...


To generate the keystore you will need one of the toolkits for the SSL/TLS protocol. You can use any of them; our examples use openssl [1].
Depending on the format of your certificate, different steps are needed. The format can be identified by the file extension. The most common ones are presented below.
In every case you will need two files: one containing the certificate and one containing the certificate's private key.

  • CER, PEM (.cer, .pem)

    Code Block
    languagetext
    openssl pkcs12 -export -out {path_to_created_keystore_file} -in {certificate_file_path} -inkey {key_file_path} -name {certificate_alias} -noiter -nomaciter

...


    Code Block
    languagepowershell
    titleWindows example
    openssl pkcs12 -export -out C:\MyDirectory\keystore.p12 -in C:\MyDirectory\certificate.cer -inkey C:\MyDirectory\certificate.key -name xflicstat -noiter -nomaciter


    Code Block
    languagebash
    titleLinux example
    openssl pkcs12 -export -out /home/mydirectory/keystore.p12 -in /home/mydirectory/certificate.cer -inkey /home/mydirectory/certificate.key -name xflicstat -noiter -nomaciter


  • DER (.der)

...

    Code Block
    languagetext
    1. Create intermediate .pem file from .der file:
    openssl x509 -inform der -in {certificate_file_path} -out {created_pem_file}
    2. Create keystore from intermediate .pem file
    openssl pkcs12 -export -out {path_to_created_keystore_file} -in {created_pem_file} -inkey {key_file_path} -name {certificate_alias} -noiter -nomaciter


    Code Block
    languagepowershell
    titleWindows example
    openssl x509 -inform der -in C:\MyDirectory\certificate.der -out C:\MyDirectory\intermediate.pem
    openssl pkcs12 -export -out C:\MyDirectory\keystore.p12 -in C:\MyDirectory\intermediate.pem -inkey C:\MyDirectory\certificate.key -name xflicstat -noiter -nomaciter


    Code Block
    languagebash
    titleLinux example
    openssl x509 -inform der -in /home/mydirectory/certificate.der -out /home/mydirectory/intermediate.pem
    openssl pkcs12 -export -out /home/mydirectory/keystore.p12 -in /home/mydirectory/intermediate.pem -inkey /home/mydirectory/certificate.key -name xflicstat -noiter -nomaciter


  • P7B (.p7b)

...


    Code Block
    languagetext
    1. Create intermediate .cer file from .p7b file
    openssl pkcs7 -print_certs -in {certificate_file_path} -out {intermediate_cer_file}
    2. Create keystore from intermediate .cer file
    openssl pkcs12 -export -out {path_to_created_keystore_file} -in {intermediate_cer_file} -inkey {key_file_path} -name {certificate_alias} -noiter -nomaciter

...


    Code Block
    languagepowershell
    titleWindows example
    openssl pkcs7 -print_certs -in C:\MyDirectory\certificate.p7b -out C:\MyDirectory\intermediate.cer
    openssl pkcs12 -export -out C:\MyDirectory\keystore.p12 -in C:\MyDirectory\intermediate.cer -inkey C:\MyDirectory\certificate.key -name xflicstat -noiter -nomaciter


    Code Block
    languagebash
    titleLinux example
    openssl pkcs7 -print_certs -in /home/mydirectory/certificate.p7b -out /home/mydirectory/intermediate.cer
    openssl pkcs12 -export -out /home/mydirectory/keystore.p12 -in /home/mydirectory/intermediate.cer -inkey /home/mydirectory/certificate.key -name xflicstat -noiter -nomaciter


Remarks:

  • In every case you will be prompted for a password. This password should be put under the SSL_KEYSTORE_PASSWORD key in xflicstat.cfg

...

  • {path_to_created_keystore_file} should be the path that you put under the SSL_KEYSTORE key in xflicstat.cfg

...

  • {certificate_alias} should be the name that you put under the SSL_KEYSTORE_KEY_ALIAS key in xflicstat.cfg

...

  • If you are migrating from 5.x settings, then {certificate_file_path} is the path to the previously used certificate, defined as SSL_CERTIFICATE_FILE in the old xflicstat.cfg

...

  • If you are migrating from 5.x settings, then {key_file_path} is the path to the previously used certificate key, defined as SSL_CERTIFICATE_KEY_FILE in the old xflicstat.cfg
  • On Windows you can sometimes get the "openssl unable to write 'random state'" error. It happens because openssl could not access the C:\.rnd file. You can either gain access to that file or change the value of RANDFILE, the environment variable that stores the path to the .rnd file. RANDFILE should contain the path to a file that you have access to. In PowerShell it can be changed with:
Code Block
languagepowershell
$env:RANDFILE="C:\directory_i_own\.rnd"
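
Checks worth running around the commands above, as an added example that is not part of the original page: confirm that the certificate and private key belong together before packing them, then confirm that the finished keystore opens with the intended password and holds the alias that goes under SSL_KEYSTORE_KEY_ALIAS. The function names, the KS_PASS variable and the throwaway self-signed certificate are assumptions made for the example; the certificate and key are expected in PEM form.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. KS_PASS is an assumed variable name; reading the
# password with env: keeps it off the command line.

# Succeeds only if the PEM certificate and the private key hold the same public key.
cert_matches_key() {    # usage: cert_matches_key <cert.pem> <key.pem>
    _c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    _k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$_c" ] && [ "$_c" = "$_k" ]
}

# Succeeds only if the keystore opens with $KS_PASS and contains a certificate
# whose friendlyName (the -name value) equals the given alias exactly.
keystore_has_alias() {  # usage: keystore_has_alias <keystore.p12> <alias>
    openssl pkcs12 -in "$1" -passin env:KS_PASS -nokeys 2>/dev/null |
        awk -v a="$2" '/^ *friendlyName: / { sub(/^ *friendlyName: /, "")
                                             if ($0 == a) ok = 1 }
                       END { exit !ok }'
}

# Constructed sample input: a throwaway self-signed certificate, a second unrelated
# key, and a keystore built with the page's command. The page's -noiter/-nomaciter
# flags set the encryption and MAC iteration counts to 1, so the password gets no
# key stretching.
make_demo_keystore() {  # usage: make_demo_keystore <empty_dir>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
        -keyout "$1/certificate.key" -out "$1/certificate.cer" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl pkcs12 -export -out "$1/keystore.p12" -in "$1/certificate.cer" \
        -inkey "$1/certificate.key" -name xflicstat -noiter -nomaciter \
        -passout env:KS_PASS
}

export KS_PASS='constructed-demo-password'
d=$(mktemp -d) && make_demo_keystore "$d"
cert_matches_key "$d/certificate.cer" "$d/certificate.key" && echo "certificate.key: matches"
cert_matches_key "$d/certificate.cer" "$d/other.key"       || echo "other.key: does NOT match"
keystore_has_alias "$d/keystore.p12" xflicstat             && echo "alias xflicstat: present"
keystore_has_alias "$d/keystore.p12" wrong_alias           || echo "alias wrong_alias: absent"
rm -rf "$d"
```

For a .der or .p7b certificate, run `cert_matches_key` on the intermediate file produced in step 1 of the corresponding section.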


Annotations:

[1] On many Linux distributions it is available by default. On Windows you will probably need to install it. The installer can be compiled from sources (git://git.openssl.org/openssl.git) or downloaded from one of the providers (https://wiki.openssl.org/index.php/Binaries)