24

I have a Linux CentOS server running the GlassFish 3.1.2 app server. The default certs that come with the GlassFish install for ports 4848 and 8181 are 1024 bits. I need to replace these with 2048-bit versions. I'm looking for help creating the keytool command line that does this.

I located the certs here:

```
# keytool -list -keystore keystore.jks
   Keystore type: JKS
   Keystore provider: SUN
   Your keystore contains 2 entries
   glassfish-instance, Feb 7, 2012, PrivateKeyEntry, 
   Certificate fingerprint (SHA1): 40:...:46
   s1as, Feb 7, 2012, PrivateKeyEntry, 
   Certificate fingerprint (SHA1): 3C:...:FC
```

2 Answers

37

Here you go. I always keep this page bookmarked as a reference: The Most Common Java Keytool Keystore Commands.

So you'll need to delete the certificate before you can re-add it. From the above page:

Delete a certificate from a Java Keytool keystore

  • `keytool -delete -alias mydomain -keystore keystore.jks`
slm
1

I differ with the response above. What I have found is if you create the CSR from the existing keystore you can just replace the certificate. All you do is import the new certificate using the same alias as the old one.

```
keytool -importcert -alias old_cert_alias -file new_cert_file.cer -keystore your_key_store.jks
```

  • If it exists we get an error: `keytool error: java.lang.Exception: Certificate not imported, alias already exists`. Need to do `keytool -delete` first. – Paulo Merson Jan 20 '22 at 19:01
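
An added example, not part of either answer: one way to swap a self-signed 1024-bit entry for a 2048-bit one under the same alias and confirm the result. It assumes `openssl` is installed, that the key password equals the store password, and that a trust store named `cacerts.jks` sits beside `keystore.jks`; the password, DN and validity shown are placeholders.

```shell
#!/bin/sh
# Added example. Assumed values: store password, DN, 10-year validity,
# and a trust store (cacerts.jks) kept beside keystore.jks.

# key_bits KEYSTORE STOREPASS ALIAS -> public key size of the entry's certificate
key_bits() {
    keytool -exportcert -rfc -alias "$3" -keystore "$1" -storepass "$2" |
        openssl x509 -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# rotate_selfsigned KEYSTORE STOREPASS ALIAS DNAME
rotate_selfsigned() {
    cp -p "$1" "$1.bak" || return 1      # rollback copy of the whole store
    # -genkeypair refuses an alias that already exists, so delete it first.
    keytool -delete -alias "$3" -keystore "$1" -storepass "$2" || return 1
    # Key password is kept equal to the store password.
    keytool -genkeypair -alias "$3" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "$4" -validity 3650 \
        -keystore "$1" -storepass "$2" -keypass "$2" || return 1
    [ "$(key_bits "$1" "$2" "$3")" -ge 2048 ]   # fail unless the new key is 2048+
}

# sync_truststore KEYSTORE TRUSTSTORE STOREPASS ALIAS
sync_truststore() {
    pem=$(mktemp) || return 1
    keytool -exportcert -rfc -alias "$4" -keystore "$1" -storepass "$3" \
        -file "$pem" || return 1
    # In a trust store the alias is a trustedCertEntry; -importcert will not
    # overwrite it, so remove any old copy (absent on first run, hence || true).
    keytool -delete -alias "$4" -keystore "$2" -storepass "$3" >/dev/null 2>&1 || true
    keytool -importcert -noprompt -alias "$4" -file "$pem" \
        -keystore "$2" -storepass "$3"
    rc=$?; rm -f "$pem"; return "$rc"
}

# Usage, run from the directory holding the stores (password is a placeholder):
#   for a in s1as glassfish-instance; do
#       rotate_selfsigned keystore.jks changeit "$a" "CN=$(hostname),O=Example" &&
#       sync_truststore keystore.jks cacerts.jks changeit "$a"
#   done
```

The server has to be restarted before it serves the new certificates, and `keystore.jks.bak` is the rollback copy if a client still pins the old one.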