WSO2 API Manager : Renewing Self Signed Certificate with the same private key

Shehani Rathnayake
3 min readJan 22, 2021

WSO2 API Manager ships with a default keystore named wso2carbon.jks, stored in the <PRODUCT_HOME>/repository/resources/security directory. This keystore holds private/public key pairs and certificates used for authentication and data encryption. However, every certificate has a validity period, and once a certificate expires you must renew it to keep the product operating smoothly.

If you have used a self-signed certificate, you can follow the steps below to renew it while keeping the same private key.

Let’s first find the PrivateKeyEntry of the keystore (wso2carbon.jks) with the following command.

keytool -list -keystore wso2carbon.jks | grep PrivateKeyEntry

It shows the alias, wso2carbon, in the output as below.

extract the privatekeyentry

Then let’s list the certificate details for the alias found above.

keytool -list -keystore wso2carbon.jks -alias wso2carbon -v

It lists the corresponding certificate details as follows, including the validity period of the certificate.

Certificate Details

Next, extract the private key belonging to the expired certificate from the keystore with the following commands.

keytool -importkeystore -srckeystore wso2carbon.jks -destkeystore wso2carbon.p12 -deststoretype PKCS12 -srcalias wso2carbon

openssl pkcs12 -in wso2carbon.p12 -nodes -nocerts -out oldPrivateKey.pem

This writes the private key to the current directory as oldPrivateKey.pem.

Let’s create the new self-signed certificate from the extracted private key with the following command.

openssl req -x509 -new -nodes -key oldPrivateKey.pem -sha256 -days 1024 -out newCertificate.pem

In this step you can reuse the following details of the expired certificate when creating the new one.

Details of the expired certificate

You can see the steps of creating the new certificate in the following image.

Creating new self signed certificate

Then we need to import the new certificate into wso2carbon.jks under the same PrivateKeyEntry alias, “wso2carbon”.

keytool -import -keystore wso2carbon.jks -file newCertificate.pem -alias wso2carbon

You can see the new certificate by listing the keystore entry with alias wso2carbon using the following command.

keytool -list -v -keystore wso2carbon.jks -alias wso2carbon

Then we need to update the client-truststore with the public key. For that, let’s export the public key (the certificate) with the following command.

keytool -export -alias wso2carbon -keystore wso2carbon.jks -file publicKey.pem

As you can see in the following image, the public key is saved to a file with the given name.

Extracting public key from keystore

Delete the existing alias from the client-truststore with the following command.

keytool -delete -alias wso2carbon -keystore client-truststore.jks

Then import the extracted public key into the client-truststore under the wso2carbon alias as follows.

keytool -import -alias wso2carbon -file publicKey.pem -keystore client-truststore.jks

Importing public key to client-truststore

That’s it! You have renewed the SSL certificate stored in the keystore wso2carbon.jks while keeping the same private key, and added the corresponding public key to the client-truststore.jks file.
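The certificate-creation and verification part of the procedure above, as an added shell example that is not part of the original post: it starts from the already extracted oldPrivateKey.pem, re-issues the self-signed certificate with the old subject carried over automatically, and checks that the new certificate matches the same private key and will remain valid before it is imported into wso2carbon.jks. It needs only the openssl CLI; the file names and the subject used in demo_renewal are assumptions.

```shell
# Added example (not code from the original post): after oldPrivateKey.pem has been
# extracted as shown above, re-issue the self-signed certificate for that key with
# the old certificate's subject carried over, and check that the new certificate
# belongs to the same key and stays valid before it goes into wso2carbon.jks.
# Needs only the openssl CLI; file names and the demo subject are assumptions.
set -u

# SHA-256 fingerprint of the public key belonging to a private key file.
pubkey_fp_from_key() {
  openssl pkey -in "$1" -noout 2>/dev/null || return 1
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
# The same fingerprint taken from a certificate, so the two can be compared.
pubkey_fp_from_cert() {
  openssl x509 -in "$1" -noout 2>/dev/null || return 1
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}
# Succeeds only if the certificate's public key is the pair of the private key
# (the reason keytool accepts the import under the existing alias).
key_matches_cert() {
  local a b
  a=$(pubkey_fp_from_key "$1") || return 1
  b=$(pubkey_fp_from_cert "$2") || return 1
  [ "$a" = "$b" ]
}
# Succeeds only if the certificate is still valid DAYS days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
# renew_selfsigned KEY OLD_CERT NEW_CERT [DAYS]: the subject is copied from
# OLD_CERT through a temporary CSR instead of being retyped at the req prompts.
renew_selfsigned() {
  local key="$1" old_cert="$2" new_cert="$3" days="${4:-1024}" csr="$3.csr"
  openssl x509 -in "$old_cert" -x509toreq -signkey "$key" -out "$csr" 2>/dev/null || return 1
  openssl x509 -req -in "$csr" -signkey "$key" -days "$days" -sha256 -out "$new_cert" 2>/dev/null || return 1
  rm -f "$csr"
  key_matches_cert "$key" "$new_cert" && cert_valid_for_days "$new_cert" 30
}
# Walk-through on a throwaway key and a one-day certificate constructed here,
# standing in for the expiring wso2carbon entry.
demo_renewal() {
  local d rc=1; d=$(mktemp -d) || return 1
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/oldPrivateKey.pem" 2>/dev/null
  openssl req -x509 -new -key "$d/oldPrivateKey.pem" -sha256 -days 1 \
    -subj "/C=LK/O=WSO2/OU=APIM/CN=localhost" -out "$d/expiring.pem" 2>/dev/null
  if renew_selfsigned "$d/oldPrivateKey.pem" "$d/expiring.pem" "$d/newCertificate.pem" 1024 &&
     [ "$(openssl x509 -in "$d/expiring.pem" -noout -subject)" = "$(openssl x509 -in "$d/newCertificate.pem" -noout -subject)" ]
  then rc=0; fi
  rm -rf "$d"; return "$rc"
}
```

Run key_matches_cert against oldPrivateKey.pem and newCertificate.pem before the keytool -import step; if it fails, the key that was extracted is not the one the certificate was issued for.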
