4.3.2 Configuring a Keystore

This section describes how to configure a keystore with a trusted certificate and private key.

The instructions below assume that you have the following:

  • A private key for the certificate in PEM (Privacy Enhanced Mail) format. In the example this private key is named private-key.pem.
  • An X.509 trusted certificate configured with an FQDN (Fully Qualified Domain Name). In the example this trusted certificate is named server.crt.
  • A file containing the CA certificate chain. Both root and intermediate certificates must be present. In the example this file is named ca.crt.


  1. Convert the X.509 certificate and private key to PKCS12 format:

    $ openssl pkcs12 -export -chain -in server.crt -inkey private-key.pem -out server.p12 -name amc-server -CAfile ca.crt
    Enter Export Password: <export-password>
    Verifying - Enter Export Password: <export-password>


  2. Convert the PKCS12 file to a keystore.

    Execute the following command, making sure that the keystore-password and key-password match the HTTP configuration settings; see 4.3.1 HTTP Configuration Properties. The entry was named amc-server in step 1, so it is selected with -srcalias and stored under the keystore alias given with -destalias.

    $ keytool -importkeystore \
     -deststorepass <keystore-password> -destkeypass <key-password> \
     -destkeystore container.keys -srckeystore server.p12 \
     -srcstoretype PKCS12 -srcstorepass <export-password> \
     -srcalias amc-server -destalias platform

    Note!

    The default keystore alias for the certificate is platform, but it can be reconfigured; see 4.3.1 HTTP Configuration Properties. If it has been reconfigured, change the alias in the command above accordingly.

    You can now use the keystore file, container.keys, as described in the section Setting Up with an Existing Keystore File.
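
The script below is an added example, not part of the original documentation. It checks the three input files assumed at the top of this section before step 1 and confirms the imported entry after step 2. The function names, the KS_PASS variable and the host name amc.example.com are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the product documentation). File names follow this
# page; function names, KS_PASS and the sample host name are assumptions.

# Succeeds when the private key ($2) belongs to the certificate ($1).
# Assumes an unencrypted PEM key; an encrypted one makes openssl prompt.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate ($1) chains to the CA bundle ($2), which is
# what "pkcs12 -export -chain" in step 1 needs in order to build the chain.
chain_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds when the certificate ($1) is valid for the host name ($2).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Succeeds when the keystore ($1) holds a private-key entry under alias ($2).
# The password is read from the KS_PASS environment variable so that it does
# not appear in the process list or the shell history.
keystore_has_key() {
    keytool -list -keystore "$1" -alias "$2" -storepass:env KS_PASS 2>/dev/null |
        grep -q 'PrivateKeyEntry'
}

# Runs the three input checks before step 1 and reports the first failure.
preflight() {  # $1 = cert, $2 = key, $3 = CA bundle, $4 = FQDN
    key_matches_cert "$1" "$2" || { echo "key does not match $1" >&2; return 1; }
    chain_verifies "$1" "$3"   || { echo "$1 does not chain to $3" >&2; return 1; }
    cert_covers_host "$1" "$4" || { echo "$1 is not valid for $4" >&2; return 1; }
}

# Usage: preflight server.crt private-key.pem ca.crt amc.example.com
#        keystore_has_key container.keys platform   # with KS_PASS exported
```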