Is it possible to change the certificate and certificate chain for an existing entry (private key) in a keystore? As I understand it, I first need to delete the existing entry and then store the same private key with the new certificate and chain. This solution is not an option since I don't know the password for that entry in the keystore.
Solution so far:
Key generation and initial storage:
KeyPair kp = generateRSAKeyPair();
X509Certificate selfSignedCert = makeSelfSignedCert(kp);
ks.load(...);
ks.setKeyEntry("entry1", kp.getPrivate(), PASSWORD, new X509Certificate[]{selfSignedCert});
ks.store(...);
After CA sends certificate I want:
ks.load(...);
ks.setCertificateEntry("entry1", caSignedCert);
ks.store(...);
The main issue is that I don't have the right certificate at the time the key is stored in the keystore. There is a delay between the generation of the keys and when the CA sends the signed certificates.
Another option would be to not set a certificate at all and, after the CA signs the CSR, add the final signed certificate to the keystore. Something like:
KeyPair kp = generateRSAKeyPair();
ks.load(...);
ks.setKeyEntry("entry1", kp.getPrivate(), PASSWORD);
ks.store(...);
// after some time
ks.load(...);
ks.setCertificateEntry("entry1", caSignedCert);
ks.store(...);
But I couldn't find a way to store a private key without an associated certificate in the keystore. Storing the private key elsewhere is also not an option.
A potential solution is to store the signed certificate from the CA until a user provides the password for the keystore entry, then delete the existing entry and create a new entry with the proper certificates. This solution is not ideal and I would like to avoid going down this road.
Any suggestions are welcome.
The solution is to first store the key in the keystore with the self-signed certificate. At this time the key cannot be used, because the CA has not yet sent the proper certificate for it. If one used the key at this time for signing, the associated self-signed certificate would be used (which is not desirable).
After some time the CA sends the proper certificate, which must be stored somewhere (a database in my case).
At the first opportunity when the password for the key entry is supplied, the key is retrieved from the keystore and immediately stored again with the same password but a different alias and the proper certificate from the CA. Then it is safe to delete the original entry with the self-signed certificate.
I hope this helps someone. Any better solutions are welcome.
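The following is an added, self-contained example (not code from the question or the answer) that walks through both halves of the thread: it shows why the `setCertificateEntry("entry1", caSignedCert)` attempt from the question is rejected by the JDK keystores, and then carries out the answer's procedure of re-storing the key under a new alias with the CA-issued chain once the entry password is available. It assumes Bouncy Castle (bcprov and bcpkix) on the classpath purely to mint the self-signed and CA-issued test certificates; the aliases `entry1`/`entry1-ca`, the password `changeit`, the subject names and the in-memory PKCS12 store are all invented for the demonstration. The stand-in CA key pair replaces the real CA and CSR exchange, which the thread keeps out of scope.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;

import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

public class KeyStoreRekeyExample {

    // Hypothetical entry password used for the demonstration only.
    static final char[] PASSWORD = "changeit".toCharArray();

    // Issue a certificate for subjectKey signed by issuerKey. When both keys belong to the
    // same pair the result is self-signed; otherwise it plays the role of the CA-issued cert.
    static X509Certificate signCert(String subject, PublicKey subjectKey,
                                    String issuer, PrivateKey issuerKey) throws Exception {
        long now = System.currentTimeMillis();
        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                new X500Name(issuer), BigInteger.valueOf(now),
                new Date(now), new Date(now + 365L * 24 * 3600 * 1000),
                new X500Name(subject), subjectKey);
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(issuerKey);
        return new JcaX509CertificateConverter().setProvider("BC").getCertificate(builder.build(signer));
    }

    // The answer's re-keying step: requires the entry password, re-stores the same private key
    // under a new alias with the CA-issued chain, then removes the self-signed entry.
    static void replaceChain(KeyStore ks, String oldAlias, String newAlias, char[] password,
                             X509Certificate[] newChain) throws Exception {
        Key key = ks.getKey(oldAlias, password);   // throws UnrecoverableKeyException on a wrong password
        if (!(key instanceof PrivateKey)) {
            throw new KeyStoreException(oldAlias + " is not a private key entry");
        }
        // Sanity check before touching the store: the new leaf must certify this key's public half,
        // otherwise we would pair the private key with somebody else's certificate.
        X509Certificate current = (X509Certificate) ks.getCertificate(oldAlias);
        if (!current.getPublicKey().equals(newChain[0].getPublicKey())) {
            throw new IllegalArgumentException("CA-issued certificate does not match the stored key");
        }
        ks.setKeyEntry(newAlias, key, password, newChain);
        ks.deleteEntry(oldAlias);
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);

        // Step 1: generate the key pair and park it under a self-signed certificate.
        KeyPair kp = kpg.generateKeyPair();
        X509Certificate selfSigned = signCert("CN=server", kp.getPublic(), "CN=server", kp.getPrivate());
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);   // empty in-memory store; a real one would be loaded from and stored to disk
        ks.setKeyEntry("entry1", kp.getPrivate(), PASSWORD, new Certificate[]{selfSigned});

        // What the question tried: JKS and PKCS12 refuse to turn a key entry into a trusted-cert entry.
        try {
            ks.setCertificateEntry("entry1", selfSigned);
        } catch (KeyStoreException e) {
            System.out.println("setCertificateEntry rejected: " + e.getMessage());
        }

        // Step 2 (some time later): a stand-in CA certifies the same public key. In practice this
        // certificate arrives from the CA in response to a CSR and is kept, e.g., in a database.
        KeyPair caKp = kpg.generateKeyPair();
        X509Certificate caCert = signCert("CN=test-ca", caKp.getPublic(), "CN=test-ca", caKp.getPrivate());
        X509Certificate caSigned = signCert("CN=server", kp.getPublic(), "CN=test-ca", caKp.getPrivate());

        // Step 3: the first time the entry password is available, swap in the CA chain.
        replaceChain(ks, "entry1", "entry1-ca", PASSWORD, new X509Certificate[]{caSigned, caCert});

        System.out.println("entry1 still present: " + ks.containsAlias("entry1"));
        X509Certificate leaf = (X509Certificate) ks.getCertificate("entry1-ca");
        System.out.println("entry1-ca issuer: " + leaf.getIssuerX500Principal());
    }
}
```

Run it with bcprov and bcpkix on the classpath. The public-key comparison in `replaceChain` is the check worth keeping in production: it catches a certificate that was parked in the database for the wrong key before the old entry is deleted.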