---
title: Import existing CA-signed certificates
description: You can import your existing CA-signed certificate into the API Publish service. Before importing the CA-signed certificate, stop the API Publish service if it is already running. Complete the following steps to import the CA-signed certificate:
component: pingintelligence
version: 5.1
page_id: pingintelligence:pingintelligence_production_deployment:pingintelligence_import_existing_certificates
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/pingintelligence_production_deployment/pingintelligence_import_existing_certificates.html
revdate: March 27, 2024
---

# Import existing CA-signed certificates

You can import your existing CA-signed certificate into the API Publish service. Before importing the CA-signed certificate, stop the API Publish service if it is already running. Complete the following steps to import the CA-signed certificate:

1. Export your CA-signed certificate to a PKCS12 store by entering the following command:

   ```
   # openssl pkcs12 -export -in <your_CA_certificate.crt> -inkey <your_certificate_key.key> -out abs.p12 -name <alias_name>
   ```

   For example:

   ```
   # openssl pkcs12 -export -in ping.crt -inkey ping.key -out abs.p12 -name exampleCAcertificate
   Enter Export Password:
   Verifying - Enter Export Password:
   ```

   |   |                                                                                                               |
   | - | ------------------------------------------------------------------------------------------------------------- |
   |   | If you have an intermediate certificate from the CA, append its content to the `<your_CA_certificate>.crt` file before you run the export command. |

2. Import the certificate and key from the PKCS12 store to the Java Keystore by entering the following command. The command prompts for the destination keystore password, which must be the same as the password configured in the `apipublish.properties` file.

   The following is a snippet of the `apipublish.properties` file where the destination keystore password is stored. The password is obfuscated.

   ```
   # Java Keystore password
   jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=
   ```

   Enter the following command:

   ```
   # keytool -importkeystore -destkeystore apipublish.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias <alias_name> -storetype jks
   ```

   **For example:**

   ```
   # keytool -importkeystore -destkeystore apipublish.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias exampleCAcertificate -storetype jks
   Importing keystore abs.p12 to apipublish.jks...
   Enter destination keystore password:
   Re-enter new password:
   Enter source keystore password:
   ```

3. Copy the `apipublish.jks` file created in step 2 to the `/config/ssl` directory.

4. Start the API Publish service by entering the following command:

   ```
   # ./bin/start.sh
   ```

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
| - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | The API Publish service ships with a default self-signed certificate in the Java Keystore at `/config/ssl/apipublish.jks`, and the default password is set in the `apipublish.properties` file. The default password is obfuscated in the file. It is recommended to change the default passwords and obfuscate the new passwords. See [Obfuscate passwords](pingintelligence_api_publish_service_obfuscating_passwords.html) for steps to obfuscate passwords. |
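
The checks below are an added example, not part of the PingIntelligence documentation or tooling. They confirm before step 1 that the private key matches the leaf certificate, and after steps 1 and 2 that the stores hold the expected chain, alias and key entry. The function names and the `P12_PASS` and `JKS_PASS` environment variables are assumptions; passwords are passed through the environment so they do not appear on the command line.

```shell
#!/bin/sh
# Added example: checks around steps 1 and 2. Function names and the
# P12_PASS / JKS_PASS environment variables are assumptions of this sketch.

# Succeeds only if the private key ($2) belongs to the first certificate
# in $1. The leaf must come first; intermediates are appended after it.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 1 with a guard: refuse to export when key and leaf do not match.
# usage: export_p12 <cert.crt> <key.key> <out.p12> <alias>
export_p12() {
    key_matches_cert "$1" "$2" || {
        echo "private key does not match leaf certificate in $1" >&2
        return 1
    }
    # umask 077: the PKCS12 file holds the private key.
    ( umask 077
      openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name "$4" \
          -passout env:P12_PASS )
}

# Number of certificates in the PKCS12 store (leaf plus intermediates).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Succeeds if the store carries the alias given with -name.
p12_has_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -Fq "friendlyName: $2"
}

# After step 2: the alias must be a PrivateKeyEntry, not a bare
# trustedCertEntry, or the service has no key to present.
jks_has_private_key() {
    keytool -list -keystore "$1" -alias "$2" -storepass:env JKS_PASS \
        2>/dev/null | grep -q 'PrivateKeyEntry'
}
```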
