Newbie keytool command -- how to update cert already added to keystore?

Tags:

java

keytool

I have a self-signed cert for my linux email server exim. To enable my Java functions to access this email server via GlassFish, I originally issued:

# keytool -importcert -v -noprompt -alias mail.mycompany.com -file /path/to/mail.mycompany.com.der -keystore /path/to/config/cacerts.jks -storepass changeit
Certificate was added to keystore

This worked fine, until the certificate expired. I had to create a new self-signed cert, and now Java gives the error PKIX path validation failed … path does not chain with any of the trust anchors.

To attempt to fix this, I derived a new mail.mycompany.com.der file from the new exim cert (as done originally). But when I issue the above keytool command (as done originally), it gives error Certificate not imported, alias <mail.mycompany.com> already exists.

I think the problem is that I can't use that same keytool command. I need to use a different one that doesn't add the cert to the keystore, but updates the cert already there with a newer version. Can anyone point me in the right direction for that command?

As an aside, is there some automated process that I'm missing? That is, certs expire all the time... does that mean IT admins need to always update the keystore with the new certs manually using code like this? Or can this be automated somehow?

Asked by ggkmath, Dec 13 '13 17:12



1 Answer

Probably the simplest way would be to have keytool delete the original cert and generate a new cert with the same information. A good way to get around this, if you have a small VM you can spare for it, is to install EJBCA. It's kinda clunky, but EJBCA is a free, open source CA server written in Java. You can create your own fake CA certs, user certs, server certs, etc. that all have trust chains. Plus it's pretty good for quickly generating a new JKS file for you when you reissue a certificate after one's expired.

To delete:

keytool -delete -keystore myfile.jks -alias 'alias_from_keytool_-list'

Answered by Mike Thomsen, Sep 24 '22 01:09
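The procedure the answer describes is the only one keytool offers: -importcert never overwrites an existing alias, so the refresh is always "keytool -delete -alias mail.mycompany.com -keystore /path/to/config/cacerts.jks -storepass changeit" followed by the original -importcert command with the new .der file. The same two steps can be done in-process with the java.security.KeyStore API, which also answers the automation aside: a small program like the one below can be run from cron or from whatever hook regenerates the exim certificate. The following is an added example, not code from the original post or from GlassFish; the class name RefreshTrustedCert, the command-line arguments and the .tmp sibling file are my own choices, and the truststore is assumed to be a JKS file as in the question.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * Replaces (or adds) a trusted certificate entry in a JKS truststore under a
 * fixed alias: the programmatic equivalent of
 *   keytool -delete -alias ALIAS ...  &&  keytool -importcert -alias ALIAS ...
 * (Hypothetical example class, not part of GlassFish or the JDK tooling.)
 */
public class RefreshTrustedCert {

    /** Reads one X.509 certificate (DER or PEM) from disk. */
    static X509Certificate loadCert(Path file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * Installs certFile under alias, removing any entry already there.
     * Returns true if the store was rewritten, false if the identical
     * certificate was already trusted (so nothing needed to change).
     */
    static boolean refresh(Path storePath, char[] storePass, String alias, Path certFile)
            throws Exception {
        X509Certificate fresh = loadCert(certFile);
        // Refuse to install a certificate that is already expired or not yet valid;
        // throws CertificateExpiredException / CertificateNotYetValidException.
        fresh.checkValidity();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(storePath)) {
            ks.load(in, storePass);
        }

        if (ks.containsAlias(alias)) {
            Certificate old = ks.getCertificate(alias);
            if (old != null && old.equals(fresh)) {   // equals() compares the encoded bytes
                return false;
            }
            // The alias must be deleted before it can be reused; setCertificateEntry
            // will not overwrite an existing entry any more than keytool does.
            ks.deleteEntry(alias);
        }
        ks.setCertificateEntry(alias, fresh);

        // Write to a sibling temp file and rename, so an interrupted write cannot
        // leave GlassFish with a truncated truststore.
        Path tmp = storePath.resolveSibling(storePath.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, storePass);
        }
        Files.move(tmp, storePath,
                StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.ATOMIC_MOVE);
        return true;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: RefreshTrustedCert <truststore.jks> <storepass> <alias> <cert.der>");
            System.exit(2);
        }
        Path store = Paths.get(args[0]);
        Path cert = Paths.get(args[3]);
        boolean changed = refresh(store, args[1].toCharArray(), args[2], cert);
        System.out.println((changed ? "replaced entry " : "entry already current: ") + args[2]
                + ", valid until " + loadCert(cert).getNotAfter());
    }
}
```

Two caveats for running this unattended. Feed it the certificate file copied from the mail server's own filesystem (or handed over by the renewal job), not one fetched over TLS from the server you are about to trust, otherwise an attacker who can intercept that fetch gets their certificate installed into the truststore. And GlassFish reads cacerts.jks at startup, so the replaced entry only takes effect after a restart of the domain; the approach the answer suggests, trusting a private CA certificate instead of each server leaf, avoids touching the truststore on every renewal in the first place.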