> From: owner-openssl-us...@openssl.org On Behalf Of Mohan Radhakrishnan
> Sent: Thursday, 12 May, 2011 00:04

>    I think I have been able to replace only the intermediate certificate
> which has a different validity period. I believe this can be done
> because what the intermediate certificate is signing is still valid.
> Only the expiry date is changing and it is being renewed.
> 
And the new intermediate is for the same key(pair) as the old, 
as surmised upthread?

> 1. Root is valid
> 2. Sub root or intermediate is replaced
> 3. Public key certificate is valid. No new CSR is required.
> 
> I have done this by using keystore commands.
> 
From your example below, Java jks using keytool?

> I exported all the contents of the existing keystore including the
> private key as a .pem and then replaced only the new intermediate. This
> was imported back. Now when I run the command
> 
Are you sure?

Java keytool can't export a privatekey to any kind of pem -- 
but it can export the CERT FOR a privatekey 
= the first or only cert in a privatekey entry 
to either DER or PEM (slightly confusingly called -rfc).

That's enough. If you keytool -importcert from a cert/chain 
matching a privatekey it becomes (replaces) the cert/chain 
for that privatekey; if not it becomes a "trustedcert" entry instead.
If you export your existing leaf cert, and concatenate it 
with the new intermediate and import that combination, it will work.

(If you also concatenate and thus include the root, JSSE will serve it, 
but there's no point in doing that, since the client(s) shouldn't 
trust a root cert they don't already have in truststore or equivalent.)

Java keytool CAN convert a jks privatekey (AND chain) to PKCS12 
by doing -importkeystore with -deststoretype PKCS12. See below.

> Keytool -list -v -keystore <store>
> 
> I can see the chain with the new intermediate in the middle. We are
> going to test the SSL part to validate.
> 
> Has anyone done this to the Java keystore with OpenSSL ?
> 
OpenSSL cannot manipulate jks directly.

OpenSSL can operate on PKCS12. If you use keytool to 
convert to PKCS12 (or, less likely, have PKCS12 already) 
you can use OpenSSL to unpack, modify, and rebuild 
the PKCS12, which keytool can then convert back to jks.
But why bother?
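The procedure described in the reply above (export the leaf cert, concatenate it with the new intermediate, re-import under the same alias, and optionally round-trip through PKCS12 for OpenSSL), written out as an added shell example that is not part of the original thread. Keystore file names, the alias `server`, the passwords and the placeholder PEM blocks are all assumptions; the placeholder blocks are constructed text, not real certificates, and only exercise the pure-shell ordering checks. The keytool and openssl wrappers are plain wrappers around the commands the reply names and are not run unless you call them.

```sh
#!/bin/sh
# Added example, not from the thread. Replacing the intermediate in a JKS
# keystore with keytool, plus the optional JKS -> PKCS12 -> PEM -> PKCS12 -> JKS
# round-trip through OpenSSL. All names below are assumptions.
set -eu

# Leaf first, then the NEW intermediate. keytool -importcert matches the
# first cert in the file against the private key under the alias, so the
# order decides whether the chain replaces the key's chain or becomes a
# separate "trustedcert" entry.
build_chain_pem() {          # leaf.pem intermediate.pem -> chain on stdout
    cat "$1" "$2"
}

# Number of PEM certificate blocks in a file (sanity check before importing).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# True when the chain file begins with the leaf cert byte-for-byte, i.e. it
# was not accidentally built intermediate-first or root-first.
chain_starts_with_leaf() {   # leaf.pem chain.pem
    n=$(wc -l < "$1" | tr -d ' ')
    head -n "$n" "$2" | cmp -s - "$1"
}

# Constructed placeholder "certificate" for testing the helpers above only.
# It is NOT a real certificate and cannot be imported anywhere.
write_sample_pem() {         # file label
    printf '%s\n%s-PLACEHOLDER-BODY\n%s\n' \
        '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' > "$1"
}

# Step 1: keytool cannot export the private key, but it can export the cert
# for it in PEM form (-rfc).
export_leaf_cert() {         # store.jks alias storepass out.pem
    keytool -exportcert -rfc -keystore "$1" -alias "$2" -storepass "$3" -file "$4"
}

# Step 2: import leaf + new intermediate under the SAME alias. Because the
# first cert matches the private key, it replaces that key's chain.
import_new_chain() {         # store.jks alias storepass chain.pem
    keytool -importcert -noprompt -keystore "$1" -alias "$2" -storepass "$3" -file "$4"
}

# Optional: JKS -> PKCS12 so OpenSSL can unpack, modify and rebuild it.
jks_to_pkcs12() {            # src.jks srcpass dest.p12 destpass
    keytool -importkeystore -srckeystore "$1" -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype PKCS12 -deststorepass "$4"
}
pkcs12_to_pem() {            # in.p12 pass out.pem (key + certs, unencrypted)
    openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out "$3"
}
pem_to_pkcs12() {            # in.pem out.p12 pass
    openssl pkcs12 -export -in "$1" -out "$2" -passout "pass:$3"
}
pkcs12_to_jks() {            # src.p12 srcpass dest.jks destpass
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststoretype JKS -deststorepass "$4"
}

# Intended use with a real store (assumed names; run by hand):
#   export_leaf_cert keystore.jks server changeit leaf.pem
#   build_chain_pem leaf.pem new-intermediate.pem > chain.pem
#   chain_starts_with_leaf leaf.pem chain.pem && import_new_chain keystore.jks server changeit chain.pem
#   keytool -list -v -keystore keystore.jks -storepass changeit
```

The root is deliberately left out of the chain: the client must already trust it from its own truststore, so serving it only adds bytes to the handshake.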

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org