Java keystore certificates migration


Who likes to upgrade Jira? Confluence? Bitbucket? I do! But the job wouldn't be that satisfying if every step had to be done manually. One such step is migrating certificates between Java keystores. Today I want to share a script that automates this process.

When switching the application to a newly installed Java, we have to transfer the certificates that the old Java trusts from its keystore to the new one. The script below does all the work for us; I use it for every upgrade. Soon I will also prepare a post with the entire procedure I follow when upgrading an application from the Atlassian stack. The script can also be found in my repo.

#!/bin/bash
# Paths are relative to the directory the script is run from.
OLD_PATH="jdk1.8.0_261/jre/lib/security/cacerts"
NEW_PATH="jre1.8.0_281/lib/security/cacerts"
KEYTOOL="jdk1.8.0_261/jre/bin/keytool"

# Stop on the first failing keytool call or unset variable.
set -eu

mkdir -p tmpc/certs_to_import

# List the aliases of both keystores. Splitting on ", " keeps the whole alias
# (aliases such as "digicertglobalrootca [jdk]" contain a space); keeping only
# the entry lines drops the "Keystore type"/"Your keystore contains" header
# and the fingerprint lines.
"$KEYTOOL" -list -keystore "$NEW_PATH" -storepass changeit > tmpc/certs_new
awk -F', ' '/trustedCertEntry|PrivateKeyEntry/ {print $1}' tmpc/certs_new | sort > tmpc/certs_new_jdk

"$KEYTOOL" -list -keystore "$OLD_PATH" -storepass changeit > tmpc/certs_old
awk -F', ' '/trustedCertEntry|PrivateKeyEntry/ {print $1}' tmpc/certs_old | sort > tmpc/certs_old_jdk

# Aliases present in the old keystore but missing from the new one
# (comm needs sorted input, which the sort above provides).
comm -23 tmpc/certs_old_jdk tmpc/certs_new_jdk > tmpc/certs_to_export

#export certs from the old keystore:
while IFS= read -r LINE; do
    "$KEYTOOL" -export -alias "$LINE" -storepass changeit -keystore "$OLD_PATH" -file "tmpc/certs_to_import/$LINE.crt"
done < tmpc/certs_to_export

#import certs to the new keystore:
while IFS= read -r LINE; do
    "$KEYTOOL" -import -alias "$LINE" -file "tmpc/certs_to_import/$LINE.crt" -storepass changeit -keystore "$NEW_PATH" -noprompt
done < tmpc/certs_to_export

rm -rf tmpc

Time for a little explanation. First, we need to specify three variables: the path of the old keystore, the path of the new keystore and the path of the keytool. These are the standard locations. The script creates a temporary directory and files in which it saves the aliases of all certificates from both keystores. It then compares the two lists, exports from the old keystore the certificates that are missing from the new one, and imports them into the new keystore. Finally it cleans up after itself, and that's it 🙂 Have fun. If you have any questions, don't hesitate to contact me: contact [at] jiraforthepeople.com.
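After the import it is worth confirming that nothing was lost or silently changed. The check below is an added example, not part of the post or its repo: it parses two `keytool -list` listings (old and new cacerts), and reports aliases that exist in the old store but not in the new one, as well as aliases present in both whose fingerprints differ (for instance a renewed internal CA). The listings embedded in `write_samples` are constructed so the script runs without a JDK; the fingerprints in them are placeholders, not real certificate hashes.

```shell
#!/bin/bash
# Added example (not the post's script): verify a cacerts migration by
# comparing alias -> fingerprint pairs taken from two `keytool -list` outputs.

# parse_list: keytool -list output on stdin -> "alias<TAB>fingerprint", sorted.
# Splitting on ", " keeps aliases that contain spaces (e.g. "myrootca [jdk]").
parse_list() {
  awk -F', ' '
    /trustedCertEntry|PrivateKeyEntry|SecretKeyEntry/ { alias = $1; next }
    /^Certificate fingerprint/ { fp = $0; sub(/^.*: /, "", fp); print alias "\t" fp }
  ' | LC_ALL=C sort
}

# missing_aliases OLD NEW: aliases in the OLD parsed list absent from NEW.
# FILENAME is compared instead of NR==FNR so an empty NEW list still works.
missing_aliases() {
  awk -F'\t' 'FILENAME == ARGV[1] { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$2" "$1"
}

# changed_fingerprints OLD NEW: aliases in both lists whose fingerprint differs.
changed_fingerprints() {
  awk -F'\t' 'FILENAME == ARGV[1] { fp[$1] = $2; next } ($1 in fp) && fp[$1] != $2 { print $1 }' "$2" "$1"
}

# check_migration OLD_LISTING NEW_LISTING: returns 0 when every old alias is in
# the new store with an identical fingerprint, 1 otherwise (problems on stdout).
check_migration() {
  local old new missing changed rc
  rc=0
  old=$(mktemp); new=$(mktemp)
  parse_list < "$1" > "$old"
  parse_list < "$2" > "$new"
  missing=$(missing_aliases "$old" "$new")
  changed=$(changed_fingerprints "$old" "$new")
  rm -f "$old" "$new"
  if [ -n "$missing" ]; then printf 'MISSING in new keystore:\n%s\n' "$missing"; rc=1; fi
  if [ -n "$changed" ]; then printf 'FINGERPRINT CHANGED:\n%s\n' "$changed"; rc=1; fi
  return "$rc"
}

# write_samples DIR: constructed listings in keytool -list format. Fingerprints
# are placeholders. Old store: three entries; new store: same DigiCert root,
# a renewed corp-internal-ca (different fingerprint), no jira-proxy, one extra root.
write_samples() {
  cat > "$1/old.txt" <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

corp-internal-ca, Feb 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 11:11:11:11
digicertglobalrootca [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22
jira-proxy, Mar 3, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 33:33:33:33
EOF
  cat > "$1/new.txt" <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

corp-internal-ca, Feb 2, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 44:44:44:44
digicertglobalrootca [jdk], Aug 25, 2016, trustedCertEntry,
Certificate fingerprint (SHA-256): 22:22:22:22
letsencryptisrgx1 [jdk], Jan 5, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 55:55:55:55
EOF
}

# Demo run on the constructed listings (no Java needed). With a real JDK, feed
# it `keytool -list -storepass changeit -keystore <cacerts> > old.txt` instead.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_migration "$demo_dir/old.txt" "$demo_dir/new.txt" || echo "migration incomplete (see above)"
rm -rf "$demo_dir"
```

On the constructed data the check reports `jira-proxy` as missing and `corp-internal-ca` as changed and exits non-zero; run against the real old and new cacerts right after the import loop, a clean exit means every trusted certificate made it across unchanged.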

2 Comments
  1. I tested this recently and was able to avoid exporting and importing certs by copying the lib/security/cacerts file from the old JDK to the new JDK. Do you see any problems with that, apart from not having any newer certs in the new JDK?

    1. Hey, thank you for the comment. Yes, the main reason for exporting/importing certificates is to have them all in one place and to have their newest versions. Of course, if you have custom certificates added, you want to keep them. But you should consider at least two cases:
      – sometimes with a Jira upgrade there are some new certificates added to the cacerts file. You don't want to overwrite them,
      – sometimes the Java which you are switching to could already be in use by other applications. You need to keep these certs as well.
      So not having the newest certificates is the only problem with overwriting cacerts, but in my opinion it's enough to do import/export instead of copying the entire file.
