Tuesday, 28 January 2014

How to renew SSL (Secure Sockets Layer) certificate on a keystore?

Recently we have to renew the SSL certificate on our company's product website. So we thought of sharing the steps we followed.

Get the CSR (Certificate Signing Request) file
For buying the renewal certificate you have to submit CSR file to the SSL issuer. You can either use the existing CSR file you have used earlier to purchase the SSL initially or you can export it from your keystore.
The command to export is

keytool –keystore clientkeystore –certreq –alias client –keyalg rsa –file client.csr

Buy the SSL certificate from issuer
Buy your SSL from the any of the issuers like verisign , comodo, positivessl etc. You have to paste the contents of the CSR file you generated in the previous steps to buy one. The issuer might email you the certificates or give you an option to download them.

Renewing the primary certificate on to keystore.

The certificate issuer will give you ROOT certificate, intermediate certificate as well as domain specific certificate to you. As this is a renewal you only need the domain specific certificate. Only thing you have to do is to import the domain certificate to your keystore under the same alias name you have user earlier for the domain certificate. The command is

keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks

This will ask for your keystore password and will overwrite your existing certificate. Hope this information was helpful to you. Do share your thoughts and questions with us.