Tags: java, code-signing, keystore, keytool

Update java keystore alias with new code-signing certificate


I've tried searching for this and all the documentation seems to be from the perspective of creating a new keystore and/or a new alias. However, I have the keystore with the alias I want as a PrivateKeyEntry and the soon-to-expire Globalsign code-signing certificate installed to it.

Now I want to know the proper procedure for updating the certificate with a new one under the same alias/PrivateKeyEntry.

TIA for your help.

Regards, B.K.


Solution

I think I got it!

The answer is:

  • Make a backup of the keystore file.

    ~ $ cp -a ~/.keystore.jks ~/baks/20140917.keystore.jks 
    

  • Create a new Certificate-Signing Request file from the existing alias.

    ~ $ keytool -certreq -v -alias myApp2 -file 20140917_myApp2_certreq.csr -keystore ~/.keystore.jks
    

  • Go to Globalsign (or whoever your CA is), log into your account, place the order for your Code Signing Certificate Renewal.
  • Either upload the CSR file you created above, or open the file and copy the contents, including the "-----BEGIN NEW CERTIFICATE REQUEST-----" and "-----END NEW CERTIFICATE REQUEST-----" lines, and paste it into the textbox field for the CSR.
  • When you get the response email, follow the link to the page for downloading your new certificate and download the new certificate to your system.
  • Check that the root and intermediate CA certificates are still the same. If they are different/updated, add the new ones to your keystore and/or to your "cacerts" keystore.

    ~ $ keytool -importcert -v -alias gssha2root_r3 -keystore ./cacerts -file ./dls/GlobalSign/20140916_GlobalsignSHA256root_cert.cer
    

  • Install the new code-signing certificate to the same alias.

    ~ $ keytool -importcert -v -trustcacerts -alias myApp2 -keystore ~/.keystore.jks -file ./dls/Globalsign/OS201400000001.cer
    

  • Seems to work as expected. I am now signing my Java applets with the new cert, and the jars are verifying with the new certificate.

    HTH.
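As an added post-renewal check (example code, not part of the original answer): it parses the output of `keytool -list -v -alias myApp2 -keystore ~/.keystore.jks` and confirms that the alias is still a PrivateKeyEntry (the private key was kept), that a chain was attached (so the intermediate CA import and `-trustcacerts` did their job), and that the leaf certificate's expiry is the renewed one rather than the soon-to-expire one. The listing embedded below is constructed with placeholder names, and the only assumption about keytool's output is its `Valid from: ... until: ...` line layout.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Constructed sample of `keytool -list -v -alias myApp2` output after the renewal
# (fingerprints and other lines omitted; CA names are placeholders, not real CAs).
SAMPLE = """\
Alias name: myApp2
Creation date: Sep 17, 2014
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=Example Software, O=Example Inc, C=US
Issuer: CN=Example Code Signing CA, O=Example CA, C=US
Valid from: Wed Sep 17 10:00:00 UTC 2014 until: Thu Sep 17 10:00:00 UTC 2015
Certificate[2]:
Owner: CN=Example Code Signing CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Valid from: Wed Sep 10 00:00:00 UTC 2014 until: Tue Sep 10 00:00:00 UTC 2024
"""

def parse_listing(text):
    """Return (entry type, chain length, leaf 'until' date). The first 'until:' belongs
    to Certificate[1], the leaf; the timezone token is ignored and treated as UTC."""
    entry = re.search(r"^Entry type:\s*(\S+)", text, re.M)
    chain = re.search(r"^Certificate chain length:\s*(\d+)", text, re.M)
    until = re.search(r"until:\s*\w{3} (\w{3}) (\d{1,2}) (\d\d):(\d\d):(\d\d) \S+ (\d{4})", text)
    if not (entry and chain and until):
        raise ValueError("unexpected keytool -list output")
    mon, day, hh, mm, ss, year = until.groups()
    expiry = datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                      tzinfo=timezone.utc)
    return entry.group(1), int(chain.group(1)), expiry

def check_renewal(text, today, min_days=30):
    """Return a list of problems; [] means the renewal landed. `today` is 'YYYY-MM-DD'."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    entry, chain_len, expiry = parse_listing(text)
    problems = []
    if entry != "PrivateKeyEntry":  # the alias must still hold the private key
        problems.append(f"entry type is {entry}, not PrivateKeyEntry")
    if chain_len < 2:  # no chain attached: intermediate CA was not trusted/imported
        problems.append("chain length 1: intermediate CA certificate is missing")
    if expiry - now < timedelta(days=min_days):  # old certificate still installed?
        problems.append(f"leaf certificate expires {expiry:%Y-%m-%d}")
    return problems
```

To run it against a real keystore, feed `check_renewal` the captured output of the keytool listing above and today's date; `jarsigner -verify -verbose -certs` on a freshly signed jar is the complementary check that the new chain is what ends up in the signature.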