Generating a PKCS#12 file for Certificate Authority

PKCS#12 (P12) files define an archive file format for storing cryptographic objects as a single file. API Connect supports the P12 file format for uploading a keystore and truststore. The keystore should contain both a private and public key along with intermediate CA certificates.

Before you begin

One of the following roles is required to add a key to a keystore or truststore:

  • Administrator
  • Owner
  • Topology Administrator
  • Custom role with the Settings: Manage permissions
Before you can generate a P12 file, you must have a private key (for example, key.pem), a certificate signed by a Certificate Authority (for example, certificate.pem), and one or more certificates from the CA.
Note: If your certificate file contains more than one certificate, you must manually split the file and create a single file for each entry. Each entry must be bound by the following markers:
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Procedure

  1. If you have intermediate certificates from your CA, concatenate them into a single .pem file to build your caChain. Be sure to enter a new line following each certificate's data.
    cat ca1.pem ca2.pem ca3.pem > caChain.pem
    cat caChain.pem
    -----BEGIN CERTIFICATE-----
    MIIEpjCCA46gAwIBAgIQEOd26KZabjd+BQMG1Dwl6jANBgkqhkiG9w0BAQUFADCB
    ...
    lQX7CkTJn6lAJUsyEa8H/gjVQnHp4VOLFR/dKgeVcCRvZF7Tt5AuiyHY
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
    ...
    -----END CERTIFICATE-----
  2. Create the P12 file including the private key, the signed certificate and the CA file you created in step 1, if applicable. Omit the -CAfile option if you don't have CA certificates to include.
    The following command uses OpenSSL, an open source implementation of the SSL and TLS protocols.
    openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 -CAfile caChain.pem -chain
    Once the certificate file is created, it can be uploaded to a keystore.
  3. In the Cloud Manager, click Resources.
  4. Select TLS.
  5. Click Create in the Keystore table.
  6. Create a Keystore and upload the certificate file following the instructions at Creating a Keystore.
    Note:
    • API Connect supports only the P12 (PKCS12) format file for the present certificate.
    • Your P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
    • Your P12 file can contain a maximum of 10 intermediate certificates.
  7. Click Save.
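
The note under "Before you begin" asks for one file per certificate entry, and the note in step 6 limits the P12 file to 10 intermediate certificates. The shell functions below are an added example, not part of the IBM procedure, that split a multi-certificate PEM file and check that limit; the function names, output file names, and sample bundle are assumptions.

```shell
#!/bin/sh
# Added example, not IBM's code. Function names, output file names and the
# sample bundle are assumptions; the payload lines are constructed placeholders.

# split_pem_bundle BUNDLE OUTDIR
# Writes every certificate in BUNDLE to OUTDIR/cert-N.pem (one entry per file,
# bounded by the BEGIN/END markers) and prints how many were written.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /^-----BEGIN CERTIFICATE-----[ \t\r]*$/ {
            n++; out = dir "/cert-" n ".pem"; inside = 1
        }
        inside { sub(/[ \t\r]+$/, ""); print > out }   # drop CRs and trailing blanks
        /^-----END CERTIFICATE-----$/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# chain_within_limit CHAIN
# Succeeds when CHAIN holds at most 10 certificates, the stated maximum for
# intermediates (assumes CHAIN contains only intermediate certificates).
chain_within_limit() {
    count=$(awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1") || return 1
    [ "$count" -le 10 ]
}

# Constructed bundle: two entries with stray text between them.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtMQ==' '-----END CERTIFICATE-----' \
        'subject=constructed comment line' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtMg==' '-----END CERTIFICATE-----' \
        > "$tmp/bundle.pem"
    split_pem_bundle "$tmp/bundle.pem" "$tmp/out"
    chain_within_limit "$tmp/bundle.pem" && echo "within limit"
    rm -rf "$tmp"
}
demo
```

Text outside the BEGIN/END markers is dropped, so each output file contains exactly one bounded entry.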