I have a self-signed cert for my linux email server exim. To enable my Java functions to access this email server via GlassFish, I originally issued:

我的 linux 电子邮件服务器 exim 有一个自签名证书。为了让我的 Java 函数能够通过 GlassFish 访问这个电子邮件服务器，我最初发布了：

# keytool -importcert -v -noprompt -alias mail.mycompany.com -file /path/to/mail.mycompany.com.der -keystore /path/to/config/cacerts.jks -storepass changeit
Certificate was added to keystore

This worked fine, until the certificate expired. I had to create a new self-signed cert, and now Java gives the error PKIX path validation failed … path does not chain with any of the trust anchors.

这工作正常，直到证书过期。我不得不创建一个新的自签名证书，现在 Java 给出了错误PKIX path validation failed … path does not chain with any of the trust anchors.

To attempt to fix this, I derived a new mail.mycompany.com.derfile from the new exim cert (as done originally). But when I issue the above keytool command (as done originally), it gives error Certificate not imported, alias <mail.mycompany.com> already exists.

为了尝试解决这个问题，我mail.mycompany.com.der从新的 exim 证书中派生了一个新文件（如最初所做的那样）。但是当我发出上面的 keytool 命令（如最初所做的那样）时，它给出了错误Certificate not imported, alias <mail.mycompany.com> already exists.

I think the problem is that I can't use that same keytool command. I need to use a different one that doesn't add the cert to the keystore, but updates the cert already there with a newer version. Anyone can point me in the right direction for that command?

我认为问题是我不能使用相同的 keytool 命令。我需要使用不同的证书，它不会将证书添加到密钥库，而是使用较新的版本更新已经存在的证书。任何人都可以为该命令指出正确的方向吗？

As an aside, is there some automated process that I'm missing? That is, cert's expire all the time... does that mean IT admins need to always update the keystore with the new certs manually using code like this? Or, can this be automated somehow?

顺便说一句，是否有一些我遗漏的自动化过程？也就是说，证书一直都在过期……这是否意味着 IT 管理员需要始终使用这样的代码手动使用新证书更新密钥库？或者，这可以以某种方式自动化吗？