NOTE: This article may be outdated.
Below are the steps required to migrate certificates from one Keystore into another:
Locate the new (Java 7) version of the keytool:
Determine the installation directory of the new (Java 7) JRE/JDK (e.g. /opt/jdk1.7.0_45/jre).
The keytool is located in the bin directory of that installation (e.g. [JRE]/bin/keytool).
Identify the location of the source ( Java 6 ) and target ( Java 7 ) keystores:
For JDK, this is typically [JDK_HOME]/jre/lib/security/cacerts
For JRE, this is typically [JRE]/lib/security/cacerts
Note: If you use an alternative keystore (e.g. a keystore shared with a web server, or a keystore specified by the system property javax.net.ssl.trustStore), then you may need to adapt the instructions below accordingly, possibly passing -storetype to keytool when referencing your keystore.
Verify that you have the correct password for both keystores:
Command: keytool -list -keystore /opt/jdk1.7.0_45/jre/lib/security/cacerts
You will be prompted for the password
The default password is "changeit"
Create a backup copy of the default certs file for your target keystore:
For example: Copy /opt/jdk1.7.0_45/jre/lib/security/cacerts to cacerts.bak
This file can be copied back in place if necessary.
Determine which certs you have added to the default Java 6 cacerts
If you kept track of the certs as you added them over time, and you know which certs you need to migrate, then this step is done. Otherwise you need to compare the certs in your Java 6 keystore against the certs distributed in the generic Java 6 distribution.
Default Java certs for several distributions are attached to this article as an HTML document.
Alternatively, you may download and install the old version of Java ( Java 6 ) and list the files yourself.
Find your Java distribution here: http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html
Download and install (may require registration with Oracle)
Look at the default certs with keytool -list -keystore [JRE]/lib/security/cacerts
Save the names (i.e. the aliases) of the certs you’ve added into a migration list (say, a spreadsheet)
Check your migration list for expired certs and remove them from your list
keytool -list -v -keystore cacerts -alias <alias>
Look at the “Valid from … until …” line
You may also want to check your certificates to see whether any certificates have been revoked.
Now add the certs ( using the aliases ) one at a time to the new ( Java 7 ) keystore:
keytool -keystore <Java 6 cacerts> -alias <alias> -export -file <cert_for_this_alias>.cert
keytool -keystore <Java 7 cacerts> -alias <alias> -import -file <cert_for_this_alias>.cert
You may need administrative privileges to run these commands.
The import may prompt you whether to trust the certificate (e.g. if it is a self-signed cert or the cert has expired). In most cases you can, but this is the point at which to make that decision.
If you are importing an intermediate cert and the import fails on establishing a certificate path, you can retry with the -trustcacerts flag.
For security reasons, you must remove the temporary .cert files created in the previous step once the imports have succeeded.
Verify that entries were copied correctly into the target Java installation.
keytool -list -rfc -keystore [JRE]/lib/security/cacerts -alias <alias>
keytool -list -v -keystore [JRE]/lib/security/cacerts -alias <alias>
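As an added example (not code from the original article), the following POSIX shell script derives the migration list from the steps above by comparing a saved keytool -list of your customised Java 6 cacerts with one of the stock distribution, and wraps the export/import pair so the temporary .cert file is always deleted. The two keystore listings it runs on are constructed samples, and the function names and file layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: build the migration list by
# diffing a saved `keytool -list` of your customised Java 6 cacerts against a
# saved `keytool -list` of the stock cacerts, then migrate each alias.
# Assumes keytool's non-verbose "<alias>, <date>, <entry type>," line format.

# list_aliases FILE: aliases of every entry in a saved `keytool -list` output
list_aliases() {
    grep -E ', (trustedCertEntry|PrivateKeyEntry),' "$1" | cut -d, -f1 | sort -u
}

# added_aliases CUSTOM STOCK: aliases present in CUSTOM that STOCK lacks
added_aliases() {
    _a=$(mktemp) ; _b=$(mktemp)
    list_aliases "$1" > "$_a"
    list_aliases "$2" > "$_b"
    comm -23 "$_a" "$_b"
    rm -f "$_a" "$_b"
}

# migrate_alias SRC DST ALIAS: the article's export/import pair (interactive
# trust prompt kept); the temporary .cert file is deleted whatever happens.
migrate_alias() {
    _tmp="$3.cert"
    keytool -keystore "$1" -alias "$3" -export -file "$_tmp" &&
        keytool -keystore "$2" -alias "$3" -import -file "$_tmp"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# Constructed sample listings (fingerprint lines abbreviated)
CUSTOM=$(mktemp) ; STOCK=$(mktemp)
printf '%s\n' 'Keystore type: JKS' 'Keystore provider: SUN' '' \
  'Your keystore contains 3 entries' '' \
  'verisignclass3ca, Jun 29, 2004, trustedCertEntry,' \
  'Certificate fingerprint (MD5): (omitted)' \
  'corp-proxy-ca, Jan 10, 2012, trustedCertEntry,' \
  'Certificate fingerprint (MD5): (omitted)' \
  'old-partner-ca, Mar 3, 2008, trustedCertEntry,' \
  'Certificate fingerprint (MD5): (omitted)' > "$CUSTOM"
printf '%s\n' 'Keystore type: JKS' 'Keystore provider: SUN' '' \
  'Your keystore contains 1 entries' '' \
  'verisignclass3ca, Jun 29, 2004, trustedCertEntry,' \
  'Certificate fingerprint (MD5): (omitted)' > "$STOCK"

echo "Aliases to migrate (check expiry with keytool -list -v -alias first):"
added_aliases "$CUSTOM" "$STOCK"
# e.g. migrate_alias <Java 6 cacerts> <Java 7 cacerts> corp-proxy-ca
```

If an import fails while building the certificate path, retry the import with -trustcacerts as the article describes.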
Some of your processes may encounter a new error such as:
First document failure: [Server.userException] javax.net.ssl.SSLProtocolException: handshake alert: unrecognized_name;
To resolve this, in the atom.vmoptions, add the line