How to remove just one certificate from a certificate chain in a Java keystore

Question

I have a Tomcat server with a certificate chain for HTTPS stored in a Java keystore. The chain includes the self-signed root CA certificate. Although this is apparently ok

Answer 1

keytool -delete -alias -keystore lib/security/cacerts -storepass changeit

Answer 2

First, convert the keystore from JKS to PKCS12 (this and other commands will require password entry):

keytool -importkeystore -srckeystore old.jks -destkeystore old.p12 -deststoretype pkcs12

Next, export a PEM file with key and certs from the PKCS12 file:

openssl pkcs12 -in old.p12 -out pemfile.pem -nodes

Now simply use a text editor to edit pemfile.pem and remove the offending certificate (and its preceding "Bag Attributes").

Next, load the edited PEM file into a new PKCS12 file. You'll need to give the cert/key the appropriate keystore alias, e.g. "tomcat", at this point.

openssl pkcs12 -export -in pemfile.pem -name tomcat -out new.p12

Finally, convert back from PKCS12 to JKS:

keytool -importkeystore -srckeystore new.p12 -destkeystore new.jks -srcstoretype pkcs12

The file new.jks is what you want.