Question

I'm using https with Tomcat 6.x. It currently appears to be working as intended. However, a certificate used in the auth chain is about to expire. I am under the assumption that I need to update my keystore so that my host's certificate will continue to work as it is now. My host machine's cert is not expiring, nor is the root. An intermediate certificate is due to expire, and I'm seeking help with replacing it.

The first time I installed the certificate in my keystore, I had to complete the authentication chain and place all intermediate certificates in the keystore.

In my mind, I think I should be able to remove the intermediate certificate from the keystore and place the new one in, using the same alias. However, I don't know how to recreate the authentication chain and I'm worried I might inadvertently invalidate my host machine's certificate.

All certs are .cer files (base64 ASCII text files). I've read about other formats, but have only had success with the .cer file type w/ the version of Java and Tomcat on my server.

How do I do this without destroying my current, valid certificate for my host machine and/or its keystore?

If I'm not phrasing any of this clearly: I don't want to have to submit a new .csr.

Certificates involved:

  • RootCert
  • Intermediate A <-- this one is expiring
  • Intermediate B
  • HostCert

Approximation of the output from my keytool's list command:

keytool -v -list -keystore mykeystore.kdb

Keystore type: jks
Keystore provider: SUN
 
Your keystore contains 4 entries 
 
Alias name: HostCert
Entry type: keyEntry
Certificate chain length: 4
Certificate[1]:
/** Omitted for brevity: this is the HostCert**/
Certificate[2]:
/** Omitted for brevity: this is the IntermediateB**/
Certificate[3]:
/** Omitted for brevity: this is the IntermediateA**/
Certificate[4]:
/** Omitted for brevity: this is the RootCert **/
 
*******************************************
*******************************************
  
Alias name: IntermediateB
Entry type: trustedCertEntry
 
/** Omitted for brevity **/
 
*******************************************
*******************************************
 
Alias name: IntermediateA
Entry type: trustedCertEntry
 
/** Omitted for brevity **/
 
*******************************************
*******************************************
 
Alias name: RootCert
Entry type: trustedCertEntry
/** Omitted for brevity **/
 
*******************************************
*******************************************

Solution

You can do that by importing the certificate once again by specifying the alias name in your keytool command.
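
The keystore listing in the question shows IntermediateA twice: as its own trustedCertEntry and as Certificate[3] inside the HostCert key entry's chain. The following is an added example, not part of the original answer, that replaces both through the `java.security.KeyStore` API while keeping the existing private key, so no new .csr is needed. The file name `IntermediateA-new.cer` and the password `changeit` are placeholders, and it assumes the key password equals the keystore password and that the re-issued IntermediateA carries the same public key as the expiring one.

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;

// Added example: aliases come from the question; file name and password are placeholders.
public class ReplaceIntermediate {
    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();          // placeholder store and key password
        String store = "mykeystore.kdb";               // keystore name from the question
        String newCertFile = "IntermediateA-new.cer";  // hypothetical file name

        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(store);
        try { ks.load(in, pw); } finally { in.close(); }

        InputStream certIn = new FileInputStream(newCertFile);
        X509Certificate newA;
        try {
            newA = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(certIn);
        } finally { certIn.close(); }

        // Private key and current chain: [HostCert, IntermediateB, IntermediateA, RootCert]
        Key key = ks.getKey("HostCert", pw);
        Certificate[] chain = ks.getCertificateChain("HostCert");
        Certificate oldA = ks.getCertificate("IntermediateA");

        // Swap the expiring certificate wherever it appears in the chain.
        boolean swapped = false;
        for (int i = 0; i < chain.length; i++) {
            if (chain[i].equals(oldA)) { chain[i] = newA; swapped = true; }
        }
        if (!swapped) throw new IllegalStateException("IntermediateA not found in HostCert chain");

        // Refuse to write unless every link still verifies and is inside its validity period.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            c.checkValidity();
            Certificate issuer = (i + 1 < chain.length) ? chain[i + 1] : c; // root is self-signed
            c.verify(issuer.getPublicKey());
        }

        ks.setCertificateEntry("IntermediateA", newA);  // replaces the trustedCertEntry
        ks.setKeyEntry("HostCert", key, pw, chain);     // same private key, rebuilt chain

        OutputStream out = new FileOutputStream(store + ".new"); // original file is left untouched
        try { ks.store(out, pw); } finally { out.close(); }
    }
}
```

If the new IntermediateA was issued with a different key, the `verify` call on IntermediateB throws and nothing is written. Inspect `mykeystore.kdb.new` with `keytool -v -list` before pointing Tomcat at it.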

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow