We have our own root certificate authority, which is later used to sign the certificates for clients. We have generated the root certificate authority using the keytool command below:
keytool -genkeypair -alias endpoint -keyalg RSA -keysize 2048 -sigalg SHA256WITHRSA -validity 10950 -keypass KeyVontuStop -keystore tempkeystore.jks -storepass StoreVontuStop
Now we want to add the "BC:critical=CA:TRUE,pathlen:0" extension to the existing root CA. We cannot delete the existing rootCA and regenerate the key pair as we already have signed certificates for the client.
Do we have any option to update the existing key pair to add the extension in the .jks using keytool?
Extensions are part of TBSCertificate and hence part of the signature value.
https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.1.3
Hence, if you add/change an extension, you will have to generate the certificate again.
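Generating the certificate again does not require a new key pair. As an added example (not part of the original answer, and going one step beyond it), the following re-issues the self-signed certificate from the existing key entry with the extension from the question. The function names and the `STOREPASS`/`KEYPASS` environment variables are assumptions made here.

```shell
#!/bin/sh
# Added example: re-issue the self-signed root certificate from the SAME
# key pair so that it carries a critical BasicConstraints extension.
# Passwords come from the environment variables STOREPASS and KEYPASS
# (names assumed here) so they stay out of the process list.
reissue_root() {
    ks=$1; alias=$2
    tmp=$(mktemp -d) || return 1
    cp -p "$ks" "$ks.bak" || return 1     # keep a copy of the original keystore

    # 1. CSR from the existing key entry (subject DN and public key unchanged).
    keytool -certreq -alias "$alias" -keystore "$ks" \
        -storepass:env STOREPASS -keypass:env KEYPASS \
        -file "$tmp/root.csr" &&
    # 2. Sign that CSR with the same entry (self-sign), adding the extension.
    keytool -gencert -alias "$alias" -keystore "$ks" \
        -storepass:env STOREPASS -keypass:env KEYPASS \
        -sigalg SHA256withRSA -validity 10950 \
        -ext "BC:critical=CA:TRUE,pathlen:0" \
        -infile "$tmp/root.csr" -outfile "$tmp/root-new.cer" -rfc &&
    # 3. Install the new certificate for the existing key entry.
    #    keytool refuses if its public key differs from the stored one.
    keytool -importcert -alias "$alias" -keystore "$ks" \
        -storepass:env STOREPASS -keypass:env KEYPASS \
        -file "$tmp/root-new.cer" -noprompt
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Succeeds when the entry's certificate has a critical BasicConstraints
# extension (OID 2.5.29.19) with CA:true.
root_is_ca() {
    out=$(keytool -list -v -alias "$2" -keystore "$1" \
        -storepass:env STOREPASS 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q '2.5.29.19 Criticality=true' &&
    printf '%s\n' "$out" | grep -q 'CA:true'
}
```

Certificates already signed by this key continue to verify against the re-issued root because its key and subject DN are unchanged; any truststore that holds the old root certificate needs the new one imported in its place.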