# Prepare the Java KeyStore

## Import the client key and certificate into a Java KeyStore

The key and certificate must be converted to an intermediate PKCS#12 format:

{% hint style="danger" %}
Take note of the export password you choose: `keytool` asks for it as the source keystore password in the next step.
{% endhint %}

```
openssl pkcs12 -export -in COMPANY_NAME_UAT.pem -inkey COMPANY_NAME_UAT.key -out certificate.p12 -name "certificate"
```

From this new file, create a KeyStore in JKS format:

```
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore certs.jks
```

Expected output:

```
Importing keystore certificate.p12 to certs.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias certificate successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
```

{% hint style="warning" %}
To ensure that the generated KeyStore is compatible with the target JRE, use the `keytool` command distributed with the same major version of Java as the runtime (e.g. `keytool` distributed with JDK Java 11, JRE execution environment Java 11).
{% endhint %}
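
A pre-flight check for the PKCS#12 export step above, as an added example that is not part of the original page: it confirms that the private key belongs to the certificate before exporting, and that the archive opens with the recorded password. `P12_PASSWORD` and the function names are assumptions, and the sample key pairs are constructed throwaways.

```bash
# Added example (not from the original page). P12_PASSWORD is an assumed
# environment variable name; the sample key pairs are constructed throwaways.

# Succeed only if the certificate and the private key carry the same public key.
key_matches_cert() {    # usage: key_matches_cert CERT.pem KEY.key
  _cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  _key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$_cert_pub" ] && [ "$_cert_pub" = "$_key_pub" ]
}

# Export under the alias used on the page. The password is read from the
# environment, which keeps it off the command line and out of shell history.
export_p12() {          # usage: export_p12 CERT.pem KEY.key OUT.p12
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -name "certificate" -passout env:P12_PASSWORD
}

# Check that the archive opens with the recorded password (MAC verification)
# without writing any key material to the terminal.
p12_opens() {           # usage: p12_opens FILE.p12
  openssl pkcs12 -in "$1" -noout -passin env:P12_PASSWORD >/dev/null 2>&1
}

# Constructed sample input standing in for COMPANY_NAME_UAT.pem / .key.
make_sample_pair() {    # usage: make_sample_pair DIR NAME
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-sample" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  P12_PASSWORD="constructed-demo-password"; export P12_PASSWORD
  make_sample_pair "$demo_dir" client && make_sample_pair "$demo_dir" other || return 1
  export_p12 "$demo_dir/client.pem" "$demo_dir/client.key" "$demo_dir/certificate.p12" \
    && p12_opens "$demo_dir/certificate.p12" && echo "export verified"
  export_p12 "$demo_dir/client.pem" "$demo_dir/other.key" "$demo_dir/bad.p12" 2>/dev/null \
    || echo "mismatched key rejected"
  rm -rf "$demo_dir"
}
demo
```

With real files, the value held in `P12_PASSWORD` is the one `keytool -importkeystore` later asks for at the `Enter source keystore password:` prompt.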

## Add the server root CA certificate to the Java KeyStore

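To validate the server certificate (<https://api.cstar.pagopa.it/> for production, <https://api.uat.cstar.pagopa.it/> for UAT) please add the root CA certificate ([Let’s Encrypt R3](https://letsencrypt.org/certs/lets-encrypt-r3.pem)) to the new KeyStore. The commands below download the Let’s Encrypt R12, R13, E7 and E8 certificates (including the cross-signed E7 and E8 variants) and import each one under its own alias.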

```
wget -O lets-encrypt-r12.pem https://letsencrypt.org/certs/2024/r12.pem
wget -O lets-encrypt-r13.pem https://letsencrypt.org/certs/2024/r13.pem
wget -O lets-encrypt-e7.pem https://letsencrypt.org/certs/2024/e7.pem
wget -O lets-encrypt-e8.pem https://letsencrypt.org/certs/2024/e8.pem
wget -O lets-encrypt-e7-cross.pem https://letsencrypt.org/certs/2024/e7-cross.pem
wget -O lets-encrypt-e8-cross.pem https://letsencrypt.org/certs/2024/e8-cross.pem

keytool -import -trustcacerts -file "lets-encrypt-r12.pem" -alias lets-encrypt-r12 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-r13.pem" -alias lets-encrypt-r13 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e7.pem" -alias lets-encrypt-e7 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e8.pem" -alias lets-encrypt-e8 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e7-cross.pem" -alias lets-encrypt-e7-cross -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e8-cross.pem" -alias lets-encrypt-e8-cross -keystore certs.jks
```

Expected output:

```
Enter keystore password:
Certificate was added to keystore
```

## Quick reference

```
openssl pkcs12 -export -in <CERTIFICATE>.pem -inkey <PRIVATE_KEY>.key -out certificate.p12 -name "certificate"
```

```
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore certs.jks
```

```
wget -O lets-encrypt-r12.pem https://letsencrypt.org/certs/2024/r12.pem
wget -O lets-encrypt-r13.pem https://letsencrypt.org/certs/2024/r13.pem
wget -O lets-encrypt-e7.pem https://letsencrypt.org/certs/2024/e7.pem
wget -O lets-encrypt-e8.pem https://letsencrypt.org/certs/2024/e8.pem
wget -O lets-encrypt-e7-cross.pem https://letsencrypt.org/certs/2024/e7-cross.pem
wget -O lets-encrypt-e8-cross.pem https://letsencrypt.org/certs/2024/e8-cross.pem
```

```
keytool -import -trustcacerts -file "lets-encrypt-r12.pem" -alias lets-encrypt-r12 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-r13.pem" -alias lets-encrypt-r13 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e7.pem" -alias lets-encrypt-e7 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e8.pem" -alias lets-encrypt-e8 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e7-cross.pem" -alias lets-encrypt-e7-cross -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e8-cross.pem" -alias lets-encrypt-e8-cross -keystore certs.jks
```

