
What do you do when your SSL Certificate expired?


I ran into this problem the other day. My SSL certificate expired for my dev domain. I went to Network Solutions, snagged a new certificate using my old Certificate Signing Request (CSR), and tried to import it into my keystore. Because the CSR was the same, the new certificate matched the private key that was already sitting in the keystore.
In the past, I've always generated my private key and CSR, and then imported the new certificate along with the complete chain. Since the old, expired certificate was still in the keystore, I thought it made sense to blow away the corresponding alias with the following command.

%JAVA_HOME%/bin/keytool -delete -alias tomcat_ssl -keystore C:/Users/Joel/.keystore

Big mistake.
What I didn't realize is that the alias names a PrivateKeyEntry, which stores the private key and its certificate chain together as one entry. Deleting the alias deletes the whole entry, so it removes the private key along with the certificate. Oops.
Luckily, I still had my private key. I was hopeful that I could just import this private key into my keystore. Strike 2!
The Java keytool does not allow you to import a bare private key. Crap. I didn't want to go back to Network Solutions to generate a new certificate. That's a pain. There has to be a way to get a private key into my keystore.
Luckily, there is. You can't import a private key directly into your keystore, but you can merge a private key and certificate pair into an existing keystore if the pair is packaged in PKCS12 format. How's that for fun?
To start, you need to use openssl to generate a PKCS12 file from a PEM file. The PEM file needs to contain first your private key and then the .crt file for the domain, so the command below appends the certificate to a PEM file that already holds the key.

C:/cygwin/home/Joel/dev> cat openssl_dev.crt >> openssl_dev.pem

Next, run openssl pkcs12 -export with the -in parameter pointing at that PEM file to generate the PKCS12 file. You will be prompted for an export password; remember it, because keytool asks for it as the source keystore password during the merge.

C:/cygwin/home/Joel/dev> openssl pkcs12 -export -in openssl_dev.pem -out openssl_dev.p12

Now, with the PKCS12 file, you need to do a keystore merge with your existing keystore.

%JAVA_HOME%/bin/keytool -importkeystore -srckeystore openssl_dev.p12 -srcstoretype PKCS12 -destkeystore C:/Users/Joel/.keystore

After doing the merge, when you look into your keystore, you will see that this entry has been given an alias of 1. That is what keytool falls back to when the PKCS12 file carries no friendly name; passing -name tomcat_ssl to openssl pkcs12 -export would have set the alias up front.

%JAVA_HOME%/bin/keytool -list -v -keystore C:/Users/Joel/.keystore > dump.txt

You will want to change this alias to something usable:

%JAVA_HOME%/bin/keytool -changealias -alias 1 -destalias tomcat_ssl -keystore C:/Users/Joel/.keystore

Now, you will also want the rest of the certificate chain in the keystore. The command below imports the CA certificates as a trusted entry under a separate alias. Keep in mind that a trusted-certificate entry is not part of the tomcat_ssl key entry: Tomcat presents clients the chain stored with the key entry, so if the intermediate certificate must be sent to clients, bundle it into the PKCS12 file with openssl's -certfile option before the merge.

%JAVA_HOME%/bin/keytool -import -alias root -keystore C:/Users/Joel/.keystore -trustcacerts -file network_first_add_trust_second_carriage_return.pem

Now, when I start up my tomcat instance referencing my tomcat_ssl alias, I’m back in business!
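The whole procedure in one script, as an added example that is not part of the original post: it builds the PEM file key-first, exports it to PKCS12 with the intermediate certificate bundled and the alias set up front, checks the PKCS12 before touching the keystore, backs the keystore up, and merges. The file names, the alias, the password "changeit" and the throwaway root/intermediate/leaf chain generated at the top are all assumptions made so the script runs offline; in real use, substitute your own private key, the CA-issued .crt and the CA's intermediate bundle. The keytool steps are skipped when no JDK is on the PATH.

```shell
#!/bin/sh
# Added example (not code from the original post): rebuild a Tomcat keystore
# entry from an existing private key and issued certificate via PKCS12, keeping
# the intermediate certificate inside the same key entry.
# Assumptions: file names, alias, the password "changeit", and the test chain
# generated by make_test_chain (constructed here only so the script runs offline).
set -eu

WORK=${WORK:-$(mktemp -d)}
KS="$WORK/keystore"        # stands in for C:/Users/Joel/.keystore
ALIAS=tomcat_ssl
PASS=changeit              # assumed keystore and PKCS12 export password
cd "$WORK"

# Constructed test material: root CA -> intermediate CA -> leaf for the domain.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3 -subj "/CN=Test Root" \
        -keyout root.key -out root.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
        -keyout int.key -out int.csr 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > int.ext
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 3 -extfile int.ext -out int.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dev.example.test" \
        -keyout openssl_dev.key -out openssl_dev.csr 2>/dev/null
    openssl x509 -req -in openssl_dev.csr -CA int.crt -CAkey int.key -CAcreateserial \
        -days 3 -out openssl_dev.crt 2>/dev/null
}

# Step 1: private key first, then the leaf certificate, in one PEM file.
# Step 2: export to PKCS12. -certfile puts the intermediate into the same bag so
# it becomes part of the key entry's chain; -name sets the alias keytool will
# use, so there is no "1" alias to rename afterwards.
build_pkcs12() {
    cat openssl_dev.key openssl_dev.crt > openssl_dev.pem
    openssl pkcs12 -export -in openssl_dev.pem -certfile int.crt -name "$ALIAS" \
        -passout "pass:$PASS" -out openssl_dev.p12
}

# Checks on the PKCS12 before the keystore is touched.
p12_cert_count() {     # leaf + intermediate
    openssl pkcs12 -in openssl_dev.p12 -passin "pass:$PASS" -nokeys \
        | grep -c 'BEGIN CERTIFICATE'
}
p12_friendly_name() {  # alias keytool will assign
    openssl pkcs12 -in openssl_dev.p12 -passin "pass:$PASS" -nokeys -clcerts \
        | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# Step 3: merge into the keystore. Back it up first: keytool -delete removes the
# key together with the certificate, and -noprompt overwrites a same-named alias.
# Prints "skipped" when keytool is not on the PATH.
merge_into_keystore() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    [ -f "$KS" ] && cp "$KS" "$KS.bak"
    keytool -importkeystore -srckeystore openssl_dev.p12 -srcstoretype PKCS12 \
        -srcstorepass "$PASS" -destkeystore "$KS" -deststorepass "$PASS" \
        -noprompt >/dev/null 2>&1
    echo merged
}

# Chain length keytool reports for the key entry; "skipped" without keytool.
keystore_chain_length() {
    command -v keytool >/dev/null 2>&1 || { echo skipped; return 0; }
    keytool -list -v -keystore "$KS" -storepass "$PASS" -alias "$ALIAS" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

make_test_chain
build_pkcs12
echo "PKCS12 certificates: $(p12_cert_count), alias: $(p12_friendly_name)"
echo "keystore: $(merge_into_keystore), chain length: $(keystore_chain_length)"
```

One caveat when mixing tool versions: OpenSSL 3 encrypts PKCS12 files with AES and a SHA-256 MAC by default, which older JDKs (before 8u301 and 11.0.12) cannot read; if keytool rejects the file, re-export with OpenSSL 3's -legacy option or with -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1.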

Joel Garcia

Joel Garcia has been building AllCode since 2015. He’s an innovative, hands-on executive with a proven record of designing, developing, and operating Software-as-a-Service (SaaS), mobile, and desktop solutions. Joel has expertise in HealthTech, VoIP, and cloud-based solutions. Joel has experience scaling multiple start-ups for successful exits to IMS Health and Golden Gate Capital, as well as working at mature, industry-leading software companies. He’s held executive engineering positions in San Francisco at TidalWave, LittleCast, Self Health Network, LiveVox acquired by Golden Gate Capital, and Med-Vantage acquired by IMS Health.
