
How can I replace the expired intermediate CA certificate in a keystore file?


Hi, I have a keystore file running on a server to support Tomcat TLS/HTTPS services. In this keystore file, there are 3 certificates -

  1. end certificate (tomcat)
  2. intermediate CA Certificate (my_ssl_ca_v2_b)
  3. Root CA Certificate (my_root_ca)

Here is the cert list.

C:\Program Files\Java\jre1.8.0_144\bin>keytool.exe -list  -keystore C:\mycert\my.keystore
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
tomcat, Oct 10, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:15:E8:D0:46:A8:8D:1F:93:52:9D:54:35:48:69:71:ED:49:44:65
my_ssl_ca_v2_b, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 0C:C3:60:CB:C6:91:0A:90:E4:0G:91:BE:3B:A6:D7:5B:C3:7B:8A:0F
my_root_ca, Oct 10, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 6C:23:89:FA:A8:E5:7D:E1:45:BE:75:84:15:E8:D8:41:73:59:FD:19

It was working fine.

A couple of days ago, the intermediate CA Certificate in the file expired. I got the new updated intermediate CA Certificate later.

Now, the question is - how can I replace the expired intermediate CA Certificate in the keystore file with the new one?

I understand I can use keytool -delete and -import option to delete and re-import the intermediate CA my_ssl_ca_v2_b.

However, how can I replace the intermediate CA cert inside the PrivateKeyEntry (Alias tomcat) in the keystore file, as follows?

**Alias name: tomcat**
Creation date: Oct 10, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
...
...
Certificate[2]:
Owner: CN=My SSL CA v2 - A, O=eBay Inc, C=US
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 6800000004b4491dd58df45b9b000000000004
**Valid from: Wed Oct 14 18:35:33 UTC 2015 until: Wed Oct 14 18:45:33 UTC 2020**
...
...
Certificate[3]:
Owner: CN=My Root CA, O=eBay Inc, C=us
Issuer: CN=My Root CA, O=eBay Inc, C=us
Serial number: 4500888247008e884cd02d71a035810e

I can't use keytool -delete and -import option to delete and re-import the alias tomcat with the End Cert file because that will delete the private key as well and the private key will never be back.

Can you please teach me the exact steps to replace an intermediate CA Certificate in a keystore? Thanks a lot!

-Jun

This isn't really a programming or development question, even though you use the result on tomcat, and may get closed.

You need to create a file containing the whole chain -- end-entity, intermediate and root certs, in that order, in PEM. If you don't already have the EE cert in PEM you can extract it with keytool -export[cert] -keystore ksfile -alias tomcat -rfc -file eecert . Obviously you have the new intermediate cert that you just got, and if you don't have the root already (and it didn't change) export that also. You can combine the files with cat a b c >d on Unix or COPY a+b+c d on Windows, or use any text editor you like. Then import it to the privatekey entry like keytool -import[cert] -keystore ksfile -alias tomcat -file chainfile .
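A scripted version of the procedure in the answer above, added here as an illustration and not part of the original post or of keytool's documentation: it exports the end-entity certificate in PEM, concatenates it with the renewed intermediate and the root in the required order, sanity-checks the chain file (certificate count, optional openssl verification) and re-imports it under the same PrivateKeyEntry alias. The keystore path, alias and the *.pem file names are assumed placeholders, and the PEM files written by make_sample_pems are constructed stand-ins for trying the file handling offline; their bodies are not certificates and keytool would reject them.

```shell
#!/bin/sh
# Added example (not from the original post): replace the intermediate CA
# certificate inside a Tomcat PrivateKeyEntry by re-importing the full chain.
# KEYSTORE, ALIAS and the *.pem file names are placeholders; adjust to your setup.
set -eu

KEYSTORE="${KEYSTORE:-my.keystore}"
ALIAS="${ALIAS:-tomcat}"

# Number of PEM certificate blocks in a file (empty output if unreadable).
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Print the n-th PEM certificate block of a file (1-based), e.g. to inspect it
# with "openssl x509 -noout -subject -issuer -dates".
nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { i++ }
    i == n { print }
    /-----END CERTIFICATE-----/ { if (i == n) exit }' "$1"
}

# Build $4 = end-entity + intermediate + root, in exactly that order,
# refusing inputs that do not hold exactly one certificate each.
build_chain() {
  ee="$1"; inter="$2"; root="$3"; out="$4"
  for f in "$ee" "$inter" "$root"; do
    [ "$(count_certs "$f")" -eq 1 ] 2>/dev/null || {
      echo "expected exactly one certificate in $f" >&2; return 1; }
  done
  cat "$ee" "$inter" "$root" > "$out"
  [ "$(count_certs "$out")" -eq 3 ]
}

# Optional cryptographic check of the chain before touching the keystore:
# the EE cert must verify against the root with the new intermediate as untrusted.
verify_chain_openssl() {
  command -v openssl >/dev/null || { echo "openssl not found, skipping verify" >&2; return 0; }
  openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Full procedure. keytool prompts for the keystore password, so it never
# appears on the command line or in shell history.
reimport_chain() {
  cp "$KEYSTORE" "$KEYSTORE.bak"   # always keep a backup before rewriting the keystore
  keytool -exportcert -keystore "$KEYSTORE" -alias "$ALIAS" -rfc -file ee.pem
  build_chain ee.pem new_intermediate.pem root.pem chain.pem
  verify_chain_openssl ee.pem new_intermediate.pem root.pem
  # Importing a reply under the existing alias replaces its chain and keeps the private key.
  keytool -importcert -keystore "$KEYSTORE" -alias "$ALIAS" -file chain.pem -noprompt
  keytool -list -v -keystore "$KEYSTORE" -alias "$ALIAS" | grep -q 'Certificate chain length: 3'
}

# Constructed placeholder PEM files for trying build_chain/nth_cert offline;
# their bodies are not certificates and keytool/openssl would reject them.
make_sample_pems() {
  for name in ee intermediate root; do
    upper=$(printf '%s' "$name" | tr 'a-z' 'A-Z')
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
      "CONSTRUCTED-$upper-BODY-NOT-A-REAL-CERT" \
      '-----END CERTIFICATE-----' > "$1/$name.pem"
  done
}

# Run the real procedure only when explicitly asked: sh replace_chain.sh run
if [ "${1:-}" = run ]; then reimport_chain; fi
```

After the import, keytool -list -v on the alias should still report a chain length of 3, with Certificate[2] now carrying the new intermediate's validity dates and Certificate[1] unchanged; if the import instead fails with a public-key mismatch, the exported ee.pem does not belong to the private key under that alias and the backup copy should be restored.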
