Renew an Expired CA Signed Certificate

All digital certificates have a validity period, and most clients and servers check the certificate expiry. Once a certificate has expired it is no longer accepted as valid, and the client-server communication fails at the SSL/TLS handshake. It is important to plan certificate renewal ahead of time; neglecting this can eventually lead to a catastrophic situation such as a major service outage.

Checking the validity period of the certificate.

This can be done in a couple of ways.

  1. If you have a public-facing hostname, use https://www.sslshopper.com/ssl-checker.html and provide the hostname of your server. SSL Shopper will list all the information about the server certificate.
  2. If you are using a Java keystore, view the certificate information with the following keytool command. The command will prompt for the keystore password.
    keytool -list -keystore <keystore_name.jks> -alias <cert_alias> -v

    This will display the certificate information in a human readable text. The validity period will be displayed as follows.

    Valid from: Sun Jun 18 19:26:25 IST 2017 until: Sat Jun 19 19:26:25 IST 2027
  3. If you have the certificate file, you can use the openssl command below.
    openssl x509 -in <certname.cer> -text -noout

    The validity period will be displayed as follows.

    Validity
                Not Before: Jun 18 13:56:25 2017 GMT
                Not After : Jun 19 13:56:25 2027 GMT
  4. If it is a website, you can even view the certificate information from the browser itself. All major browsers provide this capability.

If the certificate is already expired or about to expire, the next step should be to generate a Certificate Signing Request (CSR) and get a new certificate generated from the CA.

Generating a certificate signing request.

To generate a CSR, you can use one of the following.

  1. If you have a Java keystore, use the following command. It generates a CSR for the key pair already stored under that alias, so the existing private key is kept.
     keytool -certreq -alias <cert_alias> -file <CSR.csr> -keystore <keystore_name.jks>
  2. If you have the existing certificate (the public key) and the matching private key as files, use the following. It builds the CSR from the subject and public key of the existing certificate and signs it with the private key.
    openssl x509 -x509toreq -in <cert_name.crt> -out <CSR.csr> -signkey <private_key.key>

The generated CSR should be submitted to your certificate authority to get a new CA-signed certificate. You can try this out for free with http://www.getacert.com/signacert.html.

Importing the new certificate to a keystore.

Once you receive the CA-signed certificate, and if you are using a JKS, import the new certificate into the keystore. When importing the certificate, make sure to import it under the alias that already holds the public certificate; keytool then treats the file as a CA reply for that key entry instead of creating a separate trusted-certificate entry. The command is as follows.

keytool -import -v -trustcacerts -alias <current_alias> -file <ca_signed_cert.cer> -keystore <keystore_name.jks>

If you view the certificate using the keytool command, it should display the renewed certificate.

A few points to keep in mind. When renewing the certificate, use the same CA you used when you first got the public certificate. If you use a different CA for the renewal, you will also have to import the new CA's root certificate and intermediate certificates into the keystore and into the clients' trust stores.

If the CA's certificate is not in the keystore, you will get the following error when trying to import the CA-signed certificate into the keystore. Therefore make sure to import the CA certificate and the intermediate certificates into the keystore first, in the correct order (root first, then each intermediate, each under its own alias).

keytool error: java.lang.Exception: Failed to establish chain from reply
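As an added example (not from the original post), the two checks discussed above done with Go's standard crypto/x509 package: DaysLeft reports the remaining validity of a certificate, and VerifyChain shows that a leaf cannot be chained when its issuing CA is absent from the trust set, which is the same condition behind the keytool error. MakeTestChain builds a constructed CA and server certificate so the code runs offline; all function names and certificate names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// DaysLeft: whole days (truncated) until the DER cert's Not After at 'now', plus an expired flag.
func DaysLeft(der []byte, now time.Time) (days int, expired bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, false, err
	}
	return int(cert.NotAfter.Sub(now).Hours() / 24), now.After(cert.NotAfter), nil
}

// VerifyChain builds the leaf's chain to the given root CA (nil = CA not present); a missing
// or wrong CA fails here, the condition behind keytool's "Failed to establish chain from reply".
func VerifyChain(leafDER, caDER []byte, now time.Time) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool() // empty pool: no fallback to system roots
	if ca, perr := x509.ParseCertificate(caDER); perr == nil {
		roots.AddCert(ca)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now})
	return err
}

// MakeTestChain: constructed root CA plus a CA-signed server cert expiring in 'days' days (fixture only).
func MakeTestChain(days int) (caDER, leafDER []byte, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(10, 0, 0)}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "server.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(0, 0, days), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	if caDER, err = x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey); err == nil {
		leafDER, err = x509.CreateCertificate(rand.Reader, leaf, ca, &leafKey.PublicKey, caKey)
	}
	return caDER, leafDER, err
}
```

A leaf that still has days left but whose CA is not in the pool fails VerifyChain with "certificate signed by unknown authority", while an expired leaf fails even with the right CA present; both are worth alerting on before the handshake does.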

Hope this helps 🙂
