Renewing a certificate

A Thawte certificate is only valid for one year, meaning you'll need to renew the certificate. Here's a step-by-step on how to do that.

Richard Dallaway, Spiral Arm Ltd.

May 2006

Knowing you need to renew

You'll probably get an email from Thawte warning you that your certificate is to expire some months in advance. If you also use the Ant task I mentioned in the original article, you'll know you'll need to renew because runing the task will produce output like this:

richard@hotdog:sloppy $ ant -f etc/build.xml sign
Buildfile: etc/build.xml

  [signjar] Signing Jar : sloppy.jar
  [signjar] Warning: The signer certificate has expired.

Total time: 3 seconds

How to renew

The first thing to know is that you can't renew the certificate. What you actually do is create a new signing request. Here's how...

1. Login

Login to manage your personal email certificates, via - don't both trying to access this view the "Renew" links on the Thawte site. You'll be asked to login to view this page using your Thawte ID and password.

Under the "expired" message, follow the link to "request another".

2. Select certificate type

A window will appear offering two options. You want to press the "test" button that is under the "Developers of New Security Applications ONLY" heading.

3. Certificate types

The next window to show up will list the certificates that are available for request. Select the "Paste-in CSR Certificate Enrollment" option and press the "test" button.

4. Configure name

On the Configure Certificate Name, I just pressed the "next" button.

5. Email address

Configure the email address by ticking the email address you're presented with, and press "next".

6. Extranet

For me, the next page (Extranet capabilities) only offered a "next" button, so I pressed it. This presented me with some configuration options, but I selected the defaults.

7. Paste in request

Now it's time to paste in the new certificate request. I recommend creating a new alias for your renewal and running the following command:

$ keytool -genkey -keyalg RSA -keystore keystore -alias myalias2
Enter keystore password:  trustno1
What is your first and last name?
Imporant: see below on where this value comes from:
  [Unknown]:  pkYkVLLYF7us 
  at is the name of your organizational unit?
  [Unknown]:  sloppy
What is the name of your organization?
What is the name of your City or Locality?
  [Unknown]:  Brighton
What is the name of your State or Province?
  [Unknown]:  E. Sussex
What is the two-letter country code for this unit?
  [Unknown]:  GB
Is CN=pkYkVLLYF7u, OU=sloppy,, L=Brighton,
    ST=E. Sussex, C=GB correct?
  [no]:  yes

Enter key password for <myalias2>
        (RETURN if same as keystore password):  trustno1

The really important part here is that the first and last name you enter must be the "CommonName" show as item 2 of this Thawte screen (shown right).

Now export your signing request to a text file:

keytool -certreq -keystore keystore -file renew.txt -alias myalias2
The file renew.txt will look something like this...

...and this is the value you paste into the Thawte text box and press next button.

8. Confirm

You will now see a confirmation screen. Press the "finish" button.

9. Finished

Your request will be submitted to Thawte and you will see a confirmation screen. You will receive a confirmation via email that your request has been submitted, and some time later (probably minutes) you'll have confirmation that your request has been processed and your certificate is ready to download.

10. Download

You don't have to wait for the email. You can go to the status page and view the deails for the certificate: when it's down click on the Fetch button to download the client.

You'll get a page full that looks like this:

Copy all text between BEGIN PKCS #7 SIGNED DATA and the END part, including those parts and save to a file, maybe called mycert2.cert.

11. Import your certificate

You'll probably need to "fix" the certificate:

java -jar thawtecleaner.jar mycert2.cert

Then import the certificate:

$ keytool -import -file mycert2.cert.clean -alias myalias2 -trustcacerts -keystore keystore 
Enter keystore password:  trustno1
Certificate reply was installed in keystore

If you get an error, such as java.lang.Exception: Input not an X.509 certificate, you should check the Thawte support documents (here and here). Also make sure you're running the command import command with the right paths to keystore.

12. Sign your applicaiton

We can now re-run out signijng command, but ensure that we've changed the alias. E.g., in your build.xml file:

<target name="sign">
	<signjar keystore="keystore"
		jar="sloppy.jar" alias="myalias" storepass="trustno1"/>

Finally run the signing command:

$ ant -f etc/build.xml sign
Buildfile: etc/build.xml

  [signjar] Signing Jar : sloppy.jar

Total time: 2 seconds

Congratulations! Your application is signed.

renew.html,v 1.3 2006/04/24 11:16:53 richard Exp