
We have our own root certificate authority, which is used to sign the certificates for the agents connected to our server. We generated the root certificate authority using the keytool command as below:

`keytool -genkeypair -alias endpoint -keyalg RSA -keysize 2048 -sigalg SHA256WITHRSA -validity 10950 -keypass KeyVontuStop -keystore tempkeystore.jks -storepass StoreVontuStop`

Now we want to add the `BC:critical=CA:TRUE,pathlen:0` extension to the existing root CA. We cannot delete the existing root CA and regenerate the key pair, as we already have signed certificates for the client.

Do we have any option to update the existing key pair to add the extension in the .jks using keytool?

mentallurg
  • As far as I remember in `openssl` you first generate the key pair and then generate the certificates. On superuser.com and the internet there should be plenty of posts about using openssl to create a CA. – Robert Apr 01 '22 at 14:51
  • We cannot use openssl. We need a solution using Java. – Ravindra12jan Apr 06 '22 at 09:13
  • Keytool is also not Java, it is a native program included in the JDK. If you want a real Java solution use Java code, but that would be a question for stackoverflow.com. – Robert Apr 06 '22 at 11:45

2 Answers

2

Cross-Signing

If you create a new root certificate with the same subject name and the same public key as your existing root certificate, then you can use this certificate to cross-sign your leaf certificates. This will make it possible for you to migrate to the new root certificate, without having to issue new leaf certificates, and without breaking the trust path from these leaf certificates to your existing certificate.

See What could cause classic "ERR_CERT_DATE_INVALID" when I can confirm no error from numerous other clients? for more info.

mti2935
1

Briefly: you cannot.

The certificate of the root CA is self-signed. To trust your root CA, clients have installed it on their side. If you modify it, it will differ from what the clients trust, and thus will no longer be trusted by them.

What you can do instead: issue a new root certificate and ask clients to install it as a trusted certificate. After all of them have installed it, revoke the old certificate.

mentallurg
  • Issuing a new root would have been the simplest approach, but we cannot ask customers to redeploy the truststore on every agent connected to the server. We are trying the solution where we generate a new root certificate with the same key pair so that the already issued client certificates will remain valid. – Ravindra12jan Apr 04 '22 at 10:30
  • Any root certificate is **self-signed**. To make any **root** certificate trusted, it needs to be installed on the client. For the same public key you can generate a new certificate. But to make it trusted, it needs to be installed on the client side. There is no other way. – mentallurg Apr 04 '22 at 15:37