Newbie keytool command -- how to update cert already added to keystore?

Question

I have a self-signed cert for my linux email server exim. To enable my Java functions to access this email server via GlassFish, I originally issued:

# keytool -importcert -v -noprompt -alias mail.mycompany.com -file /path/to/mail.mycompany.com.der -keystore /path/to/config/cacerts.jks -storepass changeit
Certificate was added to keystore

This worked fine, until the certificate expired. I had to create a new self-signed cert, and now Java gives the error PKIX path validation failed … path does not chain with any of the trust anchors.

To attempt to fix this, I derived a new mail.mycompany.com.der file from the new exim cert (as done originally). But when I issue the above keytool command (as done originally), it gives error Certificate not imported, alias <mail.mycompany.com> already exists.

I think the problem is that I can't use that same keytool command. I need to use a different one that doesn't add the cert to the keystore, but updates the cert already there with a newer version. Anyone can point me in the right direction for that command?

As an aside, is there some automated process that I'm missing? That is, cert's expire all the time... does that mean IT admins need to always update the keystore with the new certs manually using code like this? Or, can this be automated somehow?

Answer 1

Probably the simplest way would be to have keytool delete the original cert and generate a new cert with the same information. A good way to get around this, if you have a small VM you can spare for it is to install EJBCA. It's kinda clunky, but EJBCA is a free, open source CA server written in Java. You can create your own fake CA certs, user certs, server certs, etc. that all have trust chains. Plus it's pretty good for quickly generating a new JKS file for you when you reissue a certificate after one's expired.

To delete:

keytool -delete -keystore myfile.jks -alias 'alias_from_keytool_-list'