SSL updates is part of routine system maintenance. I formulated the instructions in such a way that future individuals can simply adhere to them without extra thoughts.
Part 1: Update the cowpte.jks file.
Step 1: Retrieve the Certificate, Private Key, and Certificate Authority Bundle from the server, and designate them as cert.pem, key.pem, and server.ca, respectively.
| File | Name |
|---|---|
| Certificate | cert.pem |
| Private Key | key.pem |
| Certificate Authority Bundle | server.ca |
Step 2: Convert to PKCS12 format.
openssl pkcs12 -export -in cert.pem -inkey key.pem -out keystore.p12 -name server Step 3: Import into the keystore.
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks -deststoretype JKSStep 4: Convert the keystore into PKCS12 format.
keytool -list -v -keystore keystore.jksThe file named keystore.jks was renamed to cowpte.jks and substituted the old file in SpringBoot.
Part 2: Updating CA in the server trust store
As the Certificate Authority Bundle is also new, it’s necessary to import the Certificate Authority (CA) into the Java trust store on the VPS server.
keytool -import -trustcacerts -file server.ca -alias server -keystore /root/.sdkman/candidates/java/21.0.1-oracle/lib/security/cacertsIt might indicate that the alias already exists; in such a case, we can simply remove the old one.
keytool -delete -alias server -keystore /root/.sdkman/candidates/java/21.0.1-oracle/lib/security/cacertsConclusion
The current SSL certificate, which is provided automatically by the server at no cost, remains valid until 16/04/2024. The last update was performed on 05/12/2023, and this time it expires on 15/02/2024, providing only two months of validity. This short duration necessitates frequent manual updates.
I considered purchasing an SSL certificate with a longer validity period, such as 10 years, to reduce the need for manual updates. However, this option presents several challenges, including uncertainty regarding where to purchase it and how to configure it, whereas the current manual update process is straightforward.
Upon comparing the costs, the free option still proves to be more cost-effective, as frequent updates will lead to increased familiarity over time. Richard can complete the update in 2 hours, costing $80 (2 * $40).
In the future, I plan to develop a Python program to automate the tasks of updating cowpte.jks and CA after obtaining the new three files. However, this experiment will be deferred until next time.
Extra Information
Q: Why add the CA in the Java trust store?
A: The SSL certificate could be issued by a certificate authority that is not recognized or trusted by the client, known as an untrusted Certificate Authority (CA). So it’s necessary to include it in the trust store.
Q: How to verify the accurate version of the Java trust store?
A: SDKMAN manages multiple versions of Java, but it doesn’t install its own copy of Java. Instead, it provides a convenient way to install and switch between various Java versions managed by different vendors like OpenJDK, Oracle JDK, etc.
find ~/.sdkman -name cacerts
# And I get
/root/.sdkman/candidates/java/17.0.1-open/lib/security/cacerts
/root/.sdkman/candidates/java/21.0.1-oracle/lib/security/cacerts