5 Replies Latest reply: May 11, 2011 5:18 AM by mohanr

    Replace expired intermediate certificate (Two-way SSL)

      I have checked my keystore and truststore and the intermediate certificate alone is going to expire.

      I have received a pem and I know that I can convert it to a .DER if required using OpenSSL.

      Now I have a question.

      How do I replace only the intermediate certificate in both stores without messing them up? Should I just import it like this using the same command into both stores?

      keytool -import -trustcacerts -alias root -file <certificate> -keystore keystore.jks

      It should be possible. Right? I don't want to rebuild any of the stores.

      I believe it is common practice to just replace an expiring intermediate certificate instead of the root. The root will expire in 2025.

      Update :

      The trust store contains the intermediate certificate with a clear alias and I could access it.
      The key store seems to have the entire chain. Not sure if it is possible to update only the intermediate certificate here.
        • 1. Re: Replace expired intermediate certificate (Two-way SSL)
          Should work OK. You could always try it on a copy of the keystores.
          • 2. Re: Replace expired intermediate certificate (Two-way SSL)
            I am going to try.

            I think now I am looking at a chain in the keystore using these commands.

            keytool -export -alias <alias> -file chain.crt -keystore <keystore>
            openssl x509 -in intermediate.crt -noout -inform DER -text

            So as of now I am not sure how to separately update the intermediate cert. alone in the keystore. If I update it then a new alias is created and it is not chained properly.

            I don't foresee any problem with the truststore though because the alias is clear there.
            • 3. Re: Replace expired intermediate certificate (Two-way SSL)
              As I mentioned, replacing the cert in the truststore was quite straightforward.

              Hopefully someone has experience with replacing it in the keystore too?
              • 4. Re: Replace expired intermediate certificate (Two-way SSL)
                The keystore entry for a private key contains the entire chain, so you would have to build that externally somehow. I don't think it really makes sense. When the intermediate cert expires you should really generate a new CSR from your private key, get it newly signed by the CA, and import the resulting keychain you get back from the CA.
                • 5. Re: Replace expired intermediate certificate (Two-way SSL)
                  It looks like it makes sense. We have done that for IIS when we replaced just the expired intermediate.

                  Somehow I was hoping to avoid building the store again.

                  Update :

                  I tried to build a new key store based on an earlier thread.

                  1. Import the keystore from JKS to PKCS12. This includes the private key, certificate, intermediate and root.

                  "C:\Program Files\Java\jdk1.6.0_18\bin\keytool" -importkeystore -srckeystore store_1.jks -destkeystore mystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass test -deststorepass mysecret -srcalias test -destalias myalias -srckeypass keypass -destkeypass mykeypass -noprompt

                  2. Convert pkcs12 to pem using openssl

                  openssl pkcs12 -in mystore.p12 -out mystore.pem -passin pass:mysecret -passout pass:mysecret

                  3. Replace only the ASCII text of the new sub root (intermediate)

                  4. Build a new store like this using http://juliusdavies.ca/commons-ssl/download.html

                  java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder 'password' mystore.pem

                  and I get this error

                  D:\project\Visa\storebuild>java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder 'password' mystore.pem
                  Exception in thread "main" java.security.KeyStoreException: Can't build keystore: [Private key missing (bad password?)]
                  at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:158)
                  at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:97)
                  at org.apache.commons.ssl.KeyStoreBuilder.main(KeyStoreBuilder.java:566)

                  Edited by: Mohan on May 11, 2011 2:25 AM

                  One more update :

                  It looks like this not-yet-commons-ssl-0.3.11.jar could be the saviour. This procedure actually seems to work. Now the chain is rebuilt.

                  Every time I work with SSL I go through this painful experience.

                  Edited by: Mohan on May 11, 2011 3:16 AM
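Reply 4 says the private-key entry carries the whole chain and that it has to be rebuilt "externally somehow"; reply 5 does that by round-tripping through PKCS12, PEM and a third-party jar. The same rebuild can be done directly with the java.security.KeyStore API, as in this added example (not code from the thread or from any of the tools it mentions). File names, alias and passwords are placeholders; the link check at the end only passes if the renewed intermediate was issued for the same CA key pair as the old one, otherwise the leaf must be reissued from a new CSR as reply 4 advises.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/** Hypothetical helper: swap the intermediate in a JKS private-key entry's chain in place. */
public class ReplaceIntermediate {
    public static void main(String[] args) throws Exception {
        // Placeholder paths, alias and passwords; adjust to your environment.
        String storePath = "keystore.jks", alias = "myalias", newIntermediatePem = "new-intermediate.pem";
        char[] storePass = "changeit".toCharArray(), keyPass = "changeit".toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(storePath)) { ks.load(in, storePass); }

        X509Certificate newIntermediate;
        try (FileInputStream in = new FileInputStream(newIntermediatePem)) {
            newIntermediate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        Key key = ks.getKey(alias, keyPass);
        Certificate[] oldChain = ks.getCertificateChain(alias); // [leaf, intermediate, root]
        Certificate[] newChain = rebuildChain(oldChain, newIntermediate);

        // setKeyEntry overwrites the existing entry: same alias, same private key, new chain.
        ks.setKeyEntry(alias, key, keyPass, newChain);
        try (FileOutputStream out = new FileOutputStream(storePath)) { ks.store(out, storePass); }
    }

    /** Replace the chain element whose subject matches the renewed intermediate, then verify every link. */
    static Certificate[] rebuildChain(Certificate[] chain, X509Certificate replacement) throws Exception {
        Certificate[] result = chain.clone();
        boolean replaced = false;
        for (int i = 0; i < result.length; i++) {
            X509Certificate c = (X509Certificate) result[i];
            if (c.getSubjectX500Principal().equals(replacement.getSubjectX500Principal())) {
                result[i] = replacement;
                replaced = true;
            }
        }
        if (!replaced) throw new IllegalStateException("no chain element matches the replacement subject");
        // Defensive check: each certificate is in its validity window and is signed by the next one
        // (the root, being last, verifies against itself). A re-keyed intermediate fails here.
        for (int i = 0; i < result.length; i++) {
            X509Certificate c = (X509Certificate) result[i];
            c.checkValidity();
            c.verify(((X509Certificate) result[Math.min(i + 1, result.length - 1)]).getPublicKey());
        }
        return result;
    }
}
```

Run it against a copy of the keystore first, as reply 1 suggests, and confirm with keytool -list -v that the entry still shows the full chain under the original alias.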