
I would like to know if it is possible to generate a new certificate with the same public key (for a private key) and change the order of the attributes in the Issuer / Subject string?

It is about an old server system that is working with "self signed" certificates. They are stored & used in JKS files (Private Key on server, Public Key shared to all clients). The last update of the keys happened last year. As it turned out one of the consuming client applications can't handle the new certificates, because of the order of the attributes in the Subject/Issuer string.

Like "C=XX, O=MyOrganization, OU=MyOrganizationalUnit, CN=myCommonName" is OK
vs "CN=myCommonName, OU=MyOrganizationalUnit, O=MyOrganization, C=XX" is not OK.

In the short term, it is NOT possible to update the consuming client application to make it compatible with the “new” string format. Therefore, the only option would be to have a new JKS with a public key certificate that is for the current private key, but with a different order of the attributes in the Subject/Issuer string.

We cannot simply generate a new pair for the system, as there are a lot of clients already running with the public key (and are able to handle it correctly).

Is it somehow possible to create a new trust store JKS with the public key certificate and an updated order of the attributes in the Subject/Issuer string?

The Keytool commands seem to not allow this?

    Yes, it is possible to create a new certificate that contains the same information as another certificate except the order of the components of the subject is different. As far as I know, keytool can be used in this process. Commented Apr 3, 2024 at 20:05

1 Answer


When you use keytool to create your .jks file, it will prompt you for each piece of information and then store it all in the standard order that is not working for you. However, you can manually enter the Distinguished-Name Information by giving it as a string when creating the .jks file with the keytool command.

keytool -selfcert -dname "C=XX, O=MyOrganization, OU=MyOrganizationalUnit, CN=myCommonName" -alias existingAlias -keystore /path/to/existingKeystore.jks

3 Comments

But that won't use/share the already existing public key as required for this Q. Instead use keytool -selfcert -alias existing -dname "in order". Since OP probably wants to keep both certs available, do this on a copied keystore or at least a copied entry/alias. Also be aware keytool both parses -dname AND displays in -list -v (or -printcert) the 'LDAP' order, which is the reverse of the order physically in the cert.
Thanks. I'll update my message. When you say "displays in reverse order", what do you mean? If I do a -dname "C=XX, O=MyOrg" and then do a -list -v, it shows as Issuer: C=XX, O=MyOrg.
I mean it's actually in the cert as (for your new example) organization then country; see an ASN.1 tool like openssl asn1parse or lapo.it/asn1js or use Wireshark to capture and display a TLS 1.2 or below handshake using it. As I indicated, Java reverses it on input and output, so the output matches the input, but is not what other programs may see.
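An added illustration of the ordering point discussed in the answer and these comments (this is not code from the question, the answer or the commenters, and it does not call keytool): a minimal pure-Python DER encoder/decoder for an X.500 Name that shows the physical RDN order inside the certificate next to the reversed "LDAP" string order that keytool parses on -dname input and prints on -list -v output. The attribute OIDs are the standard ones for C, O, OU and CN, the DN strings are the two from the question, and single-valued RDNs with no escaped commas are assumed.

```python
"""Wire order versus keytool string order for an X.500 Name.

Constructed example using only the standard library. Assumes single-valued RDNs
and attribute values that contain no escaped commas.
"""

# Standard attribute-type OIDs for the four components used in the question.
OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
SHORT = {v: k for k, v in OIDS.items()}


def _len(n):
    # DER definite length: short form below 128, long form otherwise.
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted):
    # Base-128 OID encoding; first two arcs share one byte.
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _decode_oid(b):
    arcs = [b[0] // 40, b[0] % 40]
    v = 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def encode_name(rdns):
    """rdns: list of (attr, value) in the order they physically appear in the cert
    (Name ::= SEQUENCE OF RDN, RDN ::= SET OF AttributeTypeAndValue)."""
    body = b""
    for attr, value in rdns:
        atv = _tlv(0x30, _tlv(0x06, _oid(OIDS[attr])) + _tlv(0x0C, value.encode("utf-8")))
        body += _tlv(0x31, atv)  # one single-valued SET per RDN
    return _tlv(0x30, body)


def decode_name(der):
    """Return the RDNs in physical (wire) order; accepts UTF8String or PrintableString."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        _, atv, _ = _read_tlv(rdn, 0)  # single-valued RDN assumed
        _, oid, q = _read_tlv(atv, 0)
        vtag, val, _ = _read_tlv(atv, q)
        assert vtag in (0x0C, 0x13), "expected UTF8String or PrintableString"
        dotted = _decode_oid(oid)
        rdns.append((SHORT.get(dotted, dotted), val.decode("utf-8")))
    return rdns


def parse_dname(s):
    """Parse a keytool/RFC 2253 style string ("CN=a, O=b, C=c") into physical order.
    The string lists the most specific RDN first, so the wire order is the reverse."""
    parts = [p.strip().split("=", 1) for p in s.split(",")]
    return [(k.strip(), v.strip()) for k, v in reversed(parts)]


def physical_order(rdns):
    """What openssl asn1parse or a packet capture shows: first RDN first."""
    return ", ".join(f"{k}={v}" for k, v in rdns)


def ldap_order(rdns):
    """What keytool -list -v / -printcert shows: the reverse of the wire order."""
    return ", ".join(f"{k}={v}" for k, v in reversed(rdns))


def names_equal(der_a, der_b):
    """Compare two encoded Names as RDN sequences. Order is significant in X.500, so a
    DN with its components reversed is a different name, not a formatting variant."""
    return decode_name(der_a) == decode_name(der_b)


if __name__ == "__main__":
    ok_for_client = "C=XX, O=MyOrganization, OU=MyOrganizationalUnit, CN=myCommonName"
    not_ok = "CN=myCommonName, OU=MyOrganizationalUnit, O=MyOrganization, C=XX"
    for s in (ok_for_client, not_ok):
        der = encode_name(parse_dname(s))
        print("dname given to keytool :", s)
        print("physically in the cert :", physical_order(decode_name(der)))
        print("keytool -list -v shows :", ldap_order(decode_name(der)))
        print()
    print("same name?", names_equal(encode_name(parse_dname(ok_for_client)),
                                    encode_name(parse_dname(not_ok))))
```

Running it shows why the comment says the cert contains "organization then country" for the -dname "C=XX, O=MyOrg": the string is reversed on input, the same reversal is applied on output, and only a tool that decodes the DER (openssl asn1parse, Wireshark) exposes the wire order. The names_equal check is also the comparison a client should make: two DNs whose components are in different orders are different names, which is the situation the legacy client is tripping over.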
