PKCS#12 (P12) files define an archive file format for storing cryptographic objects as a
single file. API Connect
supports the P12 file format for uploading a keystore and truststore. The keystore should contain
both a private and public key along with intermediate CA certificates.
Before you begin
One of the following roles is required to add a key to a keystore or truststore:
- Administrator
- Owner
- Topology Administrator
- Custom role with the Settings: Manage permissions
Before you can generate a P12 file, you must have a private key (for example, key.pem), a
certificate signed by a Certificate Authority (for example, certificate.pem), and one or more
certificates from the CA.
Note: If your certificate file contains more than one
certificate, you must manually split the file and create a single file for each entry. Each entry
must be bound by the following markers:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Procedure
- If you have intermediate certificates from your CA, concatenate them into a single .pem file to
build your caChain. Be sure to enter a new line following each certificate's data.
cat ca1.pem ca2.pem ca3.pem > caChain.pem
cat caChain.pem
-----BEGIN CERTIFICATE-----
MIIEpjCCA46gAwIBAgIQEOd26KZabjd+BQMG1Dwl6jANBgkqhkiG9w0BAQUFADCB
...
lQX7CkTJn6lAJUsyEa8H/gjVQnHp4VOLFR/dKgeVcCRvZF7Tt5AuiyHY
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
...
-----END CERTIFICATE-----
- Create the P12 file including the private key, the signed certificate and the CA file you
created in step 1, if applicable. Omit the -CAfile option if you don't have CA certificates to
include.
The following command uses OpenSSL, an open source implementation of the SSL and TLS protocols.
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 -CAfile caChain.pem -chain
Once the certificate file is created, it can be uploaded to a keystore.
- In the Cloud Manager, click Resources.
- Select TLS.
- Click Create in the Keystore table.
- Create a Keystore and upload the certificate file following the instructions at Creating a Keystore.
Note:
- API Connect supports only the P12 (PKCS12) file format for the present certificate.
- Your P12 file must contain the private key, the public certificate from the Certificate
Authority, and all intermediate certificates used for signing.
- Your P12 file can contain a maximum of 10 intermediate certificates.
- Click Save.
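The requirements stated in the notes above (one certificate per file, exact BEGIN/END markers, a new line after each certificate, at most 10 intermediate certificates) can be checked on the PEM files before the P12 file is created. The following shell functions are an added example, not part of the API Connect documentation; split_bundle and check_chain are hypothetical helper names, and the certificate bodies in the demo are constructed placeholders.

```shell
#!/bin/sh
BEGIN_MARK='-----BEGIN CERTIFICATE-----'
END_MARK='-----END CERTIFICATE-----'

# split_bundle FILE PREFIX: write each certificate in FILE to PREFIX1.pem,
# PREFIX2.pem, ... and print the number of files written.
split_bundle() {
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v p="$2" '
    { sub(/\r$/, "") }                      # tolerate CRLF line endings
    $0 == b { n++; out = p n ".pem"; inside = 1 }
    inside  { print > out }
    $0 == e && inside { inside = 0; close(out) }
    END     { print n + 0 }' "$1"
}

# check_chain FILE [MAX]: return 0 if FILE holds 1..MAX (default 10) entries with
# exact markers, each on its own line; otherwise print the reason and return 1.
check_chain() {
  awk -v b="$BEGIN_MARK" -v e="$END_MARK" -v max="${2:-10}" '
    { sub(/\r$/, "") }
    err != "" { next }
    $0 == b { if (inside) err = "line " NR ": BEGIN inside a certificate"
              inside = 1; n++; next }
    $0 == e { if (!inside) err = "line " NR ": END without BEGIN"
              inside = 0; next }
    # Base64 never contains "-", so any other dashed line is a bad marker,
    # e.g. END and BEGIN run together because a new line was missing.
    /-----/ { err = "line " NR ": unexpected marker line"; next }
    END {
      if (err == "" && inside) err = "last certificate has no END marker"
      if (err == "" && n == 0) err = "no certificates found"
      if (err == "" && n > max + 0) err = n " certificates, limit is " max
      if (err != "") { print err; exit 1 }
      print n " certificate(s) OK"
    }' "$1"
}

# Demo on a constructed two-entry bundle (placeholder bodies, not real certificates).
demo=$(mktemp -d)
printf '%s\nQUJD\n%s\n%s\nREVG\n%s\n' \
  "$BEGIN_MARK" "$END_MARK" "$BEGIN_MARK" "$END_MARK" > "$demo/bundle.pem"
split_bundle "$demo/bundle.pem" "$demo/entry"
check_chain "$demo/bundle.pem"
rm -rf "$demo"
```

Running check_chain caChain.pem before the openssl pkcs12 command catches a chain that was concatenated from files lacking a final new line, as well as a chain file that contains something other than certificates.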