I have a self-signed cert for my linux email server exim. To enable my Java functions to access this email server via GlassFish, I originally issued:
# keytool -importcert -v -noprompt -alias mail.mycompany.com -file /path/to/mail.mycompany.com.der -keystore /path/to/config/cacerts.jks -storepass changeit
Certificate was added to keystore
This worked fine, until the certificate expired. I had to create a new self-signed cert, and now Java gives the error PKIX path validation failed … path does not chain with any of the trust anchors
.
To attempt to fix this, I derived a new mail.mycompany.com.der
file from the new exim cert (as done originally). But when I issue the above keytool command (as done originally), it gives error Certificate not imported, alias <mail.mycompany.com> already exists.
I think the problem is that I can't use that same keytool command. I need to use a different one that doesn't add the cert to the keystore, but updates the cert already there with a newer version. Anyone can point me in the right direction for that command?
As an aside, is there some automated process that I'm missing? That is, cert's expire all the time... does that mean IT admins need to always update the keystore with the new certs manually using code like this? Or, can this be automated somehow?
Check the contents of the trust store by entering the following in the command prompt: <JAVA_HOME>\bin\keytool -list -v -keystore truststore -storepass access . Note the alias names of the certificates you want to remove. Enter <JAVA_HOME>\bin\keytool -delete -alias <alias name> -keystore truststore.
Export the private key (with keytool & openssl or through the keystore-explorer UI, which is much simpler) Make a certificate signing request (with keytool or through the keystore-explorer UI) Sign the request with the private key (i.e. self-signed) Import the certificate in the store to replace the old (expired) one.
Probably the simplest way would be to have keytool delete the original cert and generate a new cert with the same information. A good way to get around this, if you have a small VM you can spare for it is to install EJBCA. It's kinda clunky, but EJBCA is a free, open source CA server written in Java. You can create your own fake CA certs, user certs, server certs, etc. that all have trust chains. Plus it's pretty good for quickly generating a new JKS file for you when you reissue a certificate after one's expired.
To delete:
keytool -delete -keystore myfile.jks -alias 'alias_from_keytool_-list'
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With