
Generating a Certificate Manually

This section explains how to manually generate a server certificate using Keytool and OpenSSL:

Generate the private key and initial keystore

We will use Keytool to generate a new key pair. Make sure to define the correct SAN (hostname and/or IP address).

Command:

keytool -genkeypair -keyalg RSA -keysize 4096 \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -dname "CN=your.hostname.example" \
  -ext SAN=DNS:your.hostname.example,IP:your.server.ip

This creates:


Generate the CSR (Certificate Signing Request)

Command:

keytool -certreq \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -ext SAN=DNS:your.hostname.example,IP:your.server.ip \
  -file server.csr

Send server.csr to your Certificate Authority (CA)

Receive signed certificates from the CA

Your CA will return:

Certificates may be in DER (binary) or PEM (text) format

If DER (binary), convert to PEM with:

openssl x509 -inform DER -in intermediate.cer -out intermediate.crt
openssl x509 -inform DER -in root.cer -out root.crt
openssl x509 -inform DER -in server.cer -out server.crt

Import CA certificates into the keystore (trustedCertEntry)

Command:

keytool -import -trustcacerts \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias ca_root \
  -file root.crt

Then import the intermediate certificate:

keytool -import -trustcacerts \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias ca_intermediate \
  -file intermediate.crt

IMPORTANT: These certificates are imported as trustedCertEntry, but Redpeaks does NOT reconstruct the chain automatically

Import the CA-signed server certificate on the same alias

This step replaces the temporary Keytool certificate and attaches the chain

keytool -import \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -file server.crt

Check chain length:

keytool -list -v -keystore server.jks -alias server

You should see:

If the chain length is 1, Redpeaks will send an incomplete chain and browsers will reject it. In that case, follow the PKCS12 section.

Building a Full PKCS12 Certificate Bundle (P12)

This section fixes all chain issues by generating a PKCS12 containing:

Redpeaks will then serve a complete certificate chain

Build the full certificate chain file

Command:

cat intermediate.crt root.crt > chain.pem

Order matters:

Create the PKCS12 bundle (private key + cert + chain)

Command:

openssl pkcs12 -export \
  -inkey server.key \
  -in server.crt \
  -certfile chain.pem \
  -name pro_monitor \
  -out server.p12
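
The three input files of this export can be checked for consistency before the bundle is built. The script below is an added example, not part of the Redpeaks documentation: check_bundle, pub_hash and make_demo_pki are hypothetical helper names, the demo PKI is constructed test data, and server.key is assumed to be an unencrypted PEM private key.

```shell
#!/bin/sh
# Added example, not vendor code: pre-flight check for the inputs of
# "openssl pkcs12 -export". Function names are hypothetical; file names follow the page.

# SHA-256 of the public key in a private key ($1=pkey) or a certificate ($1=x509).
pub_hash() {
  if [ "$1" = pkey ]; then openssl pkey -in "$2" -pubout
  else openssl x509 -in "$2" -noout -pubkey; fi | openssl dgst -sha256
}

# check_bundle server.key server.crt chain.pem
# 0 = consistent, 1 = key does not belong to the certificate,
# 2 = chain.pem does not start with the issuer of server.crt (wrong order),
# 3 = server.crt does not verify against the certificates in chain.pem.
check_bundle() {
  [ "$(pub_hash pkey "$1")" = "$(pub_hash x509 "$2")" ] || return 1
  [ "$(openssl x509 -in "$2" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$3" -noout -subject_hash)" ] || return 2
  openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 3
}

# Constructed test data: throwaway root -> intermediate -> server PKI in directory $1.
make_demo_pki() (
  cd "$1" || exit 1
  printf '[req]\ndistinguished_name=dn\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > ca.cnf
  for n in root intermediate server other; do
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes -subj "/CN=demo $n" \
      -keyout "$n.key" -out "$n.csr" 2>/dev/null || exit 1
  done
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.cnf -extensions ca -out root.crt 2>/dev/null || exit 1
  openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 2 -extfile ca.cnf -extensions ca -out intermediate.crt 2>/dev/null || exit 1
  openssl x509 -req -in server.csr -CA intermediate.crt -CAkey intermediate.key \
    -CAcreateserial -days 2 -out server.crt 2>/dev/null || exit 1
  cat intermediate.crt root.crt > chain.pem      # same order as on the page
  cat root.crt intermediate.crt > reversed.pem   # deliberately wrong order
)

# With three arguments, check real files; the exit status is the code listed above.
if [ "$#" -eq 3 ]; then check_bundle "$@"; exit $?; fi
```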

Import PKCS12 into Redpeaks keystore

Command:

keytool -importkeystore \
  -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
  -destkeystore [PRO_MONITOR_HOME]/certificates/.keystore \
  -deststoretype JKS -deststorepass agentilKeyStore

Verify:

keytool -list -v -keystore [PRO_MONITOR_HOME]/certificates/.keystore -alias pro_monitor

Expected: