4

We have lost our original keystore used to generate the CSR during a server failure. We have a backup of the private key (.key file) and the original CSR (.csr file). Is it possible to reconstruct the keystore with those? Since all the instructions for creating the certificate chains require the original keystore.

This is for use with Tomcat 7.0.27.

Thanks

Nico Huysamen

4 Answers

3

Yes, that should be possible. But in addition to the private key you will also need the certificate (not the CSR) that was returned by the CA. The steps can be found here.

souser
3

I had the same problem with "Certificate chain length" coming up as "1". I was just beginning to lose all hope, having tried many methods, but managed to solve it by installing and using APR:

https://stackoverflow.com/a/22391211/2802916

Now the connector in server.xml looks like this:

<Connector port="443"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    SSLCertificateFile="thecertificate.cer"
    SSLCertificateKeyFile="privatekey.key"
    SSLCACertificateFile="intermediate.crt"
    SSLPassword="thePassForPrivateKey"
/>
fredrik.hjarner
2

If you have only the CSR file and have lost the certificate signed by the CA (Thawte etc.), you may send this CSR to the CA another time for signing.

Assuming you have the key and the certificate, signed by the CA, in PEM format.

Convert cert and key into PKCS#12 container:

openssl pkcs12 -export -in newcert.pem -inkey newkey.pem -out server.p12 -name test_server -caname root_ca -chain -CAfile cacert.pem

-caname, -chain and -CAfile are optional args; they add the CA chain to the container.

Tomcat supports PKCS#12 keystores, but if you want JKS, it can be created from the PKCS#12 with keytool (starting from Java 6):

keytool -importkeystore -deststorepass mypass -destkeypass mypass -destkeystore keystore.jks -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass p12pass -srcalias test_server -destalias test_server
alexkasko
  • I have tried this approach. But two things. 1, I only have the certificate signed by the CA in x509 format. And 2, I need to add two intermediate certificates from the CA. I have them bundled in a PKCS7 file, but with the chain flag (which needs to be present) I cannot create it. It complains **"Error unable to get local issuer certificate getting chain."** – Nico Huysamen Apr 11 '12 at 07:36
  • You should prepare all certificates in PEM format. For x509 DER files openssl command and notes about `-chain` is in [this answer](http://stackoverflow.com/a/10095943/314015), for pkcs7 files use `openssl pkcs7 -in file.pem -print_certs -out certs.pem`. – alexkasko Apr 11 '12 at 15:20
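Putting this answer and its comments together as one checked script (an added example, not code from the answer, from Tomcat or from the OpenSSL project): it normalises the CA's DER/PKCS#7 files to PEM, confirms the backed-up key belongs to the issued certificate, verifies the chain up to a self-signed root before calling `openssl pkcs12 -export -chain`, and counts the certificates that ended up in the container so a "chain length 1" keystore is caught before Tomcat sees it. File names, the `tomcat` alias and the `KEY_PASS` variable are assumptions of this example.

```shell
#!/bin/sh
# Rebuild a Tomcat keystore from the backed-up private key, the CA-issued
# certificate and the CA's intermediate/root bundle. Every input is checked
# before packaging so that a wrong key or an incomplete chain fails here
# rather than as "Certificate chain length 1" in Tomcat.
# File names, alias and the KEY_PASS variable are assumptions of this example.
set -eu

# Normalise whatever the CA handed out into PEM on stdout: PEM or DER
# X.509 (.cer/.crt) and PEM or DER PKCS#7 bundles (.p7b) are accepted.
to_pem() {
    if grep -q 'BEGIN PKCS7' "$1"; then openssl pkcs7 -in "$1" -print_certs
    elif grep -q 'BEGIN CERT' "$1"; then cat "$1"
    elif openssl x509 -inform DER -in "$1" 2>/dev/null; then :
    else openssl pkcs7 -inform DER -in "$1" -print_certs; fi
}

# Succeeds only if the private key is the one the certificate was issued
# for (identical SubjectPublicKeyInfo). KEY_PASS is used if the key is encrypted.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:${KEY_PASS:-}" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# build_p12 KEY CERT CHAIN OUT P12PASS [ALIAS]: writes a PKCS#12 holding the
# key, the leaf and the full chain. It refuses a non-matching key and a chain
# that does not verify up to a self-signed root, which is the situation that
# otherwise surfaces as "unable to get local issuer certificate getting chain".
build_p12() {
    to_pem "$2" > leaf.pem
    to_pem "$3" > chain.pem
    key_matches_cert "$1" leaf.pem || { echo "private key does not match certificate" >&2; return 1; }
    openssl verify -CAfile chain.pem leaf.pem >/dev/null || return 1
    openssl pkcs12 -export -in leaf.pem -inkey "$1" -passin "pass:${KEY_PASS:-}" \
        -chain -CAfile chain.pem -name "${6:-tomcat}" -out "$4" -passout "pass:$5"
}

# Number of certificates inside the PKCS#12: 1 means the chain is missing.
p12_chain_len() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERT'
}

# Tomcat can use the .p12 directly; convert to JKS only if a JKS is required.
p12_to_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" \
        -destkeystore "$3" -deststorepass "$2" -noprompt
}
```

Run as `build_p12 privatekey.key thecertificate.cer intermediates.p7b server.p12 changeit` and then `p12_chain_len server.p12 changeit`; anything below the number of certificates you expect (leaf plus intermediates plus root) means the chain file was incomplete.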
-3

Seems the only way we got it working properly was to revoke our existing certificate and renew it with a new CSR.

Nico Huysamen