Page History

...

The next step is to extract the private key that was used to generate the CSR.  If a utility such as openssl was used to generate the CSR, then a file containing the private key should already be present and this step is unnecessary.  If, however, the site used keytool to generate the CSR using a private key from a store called shrine.keystore, then the following commands should be run to extract the private key into a separate file.  Execute the following commands to extract the private key into a file called private_key.pem:

...

Now combine the private key with the chained cert into a PKCS12 package (.pfx or .p12 suffix) that will set the stage to import the bundle into the final keystore.  The most important concept about using a third-party certificate is that we must construct a chain of trust that an application such as SHRINE can trace from the endpoint certificate all the way back to the root CA.  Without this trust tracing, SHRINE will report that it is unable to proceed.  In light of this important idea, in the following command (again, assuming that the private key file is called private_key.pem), the certificates_file contains the new certificate plus all intermediate certificates plus the root certificate, and the ca_certificate contains the intermediate certificates plus the root certificate.  Run this command to bundle the private key, the endpoint certificate, and all intermediate and root certificates into one single entry within the PKCS12 store:

$ openssl pkcs12 -export -in <certificates_file> -inkey private_key.pem -out <pkcs12_file> -name <source_entry_alias> -CAfile <ca_certificate> -chain -password pass:<password>

...