Importing a CA certificate into the java keystore


Article ID: 176430


Products

ICDx

Issue/Introduction

The certificate is about to expire, and the new SSL certificate cannot be imported to keep access available to end users.

Environment

ICDx running on Ubuntu.

Resolution

a) - Renewing a CA-Signed Certificate in a Keystore:

Following are a few important points to keep in mind when you are renewing an expired certificate:

  • Use the same certificate authority that you used when you first got the public certificate. If you use a different certificate authority for certificate renewal, you will have to import the new CA-certificate as well as the intermediate certificates to the keystore and the client's trust store.

  • If the certificate authority's certificate is not in the keystore, you will get the following error when you try to import the CA-signed certificate to the keystore:

      keytool error: java.lang.Exception: Failed to establish chain from reply

    To overcome the above error, be sure to first import the CA-signed certificate as well as the intermediate certificates to the keystore in the correct order.

b) - To import a CA certificate into the Java Keystore:

  • Run the command:

      keytool -import -trustcacerts -keystore /etc/ssl/certs/java/cacerts -storepass changeit -alias Root -file <path and filename.txt>

    • NOTE: replace <path and filename.txt> with the path and filename of the CA certificate you wish to import.

c) - Expired certificate: The application certificate is stored in a keystore together with the private key. If the public certificate has expired, apply the following steps:

- Create a new certificate request using the key in the keystore.

- Send it to the internal CA to be signed.

- Import the new, renewed certificate into the keystore using the same alias as the key. It will replace the existing one.

- Restart the application.
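
The renewal steps in (c) and the chain error from (a), as an added shell example that is not part of the original article: it builds a throwaway CA and PKCS12 keystores in a temporary directory with keytool, shows the reply import failing while the CA certificate is absent, then succeeding once it is present. The aliases, DNs, file names and the `kt` and `renew_demo` helper names are assumptions; nothing touches /etc/ssl/certs/java/cacerts or an ICDx keystore.

```shell
#!/bin/sh
# Constructed demo: throwaway CA and keystores in a temp directory. Aliases,
# DNs and file names are assumptions for illustration, not ICDx values.
PASS=changeit    # demo password only

# Run keytool non-interactively with English messages; errors land on stdout.
kt() { LC_ALL=C keytool "$@" -storetype PKCS12 -storepass "$PASS" </dev/null 2>&1; }

renew_demo() {
    d=$(mktemp -d) || return 1
    ca="$d/ca.p12"; ks="$d/app.p12"
    # Stand-in for the internal CA, plus its exported certificate.
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 30 \
       -dname "CN=Demo Internal CA" -ext bc=ca:true -keystore "$ca" >/dev/null
    kt -exportcert -rfc -alias ca -keystore "$ca" -file "$d/ca.pem" >/dev/null
    # Application keystore holding the private key and its expiring certificate.
    kt -genkeypair -alias app -keyalg RSA -keysize 2048 -validity 1 \
       -dname "CN=app.example.test" -keystore "$ks" >/dev/null
    # Step 1: new certificate request from the key already in the keystore.
    kt -certreq -alias app -keystore "$ks" -file "$d/app.csr" >/dev/null
    # Step 2: the CA signs the request (done here with the demo CA's key).
    kt -gencert -rfc -alias ca -keystore "$ca" -validity 365 \
       -infile "$d/app.csr" -outfile "$d/app.pem" >/dev/null
    # Step 3, wrong order: reply imported before its issuer is in the keystore.
    early=$(kt -importcert -noprompt -alias app -keystore "$ks" -file "$d/app.pem") || true
    # Step 3, correct order: CA certificate first, then the reply on the key's alias.
    kt -importcert -noprompt -trustcacerts -alias internal-ca \
       -keystore "$ks" -file "$d/ca.pem" >/dev/null
    kt -importcert -noprompt -alias app -keystore "$ks" -file "$d/app.pem" >/dev/null
    chain=$(kt -list -v -alias app -keystore "$ks" | grep -E 'chain length|Issuer:') || true
    rm -rf "$d"
    printf 'early import: %s\n%s\n' "$early" "$chain"
}
```

Calling `renew_demo` prints the keytool error from the premature import followed by the chain length and issuer lines of the renewed entry.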

Additional Information

Renewing a CA-Signed Certificate in a Keystore - Administration Guide 4.4.x - WSO2 Documentation