Generating a PKCS#12 file for Certificate Authority
PKCS#12 (P12) files define an archive file format for storing cryptographic objects as a single file. API Connect supports the P12 file format for uploading a keystore and truststore. The keystore should contain both a private and public key along with intermediate CA certificates.
Before you begin
One of the following roles is required to add a key to a keystore or truststore:
- Topology Administrator
- Custom role with the Settings: Manage permissions
Before you can generate a P12 file, you must have a private key (for example: key.pem), a certificate signed by a Certificate Authority (for example: certificate.pem), and one or more certificates from the CA.
Note: If your certificate file contains more than one certificate, you must manually split the file and create a single file for each entry. Each entry must be bound by the following markers:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
1. If you have intermediate certificates from your CA, concatenate them into a single .pem file to build your caChain. Be sure to enter a new line following each certificate's data.

    cat ca1.pem ca2.pem ca3.pem > caChain.pem
    cat caChain.pem
    -----BEGIN CERTIFICATE-----
    MIIEpjCCA46gAwIBAgIQEOd26KZabjd+BQMG1Dwl6jANBgkqhkiG9w0BAQUFADCB
    ...
    lQX7CkTJn6lAJUsyEa8H/gjVQnHp4VOLFR/dKgeVcCRvZF7Tt5AuiyHY
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
    ...
    -----END CERTIFICATE-----

2. Create the P12 file including the private key, the signed certificate and the CA file you created in step 1, if applicable. Omit the -CAfile option if you don't have CA certificates to include. The following command uses OpenSSL, an open source implementation of the SSL and TLS protocols.

    openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 -CAfile caChain.pem -chain

Once the certificate file is created, it can be uploaded to a keystore.
- In the Cloud Manager, click Resources.
- Select TLS.
- Click Create in the Keystore table.
Create a Keystore and upload the certificate file following the instructions at Creating a Keystore.
- API Connect supports only the P12 (PKCS12) format file for the present certificate.
- Your P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
- Your P12 file can contain a maximum of 10 intermediate certificates.
- Click Save.
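
The shell script below is an added example, not part of the original page or of API Connect. It wraps the openssl pkcs12 command above with the checks the page implies: one certificate per file, a newline after every certificate when building caChain.pem, a private key that matches the certificate, and no more than 10 CA entries in the chain. The function names are hypothetical; it assumes OpenSSL is on the PATH and that at least one CA file is passed.

```shell
#!/bin/sh
# Added example: pre-flight checks around the page's openssl pkcs12 command.
# Function names are hypothetical; file names follow the page's examples.

# Concatenate CA files into a chain, adding the newline that plain `cat`
# would not supply when a file lacks one after its END marker.
build_chain() {
  out=$1; shift
  : > "$out"
  for f in "$@"; do
    cat "$f" >> "$out"
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
  done
}

# Number of certificate entries in a PEM file.
count_certs() { grep -c -- '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# Split a bundle into <prefix>1.pem, <prefix>2.pem, ...; prints the count.
split_bundle() {
  awk -v p="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = p n ".pem"; inside = 1 }
    inside { print > out }
    /^-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }' "$1"
}

# Succeeds only if the private key and the certificate carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: make_p12 key.pem certificate.pem certificate.p12 ca1.pem [ca2.pem ...]
make_p12() {
  key=$1; cert=$2; p12=$3; shift 3
  [ "$(count_certs "$cert")" = 1 ] || { echo "split $cert: one certificate per file" >&2; return 1; }
  key_matches_cert "$key" "$cert" || { echo "key does not match certificate" >&2; return 1; }
  build_chain caChain.pem "$@"
  n=$(count_certs caChain.pem)
  [ "$n" -le 10 ] || { echo "$n CA certificates in chain, limit is 10" >&2; return 1; }
  openssl pkcs12 -inkey "$key" -in "$cert" -export -out "$p12" -CAfile caChain.pem -chain
}

if [ "$#" -ge 4 ]; then make_p12 "$@"; fi
```

Because -chain makes OpenSSL build the chain from caChain.pem, the export fails if an intermediate is missing rather than producing an incomplete P12.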