    Replace expired intermediate certificate (Two-way SSL)

      I have checked my keystore and truststore and the intermediate certificate alone is going to expire.

      I have received a pem and I know that I can convert it to a .DER if required using OpenSSL.

      Now I have a question.

      How do I replace only the intermediate certificate in both stores without messing them up? Should I just import it like this using the same command into both stores?

      keytool -import -trustcacerts -alias root -file <certificate> -keystore keystore.jks

      It should be possible. Right? I don't want to rebuild any of the stores.

      I believe it is common practice to just replace an expiring intermediate certificate instead of the root. The root will expire in 2025.

      Update :

      The trust store contains the intermediate certificate with a clear alias and I could access it.
      The key store seems to have the entire chain. Not sure if it is possible to update only the intermediate certificate here.
          Should work OK. You could always try it on a copy of the keystores.
            I am going to try.

            I think now I am looking at a chain in the keystore using these commands.

            keytool -export -alias <alias> -file chain.crt -keystore <keystore>
            openssl x509 -in intermediate.crt -noout -inform DER -text

            So as of now I am not sure how to separately update the intermediate cert. alone in the keystore. If I update it then a new alias is created and it is not chained properly.

            I don't foresee any problem with the truststore though because the alias is clear there.
              As I mentioned replacing the cert in the truststore was quite straightforward.

              Hopefully someone has experience with replacing it in the keystore too?
                The keystore entry for a private key contains the entire chain, so you would have to build that externally somehow. I don't think it really makes sense. When the intermediate cert expires you should really generate a new CSR from your private key, get it newly signed by the CA, and import the resulting keychain you get back from the CA.
                  It looks like it makes sense. We have done that for IIS when we replaced just the expired intermediate.

                  Somehow I was hoping to avoid building the store again.

                  Update :

                  I tried to build a new key store based on an earlier thread.

                  1. Import the keystore from JKS to PKCS12. This includes the private key, certificate, intermediate and root.

                  "C:\Program Files\Java\jdk1.6.0_18\bin\keytool" -importkeystore -srckeystore store_1.jks -destkeystore mystore.p12 -srcstoretype JKS -deststoretype PKCS12 -srcstorepass test -deststorepass mysecret -srcalias test -destalias myalias -srckeypass keypass -destkeypass mykeypass -noprompt

                  2. Convert pkcs12 to pem using openssl

                  openssl pkcs12 -in mystore.p12 -out mystore.pem -passin pass:mysecret -passout pass:mysecret

                  3. Replace only the ASCII text of the new sub root (intermediate)

                  4. Build a new store like this using http://juliusdavies.ca/commons-ssl/download.html

                  java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder 'password' mystore.pem

                  and I get this error

                  D:\project\Visa\storebuild>java -cp not-yet-commons-ssl-0.3.11.jar org.apache.commons.ssl.KeyStoreBuilder 'password' mystore.pem
                  Exception in thread "main" java.security.KeyStoreException: Can't build keystore: [Private key missing (bad password?)]
                  at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:158)
                  at org.apache.commons.ssl.KeyStoreBuilder.build(KeyStoreBuilder.java:97)
                  at org.apache.commons.ssl.KeyStoreBuilder.main(KeyStoreBuilder.java:566)

                  One more update :

                  It looks like this not-yet-commons-ssl-0.3.11.jar could be the saviour. This procedure actually seems to work. Now the chain is rebuilt.

                  Every time I work with SSL I go through this painful experience.
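
An added example, not part of the thread and not code from any poster: the chain stored with a private-key entry can be rewritten through the standard `java.security.KeyStore` API, replacing the certificate whose subject matches the new intermediate and refusing to save unless every signature in the chain still verifies. The class name, argument order and file names are assumptions made for illustration; the signature check passes only when the renewed intermediate carries the same key pair as the one it replaces, otherwise the leaf has to be reissued as suggested above.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper (Java 7+). All argument values are placeholders:
//   java ReplaceIntermediate <in.jks> <storepass> <alias> <keypass> <new-intermediate.pem|.der> <out.jks>
public class ReplaceIntermediate {
    public static void main(String[] a) throws Exception {
        char[] storePass = a[1].toCharArray(), keyPass = a[3].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(a[0])) { ks.load(in, storePass); }

        Key key = ks.getKey(a[2], keyPass);                 // throws on a wrong key password
        Certificate[] chain = ks.getCertificateChain(a[2]); // leaf first, then issuers
        if (key == null || chain == null)
            throw new KeyStoreException("No private-key entry under alias " + a[2]);

        X509Certificate fresh;
        try (InputStream in = new FileInputStream(a[4])) {  // accepts PEM or DER
            fresh = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        fresh.checkValidity(); // reject a replacement that is expired or not yet valid

        // Find the issuer position (never the leaf at index 0) with the same subject.
        int pos = -1;
        for (int i = 1; i < chain.length; i++)
            if (((X509Certificate) chain[i]).getSubjectX500Principal()
                    .equals(fresh.getSubjectX500Principal())) pos = i;
        if (pos < 0)
            throw new CertificateException("No chain certificate with subject "
                    + fresh.getSubjectX500Principal());
        chain[pos] = fresh;

        // Each certificate must be signed by the next one up; verify() throws if not,
        // so a re-keyed intermediate is caught before anything is written.
        for (int i = 0; i < chain.length - 1; i++)
            chain[i].verify(chain[i + 1].getPublicKey());

        ks.setKeyEntry(a[2], key, keyPass, chain); // same alias and key, new chain
        try (OutputStream out = new FileOutputStream(a[5])) { ks.store(out, storePass); }
        System.out.println("Chain for '" + a[2] + "' written to " + a[5]);
    }
}
```

The result goes to a separate output file, so the original keystore stays untouched until the new one has been checked with `keytool -list -v`.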

