Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Having now obtained the private key file either from openssl or keytool, the site should then combine the private key with the chained cert into a PKCS12 package (.pfx or .p12 suffix) that will set the stage to import the bundle into the final keystore.  The most important concept about using a third-party certificate is that we must construct a chain of trust that SHRINE can trace from the endpoint certificate all the way back to the root CA.  Without this trust verification, SHRINE will be unable to use the certificates as intended.  In light of this, in the following command (again, assuming that the private key file is called private_key.pem), the certificates_file contains the new certificate plus all intermediate certificates plus the root certificate, and the ca_certificate contains the intermediate certificates plus the root certificate.  Run this command to bundle the private key, the endpoint certificate, and all intermediate and root certificates into one single entry within the PKCS12 store:

Code Block
languagebash
themerdark
$ openssl pkcs12 -export -in <certificates_file> -inkey private_key.pem -out <pkcs12_file>shrine.keystore.p12.temp -name shrine.example.edu -CAfile <ca_certificate> -chain -password pass:<password>

...