Renewing a CA-Signed Certificate in a Keystore
A digital certificate has a validity period, after which it expires. An expired certificate is no longer valid, and clients reject it during the SSL/TLS handshake, so the client-server connection fails before any application data is exchanged. Plan certificate renewal ahead of time: a certificate that is allowed to expire unnoticed causes a major service outage.
Important
- Use the same certificate authority (CA) that issued the original public certificate. If you renew with a different CA, you also have to import the new CA certificate and its intermediate certificates into the keystore and into every client's trust store, because a client accepts the certificate only if it can build a chain to a CA it already trusts.
- If the certificate authority’s certificate is not in the keystore, you will get the following error when you try to import the CA-signed certificate to the keystore:
To overcome the above error, import the CA's root certificate and its intermediate certificates into the keystore first, in chain order (root, then each intermediate), and only then import the CA-signed certificate against the alias that holds the private key.
Now let's take a look at each high-level step in detail.
Step 1: Check the validity period of the certificate
Follow one of the steps below to view the validity period of a certificate:
- If you have a public hostname, go to https://www.sslshopper.com/ssl-checker.html and specify the hostname of your server. SSL Shopper lists all the information about the certificate the server serves, including its validity period.
- If you have a Java keystore, execute the following keytool command to view the certificate information:
This prompts for the keystore password. Once you specify the password, you can view the certificate information in a human-readable format, where the validity period is displayed as follows:
- If you have the certificate file, execute the following openssl command:
This displays the validity as follows:
- If it is a website, you can view the certificate information via the browser. All major browsers provide the capability to view certificate information.
If the validity period shows that the certificate is about to expire or has already expired, the next step is to generate a Certificate Signing Request (CSR) and have the CA issue a new certificate.
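The following is an added example, not code from the original page, that wraps the three checks described in Step 1 (keystore, certificate file, public host) in shell functions and turns the openssl end date into a "days left" number that a monitoring job or CI step can act on. It assumes a POSIX shell, GNU date (for `date -d`), and openssl and keytool on the PATH for the functions that call them; all file names, aliases and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: inspect a certificate's
# validity the three ways Step 1 describes, and turn the openssl end date
# into a "days left" number a monitoring job can act on.
# Assumptions: POSIX sh, GNU date (for "date -d"), openssl and keytool on PATH
# for the functions that call them; file names, aliases and hostnames are placeholders.

# notBefore=/notAfter= lines of a certificate file (PEM by default).
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Validity of one entry in a Java keystore; keytool prints
# "Valid from: <date> until: <date>" for each certificate in the chain.
keystore_validity() {
    keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" | grep 'Valid from'
}

# The certificate a public host really serves (SNI via -servername), so the
# check sees the same certificate a browser or the SSL Shopper page would.
served_cert_dates() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

# days_until_expiry 'notAfter=Jan 11 00:00:00 2030 GMT' [NOW_EPOCH]
# Prints whole days until the end date; negative means already expired.
# NOW_EPOCH (seconds since 1970) fixes "now" so the result is reproducible.
days_until_expiry() {
    end=${1#notAfter=}
    end_epoch=$(date -u -d "$end" +%s) || return 1
    now_epoch=${2:-$(date -u +%s)}
    printf '%s\n' "$(( (end_epoch - now_epoch) / 86400 ))"
}

# needs_renewal NOTAFTER_LINE THRESHOLD_DAYS [NOW_EPOCH]
# Succeeds (exit 0) when THRESHOLD_DAYS or fewer remain, so it can gate a
# cron job or CI step, for example:
#   needs_renewal "$(openssl x509 -in server.crt -noout -enddate)" 30 && echo "renew now"
needs_renewal() {
    [ "$(days_until_expiry "$1" "${3:-}")" -le "$2" ]
}
```

Run `needs_renewal` against the output of `openssl x509 -enddate -noout -in <cert>` (or the `served_cert_dates` line for a public host) with a threshold of 30 days or more, so renewal is triggered while there is still time to obtain and deploy the new certificate.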
Step 2: Generate a certificate signing request
Depending on the type of keystore you have, follow one of the steps below to generate a CSR:
- If you have a Java keystore, execute the following command:
Note
If you want to generate a CSR with a subject alternative name (SAN), use the -ext option of the keytool command to specify the required SAN. Include every hostname the certificate must cover; browsers match the hostname against the SAN, not the common name.
Following is a sample keytool command that includes a SAN:
- If you have the private key as a file (for example, in PEM format) rather than in a Java keystore, execute the following openssl command. Only the private key is needed; the public key is derived from it:
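The following is an added example, not code from the original page, that generates the renewal CSR both ways described in Step 2 (from a Java keystore with keytool, and from a standalone private key with openssl), always with a SAN, and inspects the CSR before it is submitted. It assumes keytool and openssl 1.1.1 or later (for `req -addext`) on the PATH; the keystore, key, alias and hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: generate the renewal CSR
# from a Java keystore (keytool) or from a standalone private key (openssl),
# always carrying a SAN, and inspect it before sending it to the CA.
# Assumptions: keytool and openssl 1.1.1 or later (for "req -addext") on PATH;
# file names, aliases and hostnames are placeholders.

# san_list dns example.com www.example.com -> dns:example.com,dns:www.example.com
# keytool wants "dns:" entries after -ext SAN=, openssl wants "DNS:" entries
# in subjectAltName; the prefix argument covers both.
san_list() {
    prefix=$1; shift
    out=""
    for host in "$@"; do
        out="${out:+$out,}$prefix:$host"
    done
    printf '%s\n' "$out"
}

# keystore_csr KEYSTORE STOREPASS KEYALIAS OUT.csr HOST...
# KEYALIAS must be the entry holding the private key of the expiring
# certificate, so the renewed certificate can later be imported against the
# same key.
keystore_csr() {
    ks=$1; storepass=$2; keyalias=$3; csr=$4; shift 4
    keytool -certreq -keystore "$ks" -storepass "$storepass" -alias "$keyalias" \
        -file "$csr" -ext "SAN=$(san_list dns "$@")"
}

# key_csr PRIVATE.key OUT.csr COMMON_NAME HOST...
# Only the private key is needed; openssl derives the public key from it.
# -subj and -addext avoid the interactive prompts and a config file.
key_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    openssl req -new -key "$key" -out "$csr" -subj "/CN=$cn" \
        -addext "subjectAltName=$(san_list DNS "$@")"
}

# Before submitting: the CSR's self-signature must verify and the text dump
# must list every hostname under "X509v3 Subject Alternative Name".
inspect_csr() {
    openssl req -in "$1" -noout -verify -text
}

# Typical calls (placeholders):
#   keystore_csr wso2carbon.jks changeit wso2carbon server.csr example.com www.example.com
#   key_csr server.key server.csr example.com example.com www.example.com
#   inspect_csr server.csr
```

Always run `inspect_csr` before submitting: a CSR generated against the wrong alias or without the SAN yields a certificate that either cannot be imported against the existing private key or is rejected by clients for the missing hostname.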
Once you generate the CSR, submit it to your certificate authority to get a new CA-signed certificate. For testing purposes you can go to http://www.getacert.com/signacert.html and submit your CSR to obtain a new CA-signed certificate for free. A certificate from such a test CA is not trusted by browsers or by your clients' trust stores, so use it only in test environments.
After you obtain the new certificate, import it into the keystore if you are using a Java keystore, under the same alias that holds the private key, so that the key pair and the new certificate stay paired.
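The following is an added example, not code from the original page, showing the import order the Important note above calls for and the import into the keystore mentioned in the previous sentence: the CA root first, then each intermediate, and the CA-signed certificate last against the alias of the private key. It assumes keytool on the PATH; the keystore, password, alias and certificate file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: import a CA-signed
# certificate in the order keytool needs to establish the chain. Root first,
# then intermediates (issuer before subject), and the signed certificate last
# under the alias that already holds the private key.
# Assumptions: keytool on PATH; file names and aliases are placeholders.

# alias_for_file /path/RootCA.crt -> RootCA  (a readable alias from the file name)
alias_for_file() {
    name=${1##*/}
    printf '%s\n' "${name%.*}"
}

# import_chain KEYSTORE STOREPASS KEYALIAS SIGNED_CERT ROOT_CERT [INTERMEDIATE...]
# Intermediates are given top-down, the one signed by the root first.
import_chain() {
    ks=$1; storepass=$2; keyalias=$3; signed=$4; shift 4
    for ca in "$@"; do
        # -trustcacerts also consults the JDK cacerts store; -noprompt
        # accepts the self-signed root without the interactive question.
        keytool -importcert -trustcacerts -noprompt -keystore "$ks" \
            -storepass "$storepass" -alias "$(alias_for_file "$ca")" -file "$ca"
    done
    # Importing with the key's alias replaces that entry's certificate chain;
    # keytool refuses it unless the issuers above were imported first.
    keytool -importcert -trustcacerts -noprompt -keystore "$ks" \
        -storepass "$storepass" -alias "$keyalias" -file "$signed"
    # Confirm: the key entry must remain a PrivateKeyEntry, now with the full
    # chain and the new validity period.
    keytool -list -v -keystore "$ks" -storepass "$storepass" -alias "$keyalias" \
        | grep -E 'Entry type|Certificate chain length|Valid from'
}

# Typical call (placeholders):
#   import_chain wso2carbon.jks changeit wso2carbon server.crt root.crt intermediate.crt
```

If the final check shows a chain length of 1 or an entry type other than PrivateKeyEntry, the signed certificate was imported under the wrong alias and clients will not receive the intermediates; fix the alias and re-import rather than leaving the keystore in that state.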