Java keystore automated renewal challenges


#1

Hello everyone, we have used your certificate creation tools to generate a manual certificate. At first, the cert lifetime is not really advertised on your site and we did not see it until after the tools were installed and the certificate was created. Unfortunately, we will not be able to automate the renewal process, because once the certificate is created, it needs to be imported into a Java keystore that requires multiple manual password inputs. Plus, the manual creation process requires the ports to be open before creating the certs, and we need to shut down 2 servers at once and restart them (web and socket server), which makes the whole process impracticable in addition to being very intrusive in production. I hope this info will give you some important insights.


Pros and cons of 90-day certificate lifetimes
#2

Does just the key need to be manually imported or the certificate too? If it would be just the key you could just re-use it and you have at least that part solved.


#3

Yes, it is both, the cert and the key… Plus the certificate needs to be exported in pkcs12 format before the keystore import. Here are the commands we use:

openssl pkcs12 -export -in cert.pem -inkey key.pem > tomcat.p12

keytool -importkeystore -srckeystore tomcat.p12 -destkeystore dest.jks -srcstoretype pkcs12

The keytool import/creation command asks to create 2 passwords, one for the key and one for the store, which is the difficult part to automate without a clear text password.
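The two commands above can be run without any interactive prompt, which is what a renewal hook needs. Added example, not code from the thread or from Let's Encrypt: both `openssl pkcs12` and `keytool` accept the password from a file (`-passout file:…` and the `-storepass:file` / `-srcstorepass:file` / `-deststorepass:file` forms), so the password never appears on the command line, where `ps` and shell history would record it. The function names, the alias `tomcat`, the `.new` staging file and the password file location are assumptions for this example; the chain argument is meant for a file such as Let's Encrypt's `fullchain.pem` and may be left empty.

```shell
#!/bin/sh
# Added example (not from the thread): non-interactive PEM -> PKCS#12 -> JKS
# refresh of a Tomcat keystore, suitable for a certificate renewal hook.
# Assumptions (not in the original post): the keystore password is the first
# line of a 0600 file, and openssl and keytool are on PATH.
set -eu

# import_to_jks CERT KEY CHAIN DEST_JKS PASSFILE ALIAS
# CHAIN may be an empty string when no intermediate chain file is available.
import_to_jks() {
    cert="$1"; key="$2"; chain="$3"; dest="$4"; passfile="$5"; alias="$6"
    tmp_p12=$(mktemp "${TMPDIR:-/tmp}/keystore.XXXXXX")

    # Build the PKCS#12 bundle. -name sets the alias keytool will see and
    # -passout file: reads the password from the file instead of a prompt.
    set -- -export -in "$cert" -inkey "$key" -name "$alias" \
        -passout "file:$passfile" -out "$tmp_p12"
    if [ -n "$chain" ]; then
        # -certfile adds the intermediates so the server presents a full chain
        set -- "$@" -certfile "$chain"
    fi
    openssl pkcs12 "$@"

    # Import into a fresh keystore beside the live one, then rename it into
    # place so a server reading the file never sees a half-written keystore.
    rm -f "$dest.new"
    keytool -importkeystore -noprompt \
        -srckeystore "$tmp_p12" -srcstoretype PKCS12 \
        -srcstorepass:file "$passfile" \
        -destkeystore "$dest.new" -deststoretype JKS \
        -deststorepass:file "$passfile" \
        -srcalias "$alias" -destalias "$alias"
    rm -f "$tmp_p12"
    mv -f "$dest.new" "$dest"
}

# keystore_has_alias DEST_JKS PASSFILE ALIAS
# Exit status 0 when the alias is present, so a hook can verify the import
# succeeded before it asks the server to reload the keystore.
keystore_has_alias() {
    keytool -list -keystore "$1" -storepass:file "$2" -alias "$3" >/dev/null 2>&1
}

# Typical use from a renewal hook (paths are placeholders):
#   import_to_jks /etc/letsencrypt/live/example.test/cert.pem \
#       /etc/letsencrypt/live/example.test/privkey.pem \
#       /etc/letsencrypt/live/example.test/chain.pem \
#       /opt/tomcat/conf/dest.jks /etc/tomcat/keystore.pass tomcat
```

The password file is still plaintext on disk, so the protection comes from file ownership and mode (readable by root and the Tomcat service account only), not from the password itself; a JKS store password only checks the file's integrity, and the key password is the one that actually protects the private key, so keep the file at least as tightly permissioned as the PEM private key. Newer Tomcat releases (8.5 and later) can also load the PEM certificate and key directly through `SSLHostConfig`, which removes the keystore step entirely.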


#4

I split this discussion into a new thread. It seems to be an issue separate from the 90 day certificate lifetime discussion. Thanks!


#5

@INF1N1T, the thread "Importing LetsEncrypt into Java and Glassfish" may well help you.


#6

@INF1N1T, in addition to the thread mentioned by @serverco on keystore inputs, you might want to know about the DNS challenge type. This is an option in some Let’s Encrypt clients to obtain certificates by setting TXT records in your DNS zone, which many DNS providers may allow you to update via an API. In this method, you do not have to shut down and restart any servers, nor open any firewall ports. If you’re able to update DNS records using an API, this option will make it more likely that you can automate your renewals.


#7

@serverco, @schoen, great I’ll look into this ASAP…


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.