Excuse me, how do I replace an expired intermediate CA certificate in a keystore file?

Time:10-22



I have a keystore file running on the server to support Tomcat TLS/HTTPS services for a Java web app. The keystore file contains three certificates:
End-entity certificate (tomcat)
Intermediate CA certificate (my_ssl_ca_v2_b)
Root CA certificate (my_root_ca)

This is the keystore listing:

C:\Program Files\Java\jre1.8.0_144\bin>keytool.exe -list -keystore C:\mycert\my.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

tomcat, Oct 10, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:15:E8:D0:46:A8:8D:1F:93:break D:54:35:beside the daughter 1:ED:49:44:65
my_ssl_ca_v2_b, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:C3:60:CB:C6:91:0A:90:E4:0 g:91:BE:3B:A6:D7:5B:C3:7B:8A:0F
my_root_ca, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 6C:whom 9:FA:A8:E5:7D:E1:45:BE:75-84:15:E8:D8:yet 3:59:FD:19


It worked very well.
But a few days ago, the intermediate CA certificate file (my_ssl_ca_v2_b) expired, and I then got the new, updated intermediate CA certificate.

The question now is:
How do I replace the expired intermediate CA certificate in the keystore file with the new certificate?

I know I can use the keytool -delete and -import options to delete and import the CA my_ssl_ca_v2_b.

But how do I replace the intermediate CA certificate (Certificate[2]) in the keystore file's PrivateKeyEntry (alias tomcat)? As shown below:

Alias name: tomcat
Creation date: Oct 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
.
.
Certificate[2]:
Owner: CN=My SSL CA v2 - A, O=eBay Inc, C=US
Issuer: CN=My Root CA, O=eBay Inc, C=US
Serial number: 6800000004b4491dd58df45b9b000000000004
Valid from: Wed Oct 14 18:35:33 UTC 2015 until: Wed Oct 14 18:45:33 UTC 2020
.
.
Certificate[3]:
Owner: CN=My Root CA, O=eBay Inc, C=US
Issuer: CN=My Root CA, O=eBay Inc, C=US
Serial number: 4500888247008e884cd02d71a035810e
.


It seems I can't use the keytool -delete and -import options to delete and import the alias tomcat, because doing so turns the alias tomcat into a trustedCertEntry instead of the original PrivateKeyEntry.

Please advise on the specific steps to replace the intermediate CA certificate in the keystore. Thank you very much!

CodePudding user response:

Take a look at this?
https://www.cnblogs.com/Security-Darren/p/4079605.html

CodePudding user response:

This article has little to do with my question, thank you!

CodePudding user response:

You can try converting the updated CA certificate to certificate format to check the contents of Certificate[2], and then directly overwrite the Certificate[2] content in the original keystore file with it.
Alternatively, you can try reading in the CA certificate yourself in the program.
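
One way to swap Certificate[2] inside the PrivateKeyEntry with the standard java.security.KeyStore API, given as an added example that is not part of the original thread. The class name and command-line arguments are hypothetical, and it assumes the key and the keystore share one password and that the renewed intermediate keeps the same key pair and is signed by the root already in the chain:

```java
import java.io.*;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper (not from the thread).
// Usage: java ReplaceIntermediate <keystore-in> <keystore-out> <password> <new-ca-cert>
public class ReplaceIntermediate {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: <keystore-in> <keystore-out> <password> <new-ca-cert>");
            System.exit(2);
        }
        char[] pass = args[2].toCharArray(); // assumption: store and key share one password
        String keyAlias = "tomcat", caAlias = "my_ssl_ca_v2_b"; // aliases from the listing

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass);
        }
        X509Certificate newCa;
        try (InputStream in = new FileInputStream(args[3])) { // PEM or DER file
            newCa = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        newCa.checkValidity(); // throws if the replacement itself is expired

        Key key = ks.getKey(keyAlias, pass);
        Certificate[] chain = ks.getCertificateChain(keyAlias);
        if (key == null || chain == null || chain.length != 3) {
            throw new IllegalStateException("expected a key entry with a 3-certificate chain");
        }
        // Accept the new intermediate only if it fits the existing chain.
        // verify() throws on mismatch, e.g. when the CA was re-keyed and the
        // end-entity certificate must be reissued instead.
        chain[0].verify(newCa.getPublicKey());  // end-entity cert signed by the intermediate key
        newCa.verify(chain[2].getPublicKey());  // intermediate signed by the existing root

        chain[1] = newCa;                            // Certificate[2] in keytool's 1-based output
        ks.setKeyEntry(keyAlias, key, pass, chain);  // entry stays a PrivateKeyEntry
        ks.setCertificateEntry(caAlias, newCa);      // refresh the trustedCertEntry as well

        try (OutputStream out = new FileOutputStream(args[1])) { // original file is left intact
            ks.store(out, pass);
        }
    }
}
```

Running keytool -list -v against the output file should then show the new validity dates under Certificate[2] of the tomcat entry.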