
java keytool can export CSR but no import

I read

http://download.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html

It says that we can export a CSR file, but no import feature.

I understand that when we create a CSR file, we pass it to the CA, the CA generates the certs to match our CSR and then we import it back again.

Because the CSR is from the keystore, the certs will match the keystore. No problems with imports.

However, what about this?

  1. create a keystore
  2. create a CSR based on the keystore
  3. send CSR to CA
  4. got certs from CA
  5. somehow lost the key store
  6. generate a new key store
  7. import the certs
  8. fail to import because this keystore has a different CSR
  9. try to figure out how to create a keystore based on the old CSR file that matches the certs from the CA
  10. stumped
Titi Wangsa Bin Damhore asked Mar 16 '11 08:03


1 Answer

I have been in the same situation.

If you have lost your key store, this means you have also lost the private key. Of course this private key is not in the CSR in plain text (It is sent to the CA after all!). There is no way of restoring it when the only thing you have is the CSR.

The CSR is generated for one specific private key. In case of a loss the only thing you can do is create a new CSR (with the new key store and new private key - don't lose it this time...) and pay another 200 or so bucks for a CA to sign it. :/

Yeah, my boss was not happy with me. :) You should really make a backup of the key store in some safe place.

fgysin answered Nov 12 '22 22:11
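The binding the answer describes (a CSR and the certificate issued from it carry one public key, which belongs to exactly one private key) can be checked before attempting an import. This is an added example, not part of the original answer: it uses openssl rather than keytool, a self-signed certificate stands in for the CA's reply, and the file names and CN are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. openssl stands in for keytool;
# the file names and the CN are constructed for this demo.

# Print the SHA-256 of the public key carried by a CSR (req), a certificate
# (x509) or a private key (pkey). Fails if the file cannot be parsed.
spki_hash() {  # usage: spki_hash KIND FILE
  local pem
  case "$1" in
    req)  pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    x509) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
    pkey) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null)        || return 1 ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeed only if both inputs carry the same public key.
same_key() {  # usage: same_key KIND_A FILE_A KIND_B FILE_B
  local a b
  a=$(spki_hash "$1" "$2") || return 2
  b=$(spki_hash "$3" "$4") || return 2
  [ "$a" = "$b" ]
}

# Recreate the question's steps inside directory $1.
make_fixture() {
  local d=$1
  # Steps 1-2: the original key pair and the CSR derived from it.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/old.key" 2>/dev/null || return 1
  openssl req -new -key "$d/old.key" -subj "/CN=example.test" -out "$d/site.csr" 2>/dev/null || return 1
  # Steps 3-4: the CA's reply (self-signed here as a stand-in for the CA).
  openssl x509 -req -in "$d/site.csr" -signkey "$d/old.key" -days 1 -out "$d/site.crt" 2>/dev/null || return 1
  # Steps 5-6: the old key is lost and a fresh key pair is generated.
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/new.key" 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d) && make_fixture "$d"
  same_key req  "$d/site.csr" x509 "$d/site.crt" && echo "CSR and certificate: same public key"
  same_key x509 "$d/site.crt" pkey "$d/old.key"  && echo "certificate matches the original key"
  same_key x509 "$d/site.crt" pkey "$d/new.key"  || echo "certificate does NOT match the new key"
  rm -rf "$d"
fi
```

To compare against a key held in a Java keystore, export its certificate as PEM with `keytool -exportcert -rfc` and pass that file as the `x509` input.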