Replacing expired certificates on SSL Server that uses JKS based keystore

Replacing an expired identity certificate in a JKS-based keystore is pretty easy, unless you have forgotten to keep a backup of your private key.

This post covers the case where there is no backup copy of the private key outside the JKS keystore and the expired (or about-to-expire) identity certificate has to be replaced.



There are two ways that I know of:
  • Portecle (easy) - a tool freely available on the internet
  • OpenSSL + keytool combination (the lengthy one)
I will discuss the second one, and will only give the commands (not each switch, as you can always refer to the relevant product docs for those).

1. Back up the JKS keystore; suppose the original is "keystore.jks".

2. JKS -> PKCS12 conversion (the PKCS12 obtained in this step is run through OpenSSL in the next step to separate the private key from the expired certificate):

         keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass weblogic1 -deststorepass weblogic1 -srcalias server_pri_pub_cert -destalias server_pri_pub_cert -srckeypass weblogic1 -destkeypass weblogic1 -noprompt



3. Extract the private key and certificates (using OpenSSL):
         openssl pkcs12 -in keystore.p12 -out keystore.pem -passin pass:weblogic1 -passout pass:weblogic1


4. Take the private key from the output of the previous step and put it in its own PEM file (say server_pri_key.pem). Use this PEM to generate a CSR if you want to!

Encrypted ---> plain (optional step, only if you want a decrypted copy of the private key):
         openssl rsa -in server_pri_key.pem -out server_pri_key_plain.pem


5. Get the newly issued certificate from the CA (this may be a single certificate or a chain, known as the reply) and put its PEM-format text in the file "reply.pem".

 
6. Package the private key and the reply into a PKCS12:
          openssl pkcs12 -export -out newkeystore.p12 -in reply.pem -inkey server_pri_key.pem -name server_pri_pub_cert


7. Delete the existing expired key pair from the original JKS keystore:
         keytool -delete -alias server_pri_pub_cert -keystore keystore.jks


8. And finally, import the p12 into the JKS:
         keytool -importkeystore -srckeystore newkeystore.p12 -destkeystore keystore.jks -srcstoretype PKCS12 -deststoretype JKS -srcstorepass weblogic1 -deststorepass weblogic1 -srcalias server_pri_pub_cert -destalias server_pri_pub_cert -srckeypass weblogic1 -destkeypass weblogic1 -noprompt
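Two things commonly go wrong between steps 5 and 6: the CA reply was issued for a CSR made from a different key than the one recovered from the keystore, or the reply itself is already expired. The script below is an added example (not part of the original post) that checks both before running step 6; it assumes openssl is on PATH and the file names used above (server_pri_key.pem, reply.pem, newkeystore.p12).

```shell
#!/bin/sh
# Added example, not from the original post: checks to run between step 5 and
# step 6, then step 6 itself. Assumes openssl is on PATH and the file names
# from the post (server_pri_key.pem, reply.pem, newkeystore.p12).
set -u

# Succeeds only when the public key inside the first certificate of $2 equals
# the public key derived from the private key in $1 ($3 = key passphrase).
# A mismatch means the CSR was made from some other key, and the final
# keytool import would produce a keystore the server cannot use.
key_matches_cert() {
    key="$1"; cert="$2"; pass="${3:-}"
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Succeeds when the first certificate in $1 stays valid for at least $2 more
# seconds (catches a reply that is itself already expired or misdated).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Runs both checks, then performs step 6 of the post. The umask is set in a
# subshell so the PKCS12 (which holds the private key) is created mode 0600
# without changing the caller's umask.
package_reply() {
    key="$1"; cert="$2"; out="$3"; alias="$4"; pass="${5:-}"
    key_matches_cert "$key" "$cert" "$pass" || { echo "private key does not match $cert" >&2; return 2; }
    cert_valid_for "$cert" 86400 || { echo "$cert expires within 24h or is already expired" >&2; return 3; }
    ( umask 077 && openssl pkcs12 -export -out "$out" -in "$cert" -inkey "$key" \
        -passin "pass:$pass" -passout "pass:$pass" -name "$alias" )
}

# Usage: sh check_and_package.sh server_pri_key.pem reply.pem newkeystore.p12 server_pri_pub_cert weblogic1
[ $# -eq 5 ] && package_reply "$@"
```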
