Create the Java KeyStore
Import the client key and certificate into a Java KeyStore
The key and certificate obtained by following the steps in Appendix 3 - Acquirer Services Authentication must first be converted to an intermediate PKCS#12 file:
openssl pkcs12 -export -in <CERTIFICATE>.pem -inkey <PRIVATE_KEY>.key -out certificate.p12 -name "certificate"
Enter Export Password:
Verifying - Enter Export Password:
From this newly created file it is then possible to create a keystore in JKS format that can be consumed by the Batch Acquirer:
keytool -importkeystore -srckeystore certificate.p12 -srcstoretype pkcs12 -destkeystore certs.jks
Importing keystore certificate.p12 to certs.jks...
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Entry for alias certificate successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Add the server root CA certificate to the Java KeyStore
For the application's REST client to validate the certificate of the target server (https://api.cstar.pagopa.it/ for production, https://api.uat.cstar.pagopa.it/ for UAT), the certificate of the CA that signed the server certificate must also be added to the newly generated KeyStore.
It is therefore necessary to add the Let’s Encrypt R3 certificate to the KeyStore using the following commands:
curl --output lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem
keytool -import -trustcacerts -file "lets-encrypt-r3.pem" -alias lets_encrypt_r3 -keystore certs.jks
Enter keystore password:
Certificate was added to keystore
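To confirm the result of both import steps, the following added example (not part of the original guide) checks keytool -list output for the two aliases created above: "certificate" as a PrivateKeyEntry and "lets_encrypt_r3" as a trustedCertEntry. The function names, the KEYSTORE_PASSWORD variable name and the sample listing are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check that certs.jks holds both entries created above.

# Constructed sample of `keytool -list` output (fingerprints omitted).
SAMPLE_LISTING='Keystore type: PKCS12
Your keystore contains 2 entries

certificate, Mar 5, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): <constructed sample>
lets_encrypt_r3, Mar 5, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed sample>'

# has_entry ALIAS TYPE: succeeds if stdin has "<alias>, <date>, <type>,".
has_entry() {
    grep -Eq "^$1, .*, $2,[[:space:]]*\$"
}

# Reads a listing on stdin; returns 0 only if the client key pair and the
# CA certificate are both present with the expected entry types.
check_keystore_listing() {
    listing=$(cat)
    rc=0
    if ! printf '%s\n' "$listing" | has_entry certificate PrivateKeyEntry; then
        # A trustedCertEntry under this alias means the private key is
        # missing, so the client could not authenticate.
        echo "missing: alias 'certificate' as PrivateKeyEntry" >&2
        rc=1
    fi
    if ! printf '%s\n' "$listing" | has_entry lets_encrypt_r3 trustedCertEntry; then
        echo "missing: alias 'lets_encrypt_r3' as trustedCertEntry" >&2
        rc=1
    fi
    return "$rc"
}

# check_keystore FILE: runs keytool on a real keystore. The password is
# read from the KEYSTORE_PASSWORD environment variable (assumed name) so it
# does not appear on the command line.
check_keystore() {
    keytool -list -keystore "$1" -storepass:env KEYSTORE_PASSWORD |
        check_keystore_listing
}

# Demonstration on the constructed sample; use `check_keystore certs.jks`
# against the real file.
printf '%s\n' "$SAMPLE_LISTING" | check_keystore_listing && echo "keystore layout OK"
```

The alias names match the -name "certificate" and -alias lets_encrypt_r3 options used in the commands above; adjust them if different aliases were chosen.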