
Generating a Certificate Manually

This section explains how to manually generate a server certificate using Keytool and OpenSSL:

  • Private key generation
  • CSR creation
  • CA signing
  • Chain assembly (root + intermediate)
  • Keystore import
  • Full PKCS12 generation

Generate the private key and initial keystore

We will use Keytool to generate a new key pair. Make sure to define the correct SAN (hostname and/or IP address) for the server, because browsers validate the certificate against the SAN, not the CN.

Command:

keytool -genkeypair -keyalg RSA -keysize 4096 \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -dname "CN=your.hostname.example" \
  -ext SAN=DNS:your.hostname.example,IP:your.server.ip

This creates:

  • server.jks → keystore containing the private key (with a temporary self-signed certificate)
  • alias: server

Generate the CSR (Certificate Signing Request)

Command:

keytool -certreq \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -ext SAN=DNS:your.hostname.example,IP:your.server.ip \
  -file server.csr

Send server.csr to your Certificate Authority (CA)

Receive signed certificates from the CA

Your CA will return:

  • server certificate (server.cer / server.crt)
  • intermediate CA certificate(s)
  • root CA certificate

Certificates may be in DER (binary) or PEM (text) format

If DER (binary), convert to PEM with:

openssl x509 -inform DER -in intermediate.cer -out intermediate.crt
openssl x509 -inform DER -in root.cer -out root.crt
openssl x509 -inform DER -in server.cer -out server.crt

Import CA certificates into the keystore (trustedCertEntry)

Command:

keytool -import -trustcacerts \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias ca_root \
  -file root.crt

Then command:

keytool -import -trustcacerts \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias ca_intermediate \
  -file intermediate.crt

IMPORTANT: These certificates are imported as trustedCertEntry, but Redpeaks does NOT reconstruct the chain automatically

Import the CA-signed server certificate on the same alias

This step replaces the temporary Keytool certificate and attaches the chain

keytool -import \
  -keystore server.jks \
  -storepass agentilKeyStore \
  -alias server \
  -file server.crt

Check chain length:

keytool -list -v -keystore server.jks -alias server

You should see:

  • Entry type: PrivateKeyEntry
  • Certificate chain length: 2 or 3

If the chain length is 1, Redpeaks will send an incomplete chain and browsers will reject it → read the PKCS12 section

Building a Full PKCS12 Certificate Bundle (P12)

This section resolves chain issues by generating a PKCS12 that contains:

  • private key
  • server certificate
  • intermediate certificates
  • root certificate

Redpeaks will then serve a complete certificate chain

Build the full certificate chain file

Command:

cat intermediate.crt root.crt > chain.pem

Order matters:

  • intermediate(s) first
  • root last
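The chain-length check above and the ordering rule here are the two places where this procedure usually goes wrong. The script below is an added example, not part of the Redpeaks documentation: it checks that a chain.pem is ordered intermediate(s) first, root last, and that server.crt actually verifies through that bundle up to the root, which is what a browser has to be able to do with what the server sends. It assumes the openssl CLI is installed and builds a throwaway test PKI (constructed names, no real certificates) so it runs stand-alone.

```shell
#!/bin/sh
# Added check for the chain.pem built above; not part of the Redpeaks/Pro.Monitor docs.
# Assumes the openssl CLI is installed. All file names and certificates are constructed here.
set -eu
# Split a PEM bundle into one file per certificate: <prefix>-1.pem, <prefix>-2.pem, ...
split_pem() {
  awk -v pfx="$2" '/BEGIN CERTIFICATE/{n++} {print > (pfx "-" n ".pem")}' "$1"
}
# Returns 0 when each certificate is issued by the one after it and the last one is
# self-signed (the root): intermediate(s) first, root last, as the page requires.
chain_order_ok() {
  d=$(mktemp -d); split_pem "$1" "$d/c"; rc=0; i=1
  while [ -f "$d/c-$i.pem" ]; do
    issuer=$(openssl x509 -noout -issuer -in "$d/c-$i.pem"); issuer=${issuer#issuer=}
    if [ -f "$d/c-$((i+1)).pem" ]; then
      next=$(openssl x509 -noout -subject -in "$d/c-$((i+1)).pem")
      [ "$issuer" = "${next#subject=}" ] || { echo "order break after certificate $i"; rc=1; }
    else
      self=$(openssl x509 -noout -subject -in "$d/c-$i.pem")
      [ "$issuer" = "${self#subject=}" ] || { echo "last certificate is not a root"; rc=1; }
    fi
    i=$((i+1))
  done
  rm -rf "$d"; return $rc
}
# Returns 0 when the server certificate ($1) verifies up to the root ($3) via the bundle ($2).
server_chain_ok() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}
# Constructed three-tier test PKI (root -> intermediate -> server), written into $1.
make_test_pki() (
  cd "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
  printf 'subjectAltName=DNS:your.hostname.example\n' > srv.ext
  for n in root int server; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
  openssl req -new -key root.key -subj /CN=TestRoot -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null
  openssl req -new -key int.key -subj /CN=TestIntermediate -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 2 \
    -extfile ca.ext -out intermediate.crt 2>/dev/null
  openssl req -new -key server.key -subj /CN=your.hostname.example -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA intermediate.crt -CAkey int.key -CAcreateserial -days 2 \
    -extfile srv.ext -out server.crt 2>/dev/null
  cat intermediate.crt root.crt > chain.pem         # correct order, as in the page
  cat root.crt intermediate.crt > chain-wrong.pem   # root first: the common mistake
)
# Demo on the constructed PKI; real use: chain_order_ok chain.pem; server_chain_ok server.crt chain.pem root.crt
T=$(mktemp -d); make_test_pki "$T"
chain_order_ok "$T/chain.pem" && echo "chain.pem: order OK"
chain_order_ok "$T/chain-wrong.pem" || echo "chain-wrong.pem: order BAD (root first)"
```

A bundle that fails chain_order_ok will still be imported by keytool, so run this before the openssl pkcs12 -export step rather than after.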

Create the PKCS12 bundle (private key + cert + chain)

server.key is the server's private key in PEM format. If the key was generated in server.jks with Keytool as above, it must first be extracted from that keystore (for example with keytool -importkeystore to a PKCS12 file, then openssl pkcs12 -nocerts -nodes), since Keytool cannot write a private key to a PEM file directly. When prompted for the export password, use the value given as -srcstorepass in the next step (agentilKeyStore).

Command:

openssl pkcs12 -export \
  -inkey server.key \
  -in server.crt \
  -certfile chain.pem \
  -name pro_monitor \
  -out server.p12

Import PKCS12 into Redpeaks keystore

Command:

keytool -importkeystore \
  -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass agentilKeyStore \
  -destkeystore [PRO_MONITOR_HOME]/certificates/.keystore \
  -deststoretype JKS -deststorepass agentilKeyStore

Verify (the alias is the value passed to -name when the PKCS12 was created):

keytool -list -v -keystore [PRO_MONITOR_HOME]/certificates/.keystore -alias pro_monitor

Expected:

  • Entry type: PrivateKeyEntry
  • Certificate chain length: 2 or 3 (OK)
Last modified: 2025/11/20 09:56 by jtbeduchaud