4.2.2.1 Configuring a Keystore

This section provides information on how to configure a keystore with a trusted certificate and private key.

These instructions assume that you have the following:

  • A private key for the certificate in PEM (Privacy Enhanced Mail) format. In the example this private key is named private-key.pem.

  • An X.509 trusted certificate configured with an FQDN (Fully Qualified Domain Name). In the example this trusted certificate is named server.crt.

  • A file containing the CA certificate chain. Both root and intermediate certificates must be present. In the example this file is named ca.crt.

  1. Convert the X.509 certificate and private key to pkcs12 format:

    $ openssl pkcs12 -export -chain -in server.crt -inkey private-key.pem -out server.p12 -name amc-server -CAfile ca.crt
    Enter Export Password: <export-password>
    Verifying - Enter Export Password: <export-password>

  2. Convert the pkcs12 file to a keystore.

    Execute the following command, making sure that the keystore-password, key-password and alias-name values match the HTTP configuration settings; see 4.2.2.3 HTTP TLS Properties.

    $ keytool -importkeystore \
        -deststorepass <keystore-password> -destkeypass <key-password> \
        -destkeystore container.keys -srckeystore server.p12 \
        -srcstoretype PKCS12 -srcstorepass <export-password> -alias <alias-name>

    You can now use the keystore file: container.keys.
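
A pre-flight check for the three input files, to run before step 1 (an added example, not part of the original documentation; the function names are hypothetical). It confirms that private-key.pem belongs to server.crt and that ca.crt holds the root and intermediates the `-chain` option needs, assuming the private key is not passphrase-protected.

```sh
#!/bin/sh
# Added example: pre-flight checks for the input files used in steps 1 and 2.
# Function names are hypothetical; file names follow the page's example.

# Succeeds only if the private key and the certificate hold the same public key.
key_matches_cert() {    # usage: key_matches_cert private-key.pem server.crt
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    from_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# Succeeds only if the certificate chains to a root contained in the CA file.
chain_verifies() {      # usage: chain_verifies server.crt ca.crt
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Runs both checks, reports each failure on stderr, returns 0 only if both pass.
preflight() {           # usage: preflight private-key.pem server.crt ca.crt
    rc=0
    if ! key_matches_cert "$1" "$2"; then
        echo "FAIL: $1 is not the private key for $2" >&2; rc=1
    fi
    if ! chain_verifies "$2" "$3"; then
        echo "FAIL: $2 does not verify against the chain in $3" >&2; rc=1
    fi
    return "$rc"
}

# Run directly: sh preflight.sh private-key.pem server.crt ca.crt
if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```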
