How to remove just one certificate from a certificate chain in a Java keystore

I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently okay by the TLS spec, some validation services warn about it, and it's probably better to leave it off.

How can I edit the keystore to remove just the self-signed root CA certificate, but leave the rest of the chain and the private key intact?

Robert Tupelo-Schneck asked Jul 15 '15 21:07



2 Answers

keytool -delete -alias <alias> -keystore lib/security/cacerts -storepass changeit

BruceWayne answered Sep 23 '22 09:09


First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):

keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12

Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").

Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.

openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12

Finally, convert back from PKCS12 to JKS:

keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12

The file new.jks is what you want.

Robert Tupelo-Schneck answered Sep 23 '22 09:09
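The round trip in the answer above, with the "open pemfile.pem in a text editor" step automated, as an added example that is not part of the answer or of the keytool/openssl projects. It relies on the layout `openssl pkcs12 -nodes` prints: each bag starts with a `Bag Attributes` line and each certificate is preceded by `subject=` and `issuer=` lines, so a certificate whose subject line equals its issuer line is the self-signed root and can be dropped while the private key (which has no subject/issuer lines) and the rest of the chain pass through untouched. The `SAMPLE_PEM` bundle is constructed for this example with dummy base64 bodies, not real key or certificate material; the alias `tomcat` is taken from the answer; `drop_root_from_jks` assumes keytool and openssl are on PATH and prompts for passwords exactly as the original commands do.

```shell
# Constructed sample in the layout `openssl pkcs12 -in old.p12 -nodes` produces
# (key first, then leaf, intermediate, root). The base64 bodies are dummies,
# not real key or certificate material.
SAMPLE_PEM='Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65 20 31 34 33 37 30 30 30 30 30 30 30 30 30
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvDummyPrivateKeyBodyNotRealBase64Data0000000000000000000000000=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: tomcat
    localKeyID: 54 69 6D 65 20 31 34 33 37 30 30 30 30 30 30 30 30 30
subject=CN = www.example.com, O = Example Corp
issuer=CN = Example Intermediate CA, O = Example Trust
-----BEGIN CERTIFICATE-----
MIIDdDummyLeafCertificateBodyNotRealBase64Data00000000000000000000=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Intermediate CA, O = Example Trust
issuer=CN = Example Root CA, O = Example Trust
-----BEGIN CERTIFICATE-----
MIIDdDummyIntermediateCertBodyNotRealBase64Data0000000000000000000=
-----END CERTIFICATE-----
Bag Attributes: <No Attributes>
subject=CN = Example Root CA, O = Example Trust
issuer=CN = Example Root CA, O = Example Trust
-----BEGIN CERTIFICATE-----
MIIDdDummyRootCertificateBodyNotRealBase64Data00000000000000000000=
-----END CERTIFICATE-----
'

# strip_self_signed: read an `openssl pkcs12 -nodes` PEM bundle on stdin and
# write it to stdout minus every block whose subject line equals its issuer
# line (the self-signed root). The key block has no subject/issuer lines and
# is always kept; every other certificate is copied byte-for-byte.
strip_self_signed() {
  awk '
    function flush() {
      # emit the buffered bag unless it is a self-signed certificate
      if (buf != "" && !(subj != "" && subj == iss)) printf "%s", buf
      buf = ""; subj = ""; iss = ""
    }
    /^Bag Attributes/ { flush() }          # a new bag starts: decide on the previous one
    { buf = buf $0 "\n" }
    /^subject=/ { subj = substr($0, 9) }   # text after "subject="
    /^issuer=/  { iss  = substr($0, 8) }   # text after "issuer="
    END { flush() }
  '
}

# cert_count: number of certificate blocks in the PEM stream on stdin.
cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# drop_root_from_jks OLD.jks NEW.jks [ALIAS]: the answer's round trip with the
# manual edit replaced by strip_self_signed. Runs in a subshell so the umask
# change stays local; the unencrypted key written by -nodes lives only in a
# mode-0700 temp dir that is removed before the function returns.
drop_root_from_jks() (
  old=$1; new=$2; alias=${3:-tomcat}
  umask 077
  tmp=$(mktemp -d) || exit 1
  keytool -importkeystore -srckeystore "$old" -destkeystore "$tmp/old.p12" -deststoretype pkcs12 \
    && openssl pkcs12 -in "$tmp/old.p12" -nodes | strip_self_signed > "$tmp/trimmed.pem" \
    && [ -s "$tmp/trimmed.pem" ] \
    && openssl pkcs12 -export -in "$tmp/trimmed.pem" -name "$alias" -out "$tmp/new.p12" \
    && keytool -importkeystore -srckeystore "$tmp/new.p12" -srcstoretype pkcs12 -destkeystore "$new"
  rc=$?
  rm -rf "$tmp"
  exit $rc
)
```

Usage: `drop_root_from_jks old.jks new.jks tomcat`, then confirm the result with `keytool -list -v -keystore new.jks -alias tomcat`, whose `Certificate chain length:` should be one less than for old.jks. The subject/issuer comparison is a text heuristic on openssl's own output, so any certificate that is its own issuer is removed; if the bundle is not what you expect, run `strip_self_signed` on the exported PEM by itself and inspect the output before re-importing. On OpenSSL 3 `-nodes` is a deprecated alias for `-noenc`; both write the private key unencrypted, which is why the temp dir is private and deleted.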