Nearly two months ago I published my OpenSSL scribblings post. This one is the spiritual successor, addressing Java Keystore handling this time. There are already a lot of good web sites on how to handle the keytool, so I will limit myself to the issues I encounter from time to time which are more difficult to figure out. Similar to the last post I will use COMODO as CA and ssl.example.org as domain.
Adding a new certificate to a keystore
The full certificate chain
The certificate itself
The certificate private key
First concatenate the certificate chain if it is not already in one file. A Comodo speciality is the occasional inclusion of Windows line breaks, so we use sed to substitute every occurrence of these in the output. Additionally we ensure that the certificate starts on a new line:
sed -e 's/\r$/\n/g' root-ca.pem intermediate-ca.pem > cabundle.pem
Afterwards create a P12 keystore containing the private key, the cert and the certificate chain:
To my knowledge there’s no proper way to add a renewed (same private key, different cert) certificate. Therefore the process of adding a renewed certificate consists of:
Exporting the private key from the keystore (see “Exporting a Private Key from Keystore to PEM”)
Deleting the old key pair from the keystore (keytool -delete -alias ssl.example.org -keystore ssl.example.org.jks)
Adding the new key pair together with the certificate chain (see “Adding a new certificate to a keystore” above)
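The three renewal steps as one script, added here as an example and not taken from the original post. It assumes the key password equals the store password, that keytool and openssl are on PATH, and that the renewed certificate file name (ssl.example.org.crt) is a placeholder for your own; the match check and the backup copy are extra safeguards so the old entry is only deleted once the new certificate is known to belong to the key.

```shell
#!/bin/sh
# Added example, not from the original post. Replaces a renewed certificate
# (same private key, new cert) in a JKS keystore using keytool and openssl.
# Assumptions: key password == store password; keytool and openssl on PATH.
set -e
umask 077   # key material written below must not be readable by others

# Step 1: keytool cannot print a private key, so copy the entry into a
# temporary PKCS12 file and let openssl extract the key as unencrypted PEM.
export_key_pem() { # KEYSTORE ALIAS STOREPASS OUT_PEM
    keytool -importkeystore -srckeystore "$1" -srcalias "$2" -srcstorepass "$3" \
        -destkeystore "$4.p12" -deststoretype PKCS12 -deststorepass "$3" \
        -destkeypass "$3" -noprompt
    openssl pkcs12 -in "$4.p12" -passin "pass:$3" -nocerts -nodes -out "$4"
    rm -f "$4.p12"
}

# Guard: refuse to touch the store unless the new cert carries the public key
# that belongs to the exported private key (a renewal must keep the key).
key_matches_cert() { # KEY_PEM CERT_PEM
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Steps 2 and 3: delete the old key pair, then import key + new cert + chain
# under the same alias, after keeping a backup of the untouched keystore.
renew_keystore_cert() { # KEYSTORE ALIAS STOREPASS NEW_CERT_PEM CHAIN_PEM
    key="$2.key.pem"
    export_key_pem "$1" "$2" "$3" "$key"
    if ! key_matches_cert "$key" "$4"; then
        rm -f "$key"; echo "$4 does not match the key of alias $2" >&2; return 1
    fi
    cp "$1" "$1.bak"
    openssl pkcs12 -export -inkey "$key" -in "$4" -certfile "$5" -name "$2" \
        -out "$2.new.p12" -passout "pass:$3"
    keytool -delete -alias "$2" -keystore "$1" -storepass "$3"
    keytool -importkeystore -srckeystore "$2.new.p12" -srcstoretype PKCS12 \
        -srcstorepass "$3" -srcalias "$2" -destkeystore "$1" -deststorepass "$3" \
        -destkeypass "$3" -destalias "$2" -noprompt
    rm -f "$key" "$2.new.p12"   # do not leave the plaintext key on disk
}

# Example invocation with the post's names (the renewed cert file name is assumed):
# renew_keystore_cert ssl.example.org.jks ssl.example.org changeit ssl.example.org.crt cabundle.pem
```

PKCS12 files written by older JDKs are protected with RC2-40, which OpenSSL 3 only reads when `openssl pkcs12` is given `-legacy`.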
In the end, I can recommend using KeyStore Explorer for quick changes. The application visualizes keystores very well and has been in constant development (as of August 2017). It is a nice GUI tool for most keystore-related tasks.