
I've a linux centos server running glassfish 3.1.2 app server. The default certs coming from GlassFish install for ports 4848 and 8181 are 1024 bits. I need to replace these with 2048 bits versions. Looking for help to create the keytool command line code that does this.

I located the certs here:

# keytool -list -keystore keystore.jks
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
glassfish-instance, Feb 7, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 40:...:46
s1as, Feb 7, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): 3C:...:FC


Here you go, I always keep this page bookmarked as a reference, The Most Common Java Keytool Keystore Commands.

So you'll need to delete the certificate before you can re-add it. From the above page:

Delete a certificate from a Java Keytool keystore

keytool -delete -alias mydomain -keystore keystore.jks

There is no "overwrite" option.

There does not seem to be an "overwrite" or "force" command when adding something. So you manually have to delete first.

(You can look into the source and search for "already.exists". There is no overwrite. It just goes straight to throwing an exception. => https://github.com/openjdk/jdk17u/blob/master/src/java.base/share/classes/sun/security/tools/keytool/Main.java)

There is no documented "overwrite" option for either the "-genkey" command or the "-importcert" command. Example below for "-genkey" command.

Generating a new truststore:

$ keytool -keystore keystore.p12 -storepass 123456 -genkey -keyalg RSA -noprompt -dname "CN=test.example.com" -v
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
        for: CN=test.example.com
[Storing keystore.p12]
✓

Overwriting does NOT work:

$ keytool -keystore keystore.p12 -storepass 123456 -genkey -keyalg RSA -noprompt -dname "CN=test.example.com" -v
keytool error: java.lang.Exception: Key pair not generated, alias <mykey> already exists
java.lang.Exception: Key pair not generated, alias <mykey> already exists
        at java.base/sun.security.tools.keytool.Main.doGenKeyPair(Main.java:1930)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1171)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
✗

$ keytool -keystore keystore.p12 -storepass 123456 -list
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

mykey, Mar 13, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 99:56:B4:19:E8:02:38:39:C4:01:67:08:EB:37:25:B8:15:CB:23:AE:CE:A1:15:44:0D:B4:B4:17:82:0D:D8:89
✓

So you have to manually delete:

$ keytool -keystore keystore.p12 -storepass 123456 -delete -alias mykey -v
[Storing keystore.p12]
✓

$ keytool -keystore keystore.p12 -storepass 123456 -delete -alias mykey -v
keytool error: java.lang.Exception: Alias <mykey> does not exist
java.lang.Exception: Alias <mykey> does not exist
        at java.base/sun.security.tools.keytool.Main.doDeleteEntry(Main.java:1654)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1149)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
✗

$ keytool -keystore keystore.p12 -storepass 123456 -list
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 0 entries
✓

And then it works:

$ keytool -keystore keystore.p12 -storepass 123456 -genkey -keyalg RSA -noprompt -dname "CN=test.example.com" -v
Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 90 days
        for: CN=test.example.com
[Storing keystore.p12]
✓

$ keytool -keystore keystore.p12 -storepass 123456 -list
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

mykey, Mar 13, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 91:DA:5C:EA:AA:65:83:A2:D4:7B:27:5E:44:09:4E:8B:5F:C2:FD:87:94:03:E7:83:18:CD:10:D9:C9:E0:F8:7E
✓
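As an added example (not code from any of the answers above), here is a POSIX shell script that carries out the delete-then-regenerate procedure for the GlassFish aliases, keeping each alias and its existing subject DN, and verifying with openssl that the new key is really 2048 bits before reporting success. It assumes keytool and openssl are on PATH, that the key password equals the store password (GlassFish's default master password "changeit" is used unless KEYSTORE_PASS is set), and that the keystore path is given in KEYSTORE.

```shell
#!/bin/sh
# Rotate a weak RSA key pair in a JKS keystore to 2048 bits under the same
# alias and subject DN. keytool has no overwrite, so: read the DN, delete the
# alias, regenerate, then verify the new key size with openssl.
# Assumptions: keytool and openssl on PATH; key password equals store password
# (GlassFish's default master password "changeit" unless KEYSTORE_PASS is set).

KEYSTORE="${KEYSTORE:-keystore.jks}"
KEYSTORE_PASS="${KEYSTORE_PASS:-changeit}"

# Export the certificate under an alias as PEM (empty output if the alias is missing).
export_pem() {
    keytool -exportcert -rfc -alias "$1" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" 2>/dev/null
}

# Print the RSA modulus size in bits of the certificate stored under an alias.
key_bits() {
    export_pem "$1" | openssl x509 -noout -text 2>/dev/null \
        | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Print the subject DN in RFC 2253 form, which keytool -dname accepts as-is.
subject_dn() {
    export_pem "$1" | openssl x509 -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed 's/^subject= *//'
}

# Replace the key pair under alias $1 with a 2048-bit one; non-zero status on failure.
rotate_alias() {
    alias="$1"
    dn="$(subject_dn "$alias")"
    [ -n "$dn" ] || { echo "alias '$alias' not found in $KEYSTORE" >&2; return 1; }
    bits="$(key_bits "$alias")"
    if [ "${bits:-0}" -ge 2048 ]; then
        echo "$alias already has a ${bits}-bit key; nothing to do"
        return 0
    fi
    cp "$KEYSTORE" "$KEYSTORE.bak.$$"                   # keep a backup first
    keytool -delete -alias "$alias" -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" || return 1
    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -validity 3650 -dname "$dn" \
        -keystore "$KEYSTORE" -storepass "$KEYSTORE_PASS" -keypass "$KEYSTORE_PASS" || return 1
    [ "$(key_bits "$alias")" = "2048" ]                 # verify the new key size
}

for a in "$@"; do rotate_alias "$a" || exit 1; done    # e.g. ./rotate.sh s1as glassfish-instance
```

The backup copy lets you restore the original keystore if the server refuses the new entries; a new self-signed certificate will of course need to be re-trusted by any clients that pinned the old one.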


I differ with the response above. What I have found is if you create the CSR from the existing keystore you can just replace the certificate. All you do is import the new certificate using the same alias as the old one.

keytool -importcert -alias old_cert_alias -file new_cert_file.cer -keystore your_key_store.jks