WSO2 API Manager : Renewing Self Signed Certificate with the same private key
WSO2 API Manager ships with a default keystore named wso2carbon.jks, stored in the <PRODUCT_HOME>/repository/resources/security directory. It holds private/public key pairs and certificates used for TLS, authentication and data encryption. Every certificate has a validity period, and once it expires you must renew it to keep clients, other nodes and internal components talking to the server.
If the certificate is self-signed, the following steps renew it while keeping the same private key, so nothing that depends on the key itself (as opposed to the certificate) has to change.
First find the PrivateKeyEntry in wso2carbon.jks with the following command (keytool prompts for the keystore password on each of these commands; it is wso2carbon in a stock installation):
keytool -list -keystore wso2carbon.jks | grep PrivateKeyEntry
The output shows the entry's alias, wso2carbon.
Then list the certificate details for that alias:
keytool -list -keystore wso2carbon.jks -alias wso2carbon -v
This prints the corresponding certificate details, including the validity period ("Valid from ... until"), which is how you confirm that the certificate has expired or is about to.
Next extract the private key from the keystore. Only the certificate expires; the key itself is still good and is what we want to reuse. keytool cannot write a bare private key, so first convert the entry into a PKCS12 keystore and then dump the key with OpenSSL:
keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.p12 -deststoretype PKCS12 -srcalias wso2carbon
openssl pkcs12 -in wso2carbon.p12 -nodes -nocerts -out oldPrivateKey.pem
This writes the private key, unencrypted because of -nodes, to oldPrivateKey.pem in the current directory. Restrict its permissions, and delete it together with wso2carbon.p12 once the renewal is done.
Create the new self-signed certificate from the extracted private key with the following command:
openssl req -x509 -new -nodes -key oldPrivateKey.pem -sha256 -days 1024 -out newCertificate.pem
OpenSSL prompts for the subject fields (country, state, organization, common name and so on). Answer them with the values from the expired certificate's subject shown in the -v listing above so the identity stays the same, and choose -days according to your rotation policy (1024 days is used here).
The following image shows the prompts for creating the new certificate.
Then import the new certificate into wso2carbon.jks under the existing PrivateKeyEntry alias, wso2carbon. Because that alias already holds a private key, keytool treats the file as a certificate reply: it replaces the old certificate only if the public key in newCertificate.pem matches the stored key, and otherwise fails with "Public keys in reply and keystore don't match" (which is what you would see if the certificate had been created with a freshly generated key instead of oldPrivateKey.pem).
keytool -import -keystore wso2carbon.jks -file newCertificate.pem -alias wso2carbon
Confirm the new validity period by listing the entry again:
keytool -list -v -keystore wso2carbon.jks -alias wso2carbon
Then update client-truststore.jks, which holds the trusted copy of this certificate. Export the certificate from the keystore (keytool exports the certificate, which carries the public key, rather than a bare public key; without -rfc the file is DER-encoded despite the .pem name, which keytool accepts on import):
keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publicKey.pem
As the following image shows, the certificate is saved to a file with the given name.
Delete the existing (expired) entry from client-truststore.jks with the following command:
keytool -delete -alias wso2carbon -keystore client-truststore.jks
Then import the exported certificate under the wso2carbon alias:
keytool -import -alias wso2carbon -file publicKey.pem -keystore client-truststore.jks
That's it. The certificate stored under the wso2carbon alias in wso2carbon.jks has been renewed with the same private key, and client-truststore.jks now trusts the new certificate. Restart the server for the change to take effect, and distribute the exported certificate to every other truststore that held the old one (other nodes in a cluster, and any client that pinned the previous certificate), because they will keep rejecting the renewed certificate until they do.
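The whole procedure as one script, added here as an example and not code from the original post or from WSO2. It assumes keytool (JDK) and openssl are on PATH and, unless overridden through the environment, the stock WSO2 alias, file names and password wso2carbon; WORKDIR is this script's own scratch directory. It goes one step beyond the post: instead of retyping the subject at the openssl req prompts it re-signs the old certificate with its own key (openssl x509 -signkey), which carries the subject and extensions such as the SAN over unchanged and refreshes only the validity and serial number, and it finishes with a before/after check that the public key really is the same. Its demo mode builds a throwaway keystore/truststore pair with an already-expired certificate (constructed data) to exercise the flow.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: renew a self-signed
# certificate in a JKS keystore while keeping its private key, refresh the
# client truststore, and verify the result. Assumes keytool (JDK) and openssl
# on PATH; alias, file names and the password "wso2carbon" are the stock WSO2
# values, overridable via the environment. WORKDIR is this script's own idea.
set -eu

KEYSTORE="${KEYSTORE:-wso2carbon.jks}"
TRUSTSTORE="${TRUSTSTORE:-client-truststore.jks}"
ALIAS="${ALIAS:-wso2carbon}"
STOREPASS="${STOREPASS:-wso2carbon}"
KEYPASS="${KEYPASS:-$STOREPASS}"
DAYS="${DAYS:-1024}"
WORKDIR="${WORKDIR:-./renewal-work}"

# SHA-256 of a certificate's PEM public key: identical before and after the
# renewal exactly when the private key was really reused.
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the certificate itself (old and new must differ).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

export_cert() {  # $1 = keystore, $2 = output PEM file
  keytool -exportcert -rfc -keystore "$1" -storepass "$STOREPASS" \
    -alias "$ALIAS" -file "$2"
}

renew_certificate() {
  local old new
  mkdir -p "$WORKDIR" && chmod 700 "$WORKDIR"   # an unencrypted key lands here

  # 1. Keep the expiring certificate for the before/after comparison.
  export_cert "$KEYSTORE" "$WORKDIR/old.pem"

  # 2. JKS -> PKCS12 -> unencrypted PEM key. PKCS12 wants store and key
  #    passwords equal, so both are set to STOREPASS on the destination.
  keytool -importkeystore -srckeystore "$KEYSTORE" -srcstorepass "$STOREPASS" \
    -srcalias "$ALIAS" -srckeypass "$KEYPASS" -destkeystore "$WORKDIR/key.p12" \
    -deststoretype PKCS12 -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
  # Old JDKs wrap the key with RC2/3DES, which OpenSSL 3 reads only with -legacy.
  openssl pkcs12 -in "$WORKDIR/key.p12" -passin "pass:$STOREPASS" -nocerts -nodes \
      -out "$WORKDIR/oldPrivateKey.pem" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$WORKDIR/key.p12" -passin "pass:$STOREPASS" \
      -nocerts -nodes -out "$WORKDIR/oldPrivateKey.pem"
  chmod 600 "$WORKDIR/oldPrivateKey.pem"

  # 3. Re-sign the old certificate with its own key: subject and extensions
  #    (SAN, key identifiers) carry over; validity and serial are refreshed.
  openssl x509 -in "$WORKDIR/old.pem" -signkey "$WORKDIR/oldPrivateKey.pem" \
    -sha256 -days "$DAYS" -set_serial "0x$(openssl rand -hex 8)" \
    -out "$WORKDIR/newCertificate.pem"

  # 4. Import under the PrivateKeyEntry alias: keytool treats it as a
  #    certificate reply and rejects it unless the public key matches.
  keytool -importcert -noprompt -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    -keypass "$KEYPASS" -alias "$ALIAS" -file "$WORKDIR/newCertificate.pem"
  export_cert "$KEYSTORE" "$WORKDIR/renewed.pem"

  # 5. Replace the trusted copy in the client truststore.
  keytool -delete -alias "$ALIAS" -keystore "$TRUSTSTORE" \
    -storepass "$STOREPASS" 2>/dev/null || true
  keytool -importcert -noprompt -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -file "$WORKDIR/renewed.pem"

  # 6. Verify: same key as before, and the new certificate is valid now.
  old="$(pubkey_fingerprint "$WORKDIR/old.pem")"
  new="$(pubkey_fingerprint "$WORKDIR/renewed.pem")"
  [ "$old" = "$new" ] || { echo "public key changed during renewal" >&2; return 1; }
  openssl x509 -in "$WORKDIR/renewed.pem" -noout -checkend 0 >/dev/null ||
    { echo "renewed certificate is not currently valid" >&2; return 1; }
  rm -f "$WORKDIR/oldPrivateKey.pem" "$WORKDIR/key.p12"
  echo "renewed $ALIAS in $KEYSTORE and updated $TRUSTSTORE"
}

# Throwaway keystore/truststore pair holding an already-expired self-signed
# certificate (constructed demo data). Prints the directory it created.
demo_setup() {
  local d
  d="$(mktemp -d)"
  keytool -genkeypair -storetype JKS -keystore "$d/wso2carbon.jks" \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias "$ALIAS" \
    -keyalg RSA -keysize 2048 -dname "CN=localhost, O=WSO2, C=US" \
    -ext "SAN=dns:localhost" -startdate -400d -validity 365 >/dev/null 2>&1
  export_cert "$d/wso2carbon.jks" "$d/old.pem" >/dev/null 2>&1
  keytool -importcert -noprompt -storetype JKS -keystore "$d/client-truststore.jks" \
    -storepass "$STOREPASS" -alias "$ALIAS" -file "$d/old.pem" >/dev/null 2>&1
  echo "$d"
}

case "${1:-}" in
  renew) renew_certificate ;;
  demo)  d="$(demo_setup)"
         KEYSTORE="$d/wso2carbon.jks" TRUSTSTORE="$d/client-truststore.jks"
         WORKDIR="$d/work"
         renew_certificate ;;
esac
```

Run `bash renew.sh demo` to exercise it on the throwaway pair, or `bash renew.sh renew` from <PRODUCT_HOME>/repository/resources/security against the real files (back them up first). The unencrypted key exists only inside WORKDIR and is deleted at the end, and the re-signed certificate is given a fresh random serial so that two certificates with the same issuer never share one.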