$DB_SRV_CONF" echo "ssl_cert=$SSL_DB_SRV_CERT" >> "$DB_SRV_CONF" echo "ssl_key=$SSL_DB_SRV_KEY" >> "$DB_SRV_CONF" - # Make sure mysql can access them + # Make sure mysql can access them chown mysql $SSL_DB_SRV_CHAIN $SSL_DB_SRV_CERT $SSL_DB_SRV_KEY else echo "mysql.cnf contians existing entry for ssl, skipping..." | tee -a "$LOG_FILE" - fi + fi } set_mysql_client_tls () { diff --git a/package/scripts/db/db_create.sql b/package/scripts/db/db_create.sql index 510295bc..a803ebcb 100644 --- a/package/scripts/db/db_create.sql +++ b/package/scripts/db/db_create.sql @@ -1,2 +1,2 @@ CREATE DATABASE IF NOT EXISTS `hirs_db` CHARACTER SET = 'utf8mb4' COLLATE = 'utf8mb4_general_ci'; -GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE SSL; \ No newline at end of file +GRANT ALL ON hirs_db.* TO "hirs_db"@"localhost" IDENTIFIED BY "$HIRS_DB_PWD" REQUIRE X509; \ No newline at end of file diff --git a/package/scripts/db/start_mysqld.sh b/package/scripts/db/start_mysqld.sh new file mode 100644 index 00000000..8e0a2731 --- /dev/null +++ b/package/scripts/db/start_mysqld.sh 
@@ -0,0 +1,57 @@ +#!/bin/bash +##################################################################################### +# +# Function to check mysql and start if not running. +# Also a function for checking if running in a container +# +##################################################################################### + +check_for_container () { + # Check if we're in a Docker container + if [[ $(cat /proc/1/sched | head -n 1) == *"bash"* ]]; then + #if [ -f /.dockerenv ]; then + DOCKER_CONTAINER=true + echo "ACA is running in a container..." | tee -a "$LOG_FILE" + else + DOCKER_CONTAINER=false + echo "ACA is not running in a container..." | tee -a "$LOG_FILE" + fi + if [ -d /opt/hirs/scripts/db ]; then + MYSQL_DIR="/opt/hirs/scripts/db" + else + MYSQL_DIR="$SCRIPT_DIR/../db" + fi + echo "Mysql script directory is $MYSQL_DIR" +} + +start_mysqlsd () { + # Check if mysql is already running, if not initialize + if [[ $(pgrep -c -u mysql mysqld) -eq 0 ]]; then + # Check if running in a container + if [ $DOCKER_CONTAINER = true ]; then + # if in Docker container, avoid services that invoke the D-Bus + echo "ACA is running in a container..." + # Check if mariadb is setup + if [ ! -d "/var/lib/mysql/mysql/" ]; then + echo "Installing mariadb" + /usr/bin/mysql_install_db > "$LOG_FILE" + chown -R mysql:mysql /var/lib/mysql/ + fi + echo "Starting mysql...." + chown -R mysql:mysql /var/log/mariadb + /usr/bin/mysqld_safe & + else + SQL_SERVICE="mariadb" + systemctl $SQL_SERVICE enable + systemctl $SQL_SERVICE start + fi + fi # mysql not running + + # Wait for mysql to start before continuing. + echo "Checking mysqld status..."| tee -a "$LOG_FILE" + while ! mysqladmin ping -h "$localhost" --silent; do + sleep 1; + done + + echo "mysqld is running."| tee -a "$LOG_FILE" +} \ No newline at end of file diff --git a/package/scripts/pki/pki_chain_gen.sh b/package/scripts/pki/pki_chain_gen.sh index d83f2643..386f38be 100644 --- a/package/scripts/pki/pki_chain_gen.sh 
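Review bot: In `start_mysqlsd`, `/usr/bin/mysql_install_db > "$LOG_FILE"` truncates the install log that every surrounding `tee -a "$LOG_FILE"` appends to; it should be `/usr/bin/mysql_install_db >> "$LOG_FILE"`. The readiness loop runs `mysqladmin ping -h "$localhost"`, and `$localhost` is never assigned in this file (the other variables are uppercase, so this looks like a typo for the literal host), meaning it only works if an empty `-h` value happens to fall back to the local socket — use `mysqladmin ping -h localhost --silent`. Both functions also rely on `LOG_FILE` and `SCRIPT_DIR` from whichever script sources this file, and `start_mysqlsd` dies with a `[` syntax error if `check_for_container` was not called first because `$DOCKER_CONTAINER` is unquoted; a header comment stating that ordering and the required variables, plus `[ "$DOCKER_CONTAINER" = true ]`, would make the contract explicit.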
+++ b/package/scripts/pki/pki_chain_gen.sh @@ -29,6 +29,7 @@ SERVER_DN="/C=US/ST=MD/L=Columbia/O="$ACTOR"/CN="$ACTOR" aca" # Capture location of the script to allow from invocation from any location SCRIPT_DIR=$( dirname -- "$( readlink -f -- "$0"; )"; ) TRUSTSTORE=TrustStore.jks +TRUSTSTORE_P12=TrustStore.p12 KEYSTORE=KeyStore.jks # Parameter check @@ -216,11 +217,15 @@ create_cert_chain () { # Make JKS files for the mysql DB connector. P12 first then JKS... openssl pkcs12 -export -in $DB_CLIENT.pem -inkey $DB_CLIENT.key -aes256 \ - -passin pass:"$PASS" -aes256 -passout pass:$PASS \ + -passin pass:"$PASS"-passout pass:$PASS -aes256 \ -name "mysqlclientkey" -out $DB_CLIENT.p12 - keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype pkcs12 \ + keytool -importkeystore -srckeystore $DB_CLIENT.p12 -srcstoretype PKCS12 \ -srcstorepass $PASS -destkeystore $DB_CLIENT.jks -deststoretype JKS -deststorepass $PASS + + # Make a p12 TrustStore + keytool -importkeystore -srckeystore $TRUSTSTORE -destkeystore $TRUSTSTORE_P12 \ + -srcstoretype JKS -deststoretype PKCS12 -srcstorepass $pass -deststorepass $pass -noprompt } if [ "$ASYM_ALG" == "rsa" ]; then diff --git a/package/scripts/pki/pki_setup.sh b/package/scripts/pki/pki_setup.sh index cd094581..33b67b75 100644 --- a/package/scripts/pki/pki_setup.sh +++ b/package/scripts/pki/pki_setup.sh @@ -7,6 +7,7 @@ ############################################################################################ PROP_FILE=/etc/hirs/aca/application.properties +ACA_PROP=/etc/hirs/aca/aca.properties LOG_FILE=$1 PKI_PASS=$2 LOG_FILE_NAME="hirs_aca_install_"$(date +%Y-%m-%d).log @@ -30,7 +31,7 @@ fi # Check for sudo or root user if [ "$EUID" -ne 0 ] - then echo "The first time this script is run, this script requires root. Please run as root" | tee -a "$LOG_FILE" + then echo "This script requires root. Please run as root" | tee -a "$LOG_FILE" exit 1 fi 
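Review bot: The rewritten openssl invocation drops the space between `-passin pass:"$PASS"` and `-passout`, so openssl receives `pass:<PASS>-passout` as the input password and `pass:<PASS>` as a stray positional argument; the export password is never applied (openssl either rejects the extra argument or prompts on the terminal), and the resulting P12 cannot be opened with `$PASS` by the keytool step that follows. The new TrustStore conversion uses lowercase `$pass` for both `-srcstorepass` and `-deststorepass` while the rest of `create_cert_chain` uses `$PASS`; bash is case-sensitive, so keytool is handed empty passwords and the unquoted tokens collapse. Suggested lines: `-passin pass:"$PASS" -passout pass:"$PASS" -aes256 \` and `-srcstoretype JKS -deststoretype PKCS12 -srcstorepass "$PASS" -deststorepass "$PASS" -noprompt`. Quoting `$PASS` everywhere also keeps a password containing spaces or glob characters intact; `create_cert_chain` starts and ends outside this hunk.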
@@ -64,6 +65,7 @@ if [ ! -d "/etc/hirs/certificates" ]; then echo "server.ssl.key-alias=hirs_aca_tls_rsa_3k_sha384">> $PROP_FILE echo "server.ssl.key-store-password="$PKI_PASS >> $PROP_FILE echo "server.ssl.trust-store-password="$PKI_PASS >> $PROP_FILE + echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP else echo "/etc/hirs/certificates exists, skipping" | tee -a "$LOG_FILE" fi
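Review bot: The added `echo "hirs_pki_password="$PKI_PASS >> $ACA_PROP` writes the PKI password into a newly created file with whatever mode the root umask yields, which is typically world-readable (0644). Create the file with restrictive permissions before appending, `touch "$ACA_PROP" && chmod 600 "$ACA_PROP"`, and set its owner to the account that runs the ACA so the service can still read it (that user is not visible in this hunk). Quote the expansion as well, `echo "hirs_pki_password=$PKI_PASS" >> "$ACA_PROP"`, so a password containing spaces or glob characters is written intact. The enclosing `if [ ! -d "/etc/hirs/certificates" ]` block starts outside the hunk.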