
I've tried searching for this and all the documentation seems to be from the perspective of creating a new keystore and/or a new alias. However, I have the keystore with the alias I want as a PrivateKeyEntry and the soon-to-expire GlobalSign code-signing certificate installed to it.

Now, I want to know the proper procedure for updating the certificate with a new one under the same alias/PrivateKeyEntry?

TIA for your help.

Regards, B.K.

B.Kaatz

2 Answers


Maybe just delete an existing alias and add a new one?

$ keytool -delete -alias mydomain -keystore keystore.jks

A few helper functions:

$ keytool -list -v -keystore keystore.jks
$ keytool -list -v -keystore keystore.jks -alias mydomain

If you ever need to export private keys, use this answer for reference: "How do I list / export private keys from a keystore?" Normal keytool commands don't export the private key part.

Whome

I think I got it!

The answer is:

  • Make a backup of the keystore file.
    ~ $ cp -a ~/.keystore.jks ~/baks/20140917.keystore.jks 
    

  • Create a new Certificate-Signing Request file from the existing alias.
    ~ $ keytool -certreq -v -alias myApp2 -file 20140917_myApp2_certreq.csr -keystore ~/.keystore.jks
    

  • Go to GlobalSign (or whoever your CA is), log into your account, and place the order for your Code Signing Certificate Renewal.
  • Either upload the CSR file you created above, or open the file and copy the contents, including the "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" lines, and paste it into the textbox field for the CSR.
  • When you get the response email, follow the link to the page for downloading your new certificate and download the new certificate to your system.
  • Check that the root and intermediate CA certificates are still the same. If they are different/updated, add the new ones to your keystore and/or to your "cacerts" keystore.
    ~ $ keytool -importcert -v -alias gssha2root_r3 -keystore ./cacerts -file ./dls/GlobalSign/20140916_GlobalsignSHA256root_cert.cer
    

  • Install the new code-signing certificate to the same alias.
    ~ $ keytool -importcert -v -trustcacerts -alias myApp2 -keystore ~/.keystore.jks -file ./dls/Globalsign/OS201400000001.cer
    

  • Seems to work as expected. I am now signing my Java applets with the new cert, and the jars are verifying with the new certificate.

    HTH.

    B.Kaatz
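
A check for the last step of the procedure above, as an added example that is not part of the original post: it compares `keytool -list -v -alias myApp2` output captured before and after the import and confirms the alias is still a PrivateKeyEntry whose leaf certificate has changed. The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a same-alias renewal from two captures of
#   keytool -list -v -alias myApp2 -keystore ~/.keystore.jks
# taken before and after the -importcert step.

# Print the value of the first "Name: value" line on stdin. In keytool's
# verbose listing the first match belongs to Certificate[1], the leaf.
field() {
    awk -v k="$1: " 'index($0, k) == 1 { print substr($0, length(k) + 1); exit }'
}

# check_renewal BEFORE_FILE AFTER_FILE
# Succeeds only if the alias still holds a private key and the leaf changed.
check_renewal() {
    type_after=$(field "Entry type" < "$2")
    serial_before=$(field "Serial number" < "$1")
    serial_after=$(field "Serial number" < "$2")
    if [ "$type_after" != "PrivateKeyEntry" ]; then
        echo "FAIL: entry type is '$type_after', so this alias cannot sign"
        return 1
    fi
    if [ -z "$serial_after" ] || [ "$serial_before" = "$serial_after" ]; then
        echo "FAIL: leaf serial unchanged, the old certificate is still in place"
        return 1
    fi
    echo "OK: chain length $(field 'Certificate chain length' < "$2")," \
         "leaf valid from $(field 'Valid from' < "$2")"
}

# Constructed sample listing (hypothetical names and serials).
sample() {  # sample ENTRY_TYPE LEAF_SERIAL VALIDITY
    printf 'Alias name: myapp2\nEntry type: %s\n' "$1"
    printf 'Certificate chain length: 2\nCertificate[1]:\n'
    printf 'Owner: CN=Example Corp\nIssuer: CN=Example Code Signing CA\n'
    printf 'Serial number: %s\nValid from: %s\n' "$2" "$3"
    printf 'Certificate[2]:\nOwner: CN=Example Code Signing CA\n'
    printf 'Serial number: 0a0b0c\n'
}

# Demo on constructed data: the renewed listing passes the check.
tmp=$(mktemp -d)
sample PrivateKeyEntry 1121aa \
    "Sat Sep 17 00:00:00 UTC 2011 until: Wed Sep 17 23:59:59 UTC 2014" > "$tmp/before.txt"
sample PrivateKeyEntry 1121bb \
    "Wed Sep 17 00:00:00 UTC 2014 until: Sun Sep 17 23:59:59 UTC 2017" > "$tmp/after.txt"
check_renewal "$tmp/before.txt" "$tmp/after.txt"
rm -rf "$tmp"
```

A `trustedCertEntry` result means the certificate was stored without a private key, which is what happens when the reply is imported under a different alias or into a keystore that does not hold the key the CSR was generated from.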