Updating-Renewing self-signed CA certificate in java truststore

Question

I've built a Java app that exposes web-services to external authorized clients. The Web-services use WS-security with Certificate Authentication. Basically we act as custom Certificate Authority - we maintain a java truststore on our server and sign and add clients' certificate to it. Currently we have manual registration process that requires WS clients to upload their certificate signing request. We sign the CSR, add the certificate to our java truststore using keytool from the command line and return signed certificate along with our CA certificate to client. In turn clients use their private key to sign their soap message payload and embed signed certificate in the message. Server side decrypts the digital signature and verifies that the embedded certificate is signed and one matches our truststore before fulfilling client request.

Though little painful (because of manual labor) this setup is working fine. Now I've realized that our root CA certificate is about to expire soon and hence I'm looking to setup maintenance policy. how should I go about renewing the self-signed root CA certificate? Looks like I will have to create new and replace original. And that will impact all clients having to receive new certificate and import new CA certificate. Is that correct understanding or if there is better way to handle the situation?

If it matters, I have used openssl to generate original key-pair.

openssl req -x509 -newkey rsa:1024 -keyout cakey.pem -out cacert.pem -config openssl.cnf

Answer 1

Keeping the same private key on your root CA allows for all certificates to continue to validate successfully against the new root; all that's required of you is to trust the new root.

More info