Using an existing key pair
To use an existing key pair, use the manage-certificates
tool that is located in the server’s bin
or bat
directory, depending on your operating system.
About this task
If a private key and certificate already exist in PEM-encoded format, they can replace both the original private key and the self-signed certificate in keystore
, instead of replacing the self-signed certificate associated with the original server-generated private key.
Steps
-
Import the existing certificates using the
manage-certificates import-certificate
.Order the certificates that use the
--certificate-file
option so that each subsequent certificate functions as the issuer for the previous one.List the server certificate first, then any intermediate certificates, and then list the root certificate authority (CA) certificate. Because some deployments do not feature an intermediate issuer, you might need to import only the server certificate and a single issuer.
For example, the following command imports the existing certificates into a new keystore file named
keystore.new
.manage-certificates import-certificate \ --keystore keystore.new \ --keystore-type JKS \ --keystore-password-file keystore.pin \ --alias server-cert \ --private-key-file existing.key \ --certificate-file existing.crt \ --certificate-file intermediate.crt \ --certificate-file root-ca.crt