Should work OK. You could always try it on a copy of the keystores.
I am going to try.
I think now I am looking at a chain in the keystore using these commands.
keytool -export -alias <alias> -file chain.crt -keystore <keystore>
openssl x509 -in intermediate.crt -noout -inform DER -text
So as of now I am not sure how to separately update the intermediate cert alone in the keystore. If I update it, then a new alias is created and it is not chained properly.
I don't foresee any problem with the truststore though because the alias is clear there.
As I mentioned replacing the cert in the truststore was quite straightforward.
Hopefully someone has experience with replacing it in the keystore too?
The keystore entry for a private key contains the entire chain, so you would have to build that externally somehow. I don't think it really makes sense. When the intermediate cert expires you should really generate a new CSR from your private key, get it newly signed by the CA, and import the resulting keychain you get back from the CA.
It looks like it makes sense. We have done that for IIS when we replaced just the expired intermediate.
Somehow I was hoping to avoid building the store again.
I tried to build a new key store based on an earlier thread.
1. Import the keystore from JKS to PKCS12. This includes the private key, certificate, intermediate and root.
"C:\Program Files\Java\jdk1.6.0_18\bin\keytool" -importkeystore -srckeystore store_1.jks -destkeystore mystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass test -deststorepass mysecret -srcalias test -destalias myalias -srckeypass keypass -destkeypass mykeypass -noprompt
2. Convert pkcs12 to pem using openssl
openssl pkcs12 -in mystore.p12 -out mystore.pem -passin pass:mysecret -passout pass:mysecret
3. Replace only the ASCII text of the new sub root (intermediate)
4. Build a new store like this using http://juliusdavies.ca/commons-ssl/download.html
java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder 'password' mystore.pem
and I get this error
D:\project\Visa\storebuild>java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder 'password' mystore.pem
Exception in thread "main" java.security.KeyStoreException: Can't build keystore: [Private key missing (bad password?)]
Edited by: Mohan on May 11, 2011 2:25 AM
One more update:
It looks like this not-yet-commons-ssl-0.3.11.jar could be the saviour. This procedure actually seems to work. Now the chain is rebuilt.
Every time I work with SSL I go through this painful experience.
Edited by: Mohan on May 11, 2011 3:16 AM
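The four-step rebuild from the post above, carried out with openssl alone and followed by the check the thread never runs. This is an added example, not code from the thread or from commons-ssl; it assumes openssl 1.1.1 or newer on PATH and constructs its own throwaway root, intermediate and server certificate, so it runs offline with no real keystore involved. It keeps the private key and leaf certificate from the old PKCS12 store, pairs them with the renewed intermediate, writes a new store, and then verifies that the leaf chains to the root through the stored intermediate and that the key still matches the leaf. It also shows the case the earlier reply warns about: an intermediate re-issued under a new key will not validate the existing leaf, and then a new CSR is the only fix. On the "bad password" error in step 4: the PEM that openssl pkcs12 -out writes has its private key encrypted with the -passout value, so whatever rebuilds the store must be given that same passphrase.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild a PKCS12 keystore with a
# renewed intermediate using only openssl, then verify the result.
# Assumes openssl 1.1.1+ on PATH. Converting the .p12 to JKS with
# keytool -importkeystore is not shown (Java is not assumed here).
set -eu
WORK=$(mktemp -d)
cd "$WORK"
PASS=mysecret   # constructed keystore password

# Minimal openssl config: CA extensions for the root and intermediate.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper for openssl chatter

# Sign CSR $1 with the root as a CA certificate, written to $2.
issue_intermediate() {
    q openssl x509 -req -in "$1" -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -extfile ca.cnf -extensions ca_ext -out "$2"
}

# Constructed test PKI: root -> intermediate -> server leaf.
q openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout root.key \
    -subj "/CN=Example Root" -days 3650 -out root.crt
q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout int.key \
    -subj "/CN=Example Intermediate" -out int.csr
issue_intermediate int.csr int_old.crt
q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key \
    -subj "/CN=server.example.test" -out leaf.csr
q openssl x509 -req -in leaf.csr -CA int_old.crt -CAkey int.key \
    -CAcreateserial -days 365 -out leaf.crt

# The "old" keystore as it was originally handed over: key + leaf + chain.
cat int_old.crt root.crt > chain_old.pem
q openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain_old.pem \
    -name myalias -passout pass:$PASS -out store_old.p12

# Renewed intermediate: same key as before, new certificate (the good case).
issue_intermediate int.csr int_new.crt
# Re-keyed intermediate: same name, different key (the case that breaks).
q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout int2.key \
    -subj "/CN=Example Intermediate" -out int2.csr
issue_intermediate int2.csr int_rekeyed.crt

# Steps 1-3 of the thread with openssl only: pull the private key and leaf out
# of the old store, pair them with the new intermediate, write a new store.
rebuild_store() {   # $1 = old .p12, $2 = new intermediate, $3 = new .p12
    q openssl pkcs12 -in "$1" -passin pass:$PASS -nocerts -nodes -out key.pem
    q openssl pkcs12 -in "$1" -passin pass:$PASS -clcerts -nokeys -out leaf.pem
    cat "$2" root.crt > chain_new.pem
    q openssl pkcs12 -export -inkey key.pem -in leaf.pem -certfile chain_new.pem \
        -name myalias -passout pass:$PASS -out "$3"
}

# The check to run before deploying: does the leaf in the store chain to the
# root through the intermediate stored beside it, and does the key match it?
store_ok() {   # $1 = .p12 to check; returns 0 only if both checks pass
    q openssl pkcs12 -in "$1" -passin pass:$PASS -cacerts -nokeys -out cas.pem
    q openssl pkcs12 -in "$1" -passin pass:$PASS -clcerts -nokeys -out lf.pem
    q openssl pkcs12 -in "$1" -passin pass:$PASS -nocerts -nodes -out k.pem
    q openssl verify -CAfile root.crt -untrusted cas.pem lf.pem || return 1
    [ "$(openssl x509 -in lf.pem -pubkey -noout)" = "$(openssl pkey -in k.pem -pubout)" ]
}

rebuild_store store_old.p12 int_new.crt store_new.p12
rebuild_store store_old.p12 int_rekeyed.crt store_bad.p12
if store_ok store_new.p12; then echo "renewed intermediate: chain verifies"; fi
if store_ok store_bad.p12; then echo "unexpected: rekeyed chain verified"
else echo "rekeyed intermediate: chain broken, the leaf needs a new CSR"; fi
```

With a real store, replace the constructed store_old.p12 with the output of keytool -importkeystore from step 1 and the constructed int_new.crt with the certificate the CA published; the rebuild and the store_ok check stay the same, and running store_ok on the new file is what tells you the alias is chained properly before the keystore goes back into the server.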