Keystore explorer update certificate6/15/2023 The extfile.cnf is optional and is used if you want to specify extensions. So, you need to use OpenSSL: x509 -req -days 3650 -in req.csr -signkey private.key -sha256 -extfile extfile.cnf -out result.crt And you can’t remove the certificate and generate a new one. If you try to sign the request with your existing keystore keypair, the current certificate is used as the root of the chain (and you don’t want that). The last two steps seem to be not straightforward with keytool or keystore explorer. ![]() Import the certificate in the store to replace the old (expired) one.Sign the request with the private key (i.e.Make a certificate signing request ( with keytool or through the keystore-explorer UI).Export the private key ( with keytool & openssl or through the keystore-explorer UI, which is much simpler).In order to reuse the private key to have a new, longer certificate, you need to do the following: ![]() Even with my favorite tool, keystore explorer, it’s not immediately possible. This sounds like something that should be easy to do, but it turns it isn’t that easy with keytool. However, you can have a new certificate with the same private key and a longer period. This is useful mostly for testing and internal systems but is still worth mentioning.Įxtending certificates is generally not possible – once they expire, they’re done. And after the certificate in initially generated JKS file expires, you have few options – either generate an entirely new keypair or somehow “extend” the existing certificate. Sometimes, you don’t have a PKI in place but you still need a key and a corresponding certificate to sign stuff (outside of the TLS context).
0 Comments
Leave a Reply. |