Converting PEM keystores to Build Forge keystores

PEM keystores received from a Certificate Authority can be converted into keystores for use with Build Forge.

Download the unrestricted policy files for your SDK. This prerequisite applies only if your key size is too large for the restricted policy files. Download the files from https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=jcesdk&lang=en_US&S_PKG=142ww.
Note: You must use the keytool utility provided by IBM.

If you have a set of PEM files from a Certificate Authority, you must use them to create a set of OpenSSL and JSSE keystores for Build Forge.

  1. Include Build Forge tool directories in your PATH.
    • <bfinstall>/openssl
    • <bfinstall>/ibmjdk/bin for Windows
    • <bfinstall>/server/ibmjdk/bin for UNIX or Linux
    For UNIX and Linux, include the following directory in LD_LIBRARY_PATH:
    <bfinstall>/openssl
  2. Convert the PEM files into a PKCS12 keystore.

    Use the following command:

    openssl pkcs12
            -export
            -name "buildforge"
            -out buildForgeKeyStore.p12
            -inkey <key.pem>
            -passin pass:<pempassword>
            -in <crt.pem>
            -password pass:<bfpassword>

  3. Verify that the certificate has been added and can be read.
    keytool -v
            -list
            -keystore buildForgeKeyStore.p12
            -storepass <bfpassword>
            -storetype pkcs12

    If you get an error about an invalid key size, download unrestricted policy files. Use the directions at the beginning of this section.

  4. Export the public certificate.

    In a command window, go to <bfinstall>/keystore, and then run this command:

    keytool -export
            -alias buildforge
            -file cert.der
            -keystore buildForgeKeyStore.p12
            -storepass <bfpassword>
            -storetype pkcs12
    • The certificate is stored in file cert.der.
    • Use the same <bfpassword> that was specified for keystores during installation. Otherwise you need to change the configuration.
  5. Create the truststore and import the public certificate.

    In a command window, go to <bfinstall>/keystore, then run this command:

    keytool -import
            -noprompt -trustcacerts
            -alias buildforge
            -file cert.der
            -keystore buildForgeTrustStore.p12
            -storepass <bfpassword>
            -storetype pkcs12
  6. Put the public client certificate in buildForgeCert.pem.

    In a command window, go to <bfinstall>/keystore, and then run this command:

    openssl pkcs12 -clcerts -nokeys
            -in buildForgeKeyStore.p12
            -passin pass:<bfpassword>
            -out buildForgeCert.pem
  7. Put the certificate and keys in buildForgeKey.pem.

    In a command window, go to <bfinstall>/keystore, and then run this command:

    openssl pkcs12
            -in buildForgeKeyStore.p12
            -passin pass:<bfpassword>
            -passout pass:<bfpassword>
            -out buildForgeKey.pem
  8. Create the PEM Certificate Authority buildForgeCA.pem.
    1. Download the CA root certificate to <bfinstall>/keystore.
      It is named CARootCert.crt. It needs to be added to your PEM keystores and can be imported into buildForgeTrustStore.p12.
    2. In a command window, go to <bfinstall>/keystore, and then run these commands:
      cat CARootCert.crt > buildForgeCA.pem
      keytool -import -noprompt -v -trustcacerts
              -alias "CA Root"
              -file CARootCert.crt
              -keystore buildForgeTrustStore.p12
              -storepass <bfpassword>
              -storetype pkcs12
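The openssl conversions from steps 2, 6 and 7, wrapped in shell functions with a consistency check the page does not include, as an added example (not from the Build Forge documentation). It assumes openssl is on PATH (step 1) and uses -passout where the page uses -password (openssl pkcs12 accepts both); the function names and verify_pem_set are my own, and the keytool steps are not covered.

```shell
#!/bin/sh
# Added example: the openssl steps (2, 6, 7) of the procedure above plus a
# check that the resulting PEM files belong together. Assumes openssl on PATH.
set -eu

# Step 2: PEM key + certificate -> PKCS12 keystore with alias "buildforge".
# Arguments: key.pem pempassword crt.pem bfpassword out.p12
make_p12() {
    openssl pkcs12 -export -name "buildforge" \
        -inkey "$1" -passin "pass:$2" -in "$3" \
        -out "$5" -passout "pass:$4"
}

# Step 6: public client certificate only, no private key.
# Arguments: keystore.p12 bfpassword out.pem
export_cert_pem() {
    openssl pkcs12 -clcerts -nokeys -in "$1" -passin "pass:$2" -out "$3"
}

# Step 7: certificate plus the private key, still password-protected.
# Arguments: keystore.p12 bfpassword out.pem
export_key_pem() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -passout "pass:$2" -out "$3"
}

# Consistency check (not on the page): the certificate in the cert-only file
# must match the one bundled with the key, and the certificate's public key
# must match the private key; otherwise Apache rejects the pair at startup.
# Prints the certificate fingerprint and returns 0 when everything matches.
# Arguments: buildForgeCert.pem buildForgeKey.pem bfpassword
verify_pem_set() {
    c1=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
    c2=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ "$c1" = "$c2" ] || { echo "certificate mismatch" >&2; return 1; }
    pk_cert=$(openssl x509 -in "$1" -noout -pubkey)
    pk_key=$(openssl pkey -in "$2" -passin "pass:$3" -pubout)
    [ "$pk_cert" = "$pk_key" ] || { echo "key/cert mismatch" >&2; return 1; }
    echo "$c1"
}
```

Run it from <bfinstall>/keystore with the page's file names, for example `make_p12 key.pem <pempassword> crt.pem <bfpassword> buildForgeKeyStore.p12`, then `verify_pem_set buildForgeCert.pem buildForgeKey.pem <bfpassword>` after steps 6 and 7.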
Build Forge uses a password-protected PEM keystore, buildForgeKey.pem. The Apache server prompts for the password during startup.
If you do not want to be prompted for a password during startup, then generate a PEM keystore that is not password-protected and have the Apache server use it. The following command is an example.
openssl rsa -in buildForgeKey.pem 
            -passin pass:<password>
            -out buildForgeKeyForApache.pem

Be sure the unprotected PEM keystore is readable by the user ID under which the Build Forge process runs, and restrict its file permissions so that no other user can read it: the private key in this file is no longer protected by a password.