Generating a PKCS#12 file for a TLS profile

API Manager supports only the PKCS#12 (P12) file format. A P12 file is an archive file that contains all the required cryptographic objects.

About this task

This procedure is for illustrative purposes and uses OpenSSL commands. OpenSSL is an open source implementation of the SSL and TLS protocols.

To generate a P12 file, you must have the following files.
  • A private key
  • A root certificate that was signed by a Certificate Authority (CA)
  • The intermediate certificates from the CA

Although all the steps are presented, you might not need to complete all the steps. Complete only the steps that are necessary based on which cryptographic material you already have for your environment.

Procedure

  1. Generate the private key and certificate signing request (CSR).
    openssl req -new -newkey rsa:length -nodes -keyout domain.key -out domain.csr
  2. Send the CSR to your certificate authority (CA).
  3. Download the signed certificate, usually a CRT file, and store the signed certificate and CA chain certificate in the same file as the CSR.
  4. Create the PKCS#12 file.
    • With a single authority, use the following command.
      openssl pkcs12 -export -out file_to_generate.p12 -inkey domain.key -in cert_from_CA.crt -certfile CA_chain.crt
    • With multiple authorities, use the following command.
      openssl pkcs12 -export -out file_to_generate.p12 -inkey domain.key -in cert_from_CA.crt -name "cert_alias_name" -chain -CAfile certs.pem
      The certs.pem file contains a list of your certificate authorities from your intermediate authorities to the root authorities.
      -----BEGIN CERTIFICATE-----
      base64_intermediate_certificate
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      base64_root_certificate
      -----END CERTIFICATE-----
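The whole procedure end to end, as an added example that is not part of this page: it builds a constructed test chain (root, intermediate, server certificate) so that it runs offline, then runs the multi-authority export from step 4 and checks the result before anything is uploaded. The subject names, the alias api-connect-tls, the file names under a temporary directory and the password are assumptions for the test.

```shell
# Added example, not from the page: build a throw-away root -> intermediate -> server chain,
# package the server key and certificate with the full chain as the page's multi-authority
# command does, and check the P12 before uploading it. All subject names, file names and
# the password are constructed for this test.
set -eu
WORK=$(mktemp -d)
PASS=test-only-password
# issue NAME SUBJECT ISSUER_CERT ISSUER_KEY EXTFILE: key and CSR, then a signed certificate.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$3" -CAkey "$4" -CAcreateserial -days 1 \
    -extfile "$5" -out "$WORK/$1.crt" 2>/dev/null
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.example.test\n' > "$WORK/leaf.ext"
  # Self-signed root, an intermediate signed by it, then the server certificate.
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=Test-Root -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
  issue inter /CN=Test-Intermediate "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext"
  issue domain /CN=api.example.test "$WORK/inter.crt" "$WORK/inter.key" "$WORK/leaf.ext"
  # certs.pem order matters: intermediate(s) first, root last, as the page describes.
  cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/certs.pem"
}

# key_matches_cert KEY CERT: succeed only if both carry the same public key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null || true)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null || true)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# -chain makes OpenSSL verify the path from the server certificate up to a root found in
# certs.pem, and it refuses to write the P12 when that verification fails.
build_p12() {
  openssl pkcs12 -export -out "$WORK/domain.p12" -inkey "$WORK/domain.key" -in "$WORK/domain.crt" \
    -name api-connect-tls -chain -CAfile "$WORK/certs.pem" -passout "pass:$PASS" 2>/dev/null
}

# Number of certificates stored in the P12: server + intermediate + root = 3.
p12_cert_count() {
  openssl pkcs12 -in "$WORK/domain.p12" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

build_chain
key_matches_cert "$WORK/domain.key" "$WORK/domain.crt"   # stop before export if the key is wrong
build_p12
echo "P12 written to $WORK/domain.p12 with $(p12_cert_count) certificates"
```

Running `p12_cert_count` against a real P12 is a quick way to confirm that the intermediates were actually included before the upload; a count of 1 means the chain was left out.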

Results

If you receive no errors, your P12 file is generated and ready to upload. If you receive an error, review the documentation for the tool that you used to create the P12 file.

What to do next

Upload your P12 file to API Connect.