---
title: Importing existing CA-signed certificates
description: You can import your existing CA-signed certificate in ABS.
component: pingintelligence
version: 5.2
page_id: pingintelligence:installing_pingintelligence_for_apis:pingintelligence_import_ca_signed_certificates
canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/installing_pingintelligence_for_apis/pingintelligence_import_ca_signed_certificates.html
revdate: April 3, 2024
section_ids:
  before-you-begin: Before you begin
  about-this-task: About this task
  steps: Steps
  example: Example:
  example-2: Example:
  next-steps: Next steps
---

# Importing existing CA-signed certificates

You can import your existing CA-signed certificate in ABS.

## Before you begin

To import the CA-signed certificate, you must stop ABS if it is already running.

## About this task

Complete the following steps to import the CA-signed certificate:

## Steps

1. Export your CA-signed certificate to PKCS12 store by entering the following command:

   ```
   # openssl pkcs12 -export -in <your_CA_cerficate.crt> -inkey <your_certificate_key.key> -out abs.p12 -name <alias_name>
   ```

   |   |                                                                                                                   |
   | - | ----------------------------------------------------------------------------------------------------------------- |
   |   | If you have an intermediate certificate from CA, then append the content to the `<your_CA_certificate>.crt` file. |

   ### Example:

   ```
   # openssl pkcs12 -export -in ping.crt -inkey ping.key -out abs.p12 -name exampleCAcertificate
   Enter Export Password:
   Verifying - Enter Export Password:
   ```

2. Import the certificate and key from the PKCS12 store to Java Keystore by entering the following command:

   ```
   # keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias <alias_name> -storetype jks
   ```

   |   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
   | - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   |   | The command requires the destination keystore password. The destination keystore password entered in the command should be the same password that is configured in the `abs.properties` file.The following is a snippet of the `abs.properties` file where the destination keystore password is stored. The password is obfuscated.```
   # Java Keystore password
   jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4=
   ``` |

   ### Example:

   ```
   # keytool -importkeystore -destkeystore abs.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias exampleCAcertificate -storetype jks

   Importing keystore abs.p12 to abs.jks...
   Enter destination keystore password:
   Re-enter new password:
   Enter source keystore password:
   ```

3. Copy the `abs.jks` file created in step 2 to the `/opt/pingidentity/abs/config/ssl` directory.

4. Start ABS by entering the following command:

   ```
   # /opt/pingidentity/abs/bin/start.sh
   Starting API Behavioral Security 4.0...
   please see /opt/pingidentity/abs/logs/abs/abs.log for more details
   ```

## Next steps

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | ABS supports only TLS 1.1 and TLS 1.2 and requires Open JDK 11.0.2. By default, SSL is enabled between ABS and ASE. If you need to disable SSL, contact the Ping Idenity support team.ABS ships with a default self-signed certificate with Java Keystore at `abs/config/ssl/abs.jks` and the default password set to abs123 in the `abs.properties` file. The default password is obfuscated in the `abs.properties` file. It is recommended to change the default passwords and obfuscate the new passwords. See [Obfuscating ABS keys and passwords](pingintelligence_obfuscating_abs_keys_passwords.html) for steps to obfuscate passwords. |