===== Generating a Certificate Manually =====
This section explains how to manually generate a server certificate using Keytool and OpenSSL:
* **Private key generation**
* **CSR creation**
* **CA signing**
* **Chain assembly (root + intermediate)**
* **Keystore import**
* **Full PKCS12 generation**
==== Generate the private key and initial keystore ====
We will use Keytool to generate a new key pair. Make sure the **SAN** extension lists the correct hostname and/or IP address: clients validate the hostname against the SAN, not the CN.
Command:
<code bash>
keytool -genkeypair -keyalg RSA -keysize 4096 \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -dname "CN=your.hostname.example" \
  -ext SAN=DNS:your.hostname.example,IP:your.server.ip
</code>
This creates:
* **server.jks** → keystore containing the private key
* alias: **server**
----
==== Generate the CSR (Certificate Signing Request) ====
Command:
<code bash>
keytool -certreq \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -ext SAN=DNS:your.hostname.example,IP:your.server.ip \
  -file server.csr
</code>
Send **server.csr** to your Certificate Authority (CA)
==== Receive signed certificates from the CA ====
Your CA will return:
* **server certificate** (server.cer / server.crt)
* **intermediate CA certificate(s)**
* **root CA certificate**
Certificates may be in **DER** (binary) or **PEM** (text) format
If DER (binary), convert to PEM with:
<code bash>
openssl x509 -inform DER -in intermediate.cer -out intermediate.crt
openssl x509 -inform DER -in root.cer -out root.crt
openssl x509 -inform DER -in server.cer -out server.crt
</code>
==== Import CA certificates into the keystore (trustedCertEntry) ====
Command:
<code bash>
keytool -import -trustcacerts \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias ca_root \
  -file root.crt
</code>
Then command:
<code bash>
keytool -import -trustcacerts \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias ca_intermediate \
  -file intermediate.crt
</code>
**IMPORTANT:**
These certificates are imported as **trustedCertEntry**, but **Redpeaks does NOT reconstruct the chain automatically**
==== Import the CA-signed server certificate on the same alias ====
This step replaces the temporary self-signed certificate that Keytool created in step 1 with the CA-signed one and attaches the chain to the **server** entry. Keytool builds that chain from the **trustedCertEntry** entries imported above, so they must be present first.
<code bash>
keytool -import \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -file server.crt
</code>
Check chain length:
<code bash>
keytool -list -v -keystore server.jks -alias server
</code>
You should see:
* **Entry type: PrivateKeyEntry**
* **Certificate chain length: 2 or 3**
If **chain length = 1**, Redpeaks will send an incomplete chain and **browsers will reject it** → read the PKCS12 section below
===== Building a Full PKCS12 Certificate Bundle (P12) =====
This section fixes all chain issues by generating a PKCS12 containing:
* **private key**
* **server certificate**
* **intermediate certificates**
* **root certificate**
Redpeaks will then serve a **complete certificate chain**
==== Build the full certificate chain file ====
Command:
<code bash>
cat intermediate.crt root.crt > chain.pem
</code>
Order matters:
* intermediate(s) first
* root last
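Before exporting the PKCS12, it is worth checking that server.crt, server.key and chain.pem actually fit together in the order described above. The script below is an added example (not from the Redpeaks documentation); it assumes openssl on PATH and the file names used on this page.

```shell
#!/bin/sh
# Added example (not from the Redpeaks documentation): sanity-check the PEM
# files before "openssl pkcs12 -export", so server.p12 never carries the
# incomplete chain this page warns about. Assumes: openssl on PATH, and
# chain.pem built as "cat intermediate.crt root.crt > chain.pem".

# name_of subject|issuer CERT : print the DN in normalised RFC 2253 form
name_of() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"; }

# check_chain SERVER_CRT CHAIN_PEM : 0 when each certificate in CHAIN_PEM
# issued the one before it (server -> intermediate(s) -> root) and the last
# one is self-signed; otherwise 1 with the reason on stderr.
check_chain() {
    server=$1 chain=$2 rc=0 i=1
    work=$(mktemp -d) || return 1
    # split chain.pem into cert1.pem, cert2.pem, ... preserving file order
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$chain"
    prev=$server
    while [ -f "$work/cert$i.pem" ]; do
        cur="$work/cert$i.pem"
        if [ "$(name_of issuer "$prev")" != "$(name_of subject "$cur")" ]; then
            echo "chain broken at certificate $i: expected issuer $(name_of issuer "$prev")" >&2
            rc=1; break
        fi
        prev=$cur; i=$((i + 1))
    done
    # a walk that never ends on a self-signed root is an incomplete chain
    if [ "$rc" -eq 0 ] && { [ "$i" -eq 1 ] || \
         [ "$(name_of issuer "$prev")" != "$(name_of subject "$prev")" ]; }; then
        echo "chain incomplete: last certificate is not a self-signed root" >&2
        rc=1
    fi
    rm -rf "$work"
    return "$rc"
}

# check_key_match SERVER_CRT SERVER_KEY : 0 when the key's public half equals
# the certificate's public key (otherwise the PKCS12 export is useless)
check_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Usage: sh check_chain.sh server.crt chain.pem server.key
if [ "$#" -eq 3 ]; then
    check_chain "$1" "$2" && check_key_match "$1" "$3" && echo "OK: chain complete, key matches"
fi
```

A non-zero exit with "chain broken" or "chain incomplete" is exactly the situation that ends as chain length 1 in the keystore.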
==== Create the PKCS12 bundle (private key + cert + chain) ====
**server.key** must be the PEM-encoded private key that matches **server.crt**. Keytool cannot write a bare private key file, so if the key was generated inside server.jks (step 1) export it from the keystore before running this command. OpenSSL prompts for an export password: use **agentilKeyStore** so that the **-srcstorepass** of the next step matches.
Command:
<code bash>
openssl pkcs12 -export \
  -inkey server.key \
  -in server.crt \
  -certfile chain.pem \
  -name pro_monitor \
  -out server.p12
</code>
==== Import PKCS12 into Redpeaks keystore ====
Command:
<code bash>
keytool -importkeystore \
  -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
  -destkeystore [PRO_MONITOR_HOME]/certificates/.keystore \
  -deststoretype JKS -deststorepass agentilKeyStore
</code>
The entry is imported under the alias given to **-name** when the PKCS12 was exported (**pro_monitor** above), so verify with that alias:
<code bash>
keytool -list -v -keystore [PRO_MONITOR_HOME]/certificates/.keystore -alias pro_monitor
</code>
Expected:
* **Entry type: PrivateKeyEntry**
* **Certificate chain length: 2 or 3** (OK)