Prepare the Java KeyStore

Import the client key and certificate into a Java KeyStore

The key and certificate must be converted to an intermediate PKCS#12 format:

openssl pkcs12 -export -in COMPANY_NAME_UAT.pem -inkey COMPANY_NAME_UAT.key -out certificate.p12 -name "certificate"

From this new file, create a keystore in JKS format:

keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore certs.jks

Expected output:

Importing keystore certificate.p12 to certs.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias certificate successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Add the server root CA certificate to the Java KeyStore

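To validate the server certificate (https://api.cstar.pagopa.it/ for production, https://api.uat.cstar.pagopa.it/ for UAT), add the root CA certificate (Let’s Encrypt R3) to the new KeyStore. The commands below download the Let’s Encrypt r10, r11, e5 and e6 certificates, plus the cross-signed e5 and e6, and import each one under its own alias.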

wget -O lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem
wget -O lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem
wget -O lets-encrypt-e5.pem https://letsencrypt.org/certs/2024/e5.pem
wget -O lets-encrypt-e6.pem https://letsencrypt.org/certs/2024/e6.pem
wget -O lets-encrypt-e5-cross.pem https://letsencrypt.org/certs/2024/e5-cross.pem
wget -O lets-encrypt-e6-cross.pem https://letsencrypt.org/certs/2024/e6-cross.pem


keytool -import -trustcacerts -file "lets-encrypt-r10.pem" -alias lets-encrypt-r10 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-r11.pem" -alias lets-encrypt-r11 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e5.pem" -alias lets-encrypt-e5 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e6.pem" -alias lets-encrypt-e6 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e5-cross.pem" -alias lets-encrypt-e5-cross -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e6-cross.pem" -alias lets-encrypt-e6-cross -keystore certs.jks

Expected output:

Enter keystore password:
Certificate was added to keystore
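
To confirm the result of the steps above, the listing printed by keytool -list can be checked for the one private-key entry and the six trusted-certificate entries. The script below is an added example, not part of the original guide; it uses the aliases from this page, and the sample listing (date, fingerprints) is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): check `keytool -list` output
# for the entries that the steps above should have created in certs.jks.
EXPECTED_TRUST="lets-encrypt-r10 lets-encrypt-r11 lets-encrypt-e5 lets-encrypt-e6 lets-encrypt-e5-cross lets-encrypt-e6-cross"

# parse_listing: stdin = keytool -list output, stdout = "<alias> <entryType>".
# Entry lines look like "<alias>, <date>, <entryType>, "; the date may itself
# contain commas, so only the first field and the entry type are used.
parse_listing() {
  awk -F', *' '/PrivateKeyEntry|trustedCertEntry/ {
    print $1, ($0 ~ /PrivateKeyEntry/ ? "PrivateKeyEntry" : "trustedCertEntry")
  }'
}

# check_listing: prints one line per missing entry; returns 0 only if none.
# A client certificate imported without its key shows up as trustedCertEntry
# and is reported as a missing PrivateKeyEntry.
check_listing() {
  entries=$(parse_listing); problems=""
  printf '%s\n' "$entries" | grep -qxF 'certificate PrivateKeyEntry' ||
    problems="missing PrivateKeyEntry: certificate"
  for a in $EXPECTED_TRUST; do
    printf '%s\n' "$entries" | grep -qxF "$a trustedCertEntry" ||
      problems="${problems:+$problems
}missing trustedCertEntry: $a"
  done
  [ -z "$problems" ] && return 0
  printf '%s\n' "$problems"; return 1
}

# Constructed sample of a complete listing (date and fingerprints are placeholders).
sample_listing() {
  printf 'Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 7 entries\n\n'
  printf 'certificate, Jan 1, 2025, PrivateKeyEntry, \nCertificate fingerprint (SHA-256): <constructed>\n'
  for a in $EXPECTED_TRUST; do
    printf '%s, Jan 1, 2025, trustedCertEntry, \nCertificate fingerprint (SHA-256): <constructed>\n' "$a"
  done
}

sample_listing | check_listing && echo "listing complete"
```

Against the real file, pipe the actual listing into the same function: keytool -list -keystore certs.jks | check_listing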

Quick reference

openssl pkcs12 -export -in <CERTIFICATE>.pem -inkey <PRIVATE_KEY>.key -out certificate.p12 -name "certificate"
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore certs.jks
wget -O lets-encrypt-r10.pem https://letsencrypt.org/certs/2024/r10.pem
wget -O lets-encrypt-r11.pem https://letsencrypt.org/certs/2024/r11.pem
wget -O lets-encrypt-e5.pem https://letsencrypt.org/certs/2024/e5.pem
wget -O lets-encrypt-e6.pem https://letsencrypt.org/certs/2024/e6.pem
wget -O lets-encrypt-e5-cross.pem https://letsencrypt.org/certs/2024/e5-cross.pem
wget -O lets-encrypt-e6-cross.pem https://letsencrypt.org/certs/2024/e6-cross.pem
keytool -import -trustcacerts -file "lets-encrypt-r10.pem" -alias lets-encrypt-r10 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-r11.pem" -alias lets-encrypt-r11 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e5.pem" -alias lets-encrypt-e5 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e6.pem" -alias lets-encrypt-e6 -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e5-cross.pem" -alias lets-encrypt-e5-cross -keystore certs.jks
keytool -import -trustcacerts -file "lets-encrypt-e6-cross.pem" -alias lets-encrypt-e6-cross -keystore certs.jks
