
Is it possible to regenerate a private key in a .JKS keystore using keytool or equivalent?

I've been supplied with a certificate and a JKS keystore, but on importing the cert it looks like the private key that was used to generate the CSR has been deleted.

I can see how to create a new keystore with a new private key, but this won't then match the CSR or certificate.

Andrew M

3 Answers


No, that's the whole point of asymmetric cryptography: making it impossible to produce the private key when knowing only the public key (which is contained in the CSR and in the certificate).

If you could re-generate the private key only from the CSR or the certificate, anyone could impersonate the entity to which the certificate has been issued.

If you've lost your private key, you'll simply have to create a new key-pair, submit a new CSR and get a new certificate. Some CAs allow this sort of re-keying for free as part of their contract within the duration of the initial certificate.


EDIT: Just to clarify what a CSR is.

To apply for an X.509 certificate, you must:

  • Generate a public/private key pair. By nature, the public key can be publicly distributed, because it's not sufficient to obtain the private key (at least not in a reasonable time).
  • Submit that public key with your identity information to the Certification Authority. This can be done using:
    • A Certificate Signing Request (CSR, PKCS#10), which contains your public key and the data you would like to be in the certificate (e.g. the Subject DN you want). Although very similar to the data in a certificate, this data should mainly be used by the CA for identifying the request itself, since CAs doing their job properly should check what they put in the certificate, not just turn the CSR into a certificate blindly. The CSR itself is signed using the private key matching the public key in the certificate. It's effectively very similar to a self-signed X.509 certificate (without Issuer information and validity dates), but isn't one.
    • SPKAC or CRMF for in-browser certificate applications.
  • The CA then takes this CSR (or equivalent) and makes the necessary verification outside this process to vet the pieces of information it wants to embed in your certificate, and issues your certificate (by signing it with its own private key). It's effectively vouching for the binding between your public key (extracted from the CSR) and the information it embeds in the certificate (e.g. your name and/or the domain name for which this cert is). It sends you back this certificate.

You then have to use this certificate in conjunction with the private key matching its public key. Some tools do this using separate files, it's also possible to import the cert back against the private key entry in a keystore.

Having the CSR or the cert without the private key is of no use. You can quite easily create a new CSR again, but you'll also need to create a new key pair. The most important part of the CSR is the public key, and to have the matching private key. You can discard the CSR otherwise.

Bruno
  • Thanks Bruno - I assume therefore that having still got the original keystore that was used to generate the private key is irrelevant? – Andrew M Aug 23 '12 at 15:55
  • If you have deleted the private key entry in your keystore, it's too late. I'd double check that the private key really is no longer there, though. Generally speaking, keep backups of your keystores/private keys, from the moment you generate your key-pair for a certificate request. – Bruno Aug 23 '12 at 16:09
  • By the way, if you have to use a certificate chain, [make sure you import it all at once](http://stackoverflow.com/a/9300727/372643). – Bruno Aug 23 '12 at 23:19
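A way to check the situation Bruno describes, as an added example that is not part of the original thread: with openssl it generates a key pair and CSR, shows that neither the CSR nor the certificate contains private key material, and tests whether a given private key is the one that matches them (the check worth running before concluding the key is gone). Assumes openssl is on the PATH; the file names and the example.test subject are made up here.

```shell
# Added example, not from the original thread. Uses openssl (assumed installed) to show
# that a CSR and a certificate carry only the public key, and to check whether a given
# private key is the one that matches a CSR or certificate. File names are made up here.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Key pair and CSR in one step, as in the thread (-nodes: unencrypted key file).
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/private.key" \
        -out "$WORK/request.csr" -subj "/CN=example.test" >/dev/null 2>&1
}

# Self-signed cert from the CSR, standing in for the CA-issued one (constructed for the demo).
make_self_signed_cert() {
    openssl x509 -req -in "$WORK/request.csr" -signkey "$WORK/private.key" \
        -out "$WORK/cert.pem" -days 1 >/dev/null 2>&1
}

# SHA-256 fingerprint of the public key found in a private key, a CSR or a certificate.
pubkey_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -pubkey -noout ;;
        cert) openssl x509 -in "$2" -pubkey -noout ;;
    esac 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null \
       | openssl dgst -sha256 | awk '{print $NF}'
}

# True when private key $1 matches the public key inside the CSR or cert $3 (type in $2).
key_matches() {
    [ "$(pubkey_fp key "$1")" = "$(pubkey_fp "$2" "$3")" ]
}

# True when the file holds private key material; a CSR or certificate never does.
has_private_key() {
    grep -q -- "-----BEGIN .*PRIVATE KEY-----" "$1"
}

# True when the CSR's self-signature verifies under the public key it carries.
csr_signature_ok() {
    openssl req -in "$1" -verify -noout >/dev/null 2>&1
}

# Demo run: a second, unrelated key shows what a lost key looks like to these checks.
make_key_and_csr; make_self_signed_cert
openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
has_private_key "$WORK/request.csr" && echo "CSR holds a private key?!" || echo "CSR: public key only"
key_matches "$WORK/private.key" cert "$WORK/cert.pem" && echo "private.key matches cert.pem"
key_matches "$WORK/other.key" cert "$WORK/cert.pem" || echo "other.key does NOT match cert.pem"
```

For the JKS itself, `keytool -list -v -keystore file.jks` shows whether the alias is a PrivateKeyEntry or only a trustedCertEntry, which is the first thing to look at.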

Is it possible to regenerate a private key in a .JKS keystore using keytool or equivalent?

Yes, but regenerate the private key and CSR. The CSR is submitted to the CA where you are provided a new public key.

You can reimport to the keystore anytime using the following command:

```
keytool.exe -import -keystore "%JAVA_HOME%\jre\lib\security\cacerts" -file .\certificate.cer
```

Make sure you also import the certificate to both paths for the newer JDK releases:

```
C:\Program Files\Java\jdk1.6.0_31
```

The newer releases also deploy a separate JRE:

```
C:\Program Files\Java\jre6
```

Failure to do so may result in the following exceptions in log:

```
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

To regenerate your private key and CSR, you can use the following command:

```
$ openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out "signing request.csr" -config openssl.conf
```
Jason Huntley
  • The CSR itself, like the certificate, contains the public key, not the private key. – Bruno Aug 23 '12 at 15:40
  • The CSR is the Certificate Signing Request. You generate it just after generating your public/private key-pair, as the applicant for the certificate. There's no chain involved in the CSR itself, only in the resulting certificate issued by the CA. You don't need a CSR to generate a private key, rather you need the private key to generate the CSR (since it's signed with the private key). – Bruno Aug 23 '12 at 15:48
  • I generated the keys together for our PKI: `openssl req -new -newkey rsa:2048 -nodes -keyout private.key -out "signing request.csr" -config openssl.conf`. There was no exchanging between the two. The CSR is provided to the CA where they provide the intermediate and root certificates. – Jason Huntley Aug 23 '12 at 15:55
  • That's because `req -newkey` performs 2 operations at once: key-pair generation and subsequent CSR generation. Having the CSR file only will not help you get the private key file that you've lost. You certainly won't be able to make any use of the cert derived from the initial CSR. – Bruno Aug 23 '12 at 16:07
  • Yes, I realize that while looking back on my notes. Bruno is right, you won't get a new private key from the CSR. You will have to regenerate a new PK and CSR. Then, you should be able to resubmit the new CSR to the CA. – Jason Huntley Aug 23 '12 at 16:11

I had the same trouble (my private key was accidentally deleted from the keystore) and there was just one way to recover it: replacing the keystore file (*.jks) with a backup. So I recommend always making a backup of all files related to SSL, and if you delete anything from the keystore by mistake, just replace the file with an older one.