Renew Self Signed Certificate in WSO2 products in 1 minute

Prabod Dunuwila
Nov 22, 2024


Recently, when I was setting up a WSO2 server, I observed that the server certificates in the wso2carbon.jks were expired. So when I was searching the web for how to update these certificates, I found this article [1] with all the steps required.

Since there are multiple steps involved in renewing the server certificates in the wso2carbon.jks and updating the same certificates in the client-truststore.jks of the <PRODUCT_HOME>/repository/resources/security directory, I came up with this script, which will:

  1. Check Keystore Existence:
    - Verifies if the keystore file (wso2carbon.jks) exists, exits if not found.
  2. Extract Alias:
    - Searches for the alias wso2carbon in the keystore and confirms its presence.
  3. Retrieve Certificate Details:
    - Extracts certificate details (Owner attributes like CN, OU, O, L, ST, C, and email address) from the existing keystore.
  4. Extract Private Key:
    - Converts the keystore to a PKCS12 format (wso2carbon.p12).
    - Extracts the private key into a PEM file (oldPrivateKey.pem) using openssl.
  5. Generate New Certificate:
    - Creates a new self-signed certificate (newCertificate.pem) using the extracted private key and the original certificate’s details (Owner attributes).
  6. Import New Certificate into Keystore:
    - Replaces the existing certificate in the keystore with the new one while maintaining the same alias (wso2carbon).
  7. Verify Updated Keystore:
    - Lists and displays the updated certificate in the keystore to confirm the changes.
  8. Extract Public Key:
    - Exports the public key associated with the alias to a file (publicKey.pem).
  9. Update Client Truststore:
    - Deletes the old alias from the client truststore (client-truststore.jks), if present.
    - Imports the new public key into the client truststore under the same alias.
  10. Completion Message:
    - Outputs a success message indicating the SSL certificate has been successfully updated.

So in order to renew the wso2carbon.jks and the client-truststore.jks, copy them to a separate folder, and copy the script to the same folder. Then give the script execute permission using chmod +x update_cert.sh

Then you can execute the update_wso2_keystores.sh, and it will update the wso2carbon.jks and the client-truststore.jks.

So, simply by executing the script, you have renewed the wso2carbon.jks and added the corresponding public key to the client-truststore.jks.
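The ten steps listed above, written out as one shell script. This is an added example, not the author's script: the function names (dn_to_subj, kt, renew), the KS_PASS and DAYS variables and the `renew` argument are choices made here, and it assumes both stores are copies in the current directory that share one password (the WSO2 default unless KS_PASS is set).

```bash
#!/bin/sh
# Added example, not the author's script. Assumes wso2carbon.jks and
# client-truststore.jks are in the current directory and share one password,
# read from KS_PASS (falls back to the WSO2 default).
set -eu
KS=wso2carbon.jks; TS=client-truststore.jks; ALIAS=wso2carbon
DAYS=${DAYS:-365}                       # validity of the new certificate (assumed)
export KS_PASS="${KS_PASS:-wso2carbon}"

# keytool prints the Owner DN most-specific RDN first (CN=..., ..., C=US);
# openssl -subj takes /C=.../CN=..., so reverse the order to keep the same DN.
# Assumes attribute values contain no escaped commas or slashes.
dn_to_subj() {
  printf '%s\n' "$1" | awk -F', ' '{
    s = ""
    for (i = NF; i >= 1; i--) { sub(/^EMAILADDRESS=/, "emailAddress=", $i); s = s "/" $i }
    print s
  }'
}

# Pass the store password through the environment instead of argv.
kt() { keytool "$@" -storepass:env KS_PASS; }

renew() {
  umask 077                                            # new files: owner only
  trap 'rm -f wso2carbon.p12 oldPrivateKey.pem' EXIT   # never leave the key behind
  [ -f "$KS" ] || { echo "$KS not found" >&2; return 1; }              # step 1
  kt -list -keystore "$KS" -alias "$ALIAS" >/dev/null ||
    { echo "alias $ALIAS not found in $KS" >&2; return 1; }            # step 2
  owner=$(kt -list -v -keystore "$KS" -alias "$ALIAS" |
          sed -n 's/^Owner: //p' | head -n 1)                          # step 3
  [ -n "$owner" ] || { echo "no Owner line for $ALIAS" >&2; return 1; }
  keytool -importkeystore -noprompt -srckeystore "$KS" -srcalias "$ALIAS" \
    -srcstorepass:env KS_PASS -destkeystore wso2carbon.p12 \
    -deststoretype PKCS12 -deststorepass:env KS_PASS                   # step 4
  openssl pkcs12 -in wso2carbon.p12 -nocerts -nodes \
    -passin env:KS_PASS -out oldPrivateKey.pem
  openssl req -x509 -new -key oldPrivateKey.pem -sha256 -days "$DAYS" \
    -subj "$(dn_to_subj "$owner")" -out newCertificate.pem             # step 5
  kt -importcert -noprompt -keystore "$KS" -alias "$ALIAS" \
    -keypass:env KS_PASS -file newCertificate.pem                      # step 6
  kt -list -v -keystore "$KS" -alias "$ALIAS" |
    sed -n '/^Owner:/p; /^Valid from:/p'                               # step 7
  kt -exportcert -rfc -keystore "$KS" -alias "$ALIAS" -file publicKey.pem  # step 8
  kt -delete -keystore "$TS" -alias "$ALIAS" >/dev/null 2>&1 || true   # step 9
  kt -importcert -noprompt -keystore "$TS" -alias "$ALIAS" -file publicKey.pem
  echo "SSL certificate for $ALIAS updated in $KS and $TS"             # step 10
}

if [ "${1:-}" = "renew" ]; then renew; fi
```

The unencrypted private key (oldPrivateKey.pem) and the intermediate wso2carbon.p12 exist only for the duration of the run and are created with owner-only permissions.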

References

[1] https://shehanir.medium.com/wso2-api-manager-renewing-self-signed-certificate-with-same-private-key-a9f0f72520cd
