--- title: Importing existing CA-signed certificates description: Import existing CA-signed certificates. component: pingintelligence version: 5.2 page_id: pingintelligence:installing_pingintelligence_for_apis:pingintelligence_import_existing_certificates canonical_url: https://docs.pingidentity.com/pingintelligence/5.2/installing_pingintelligence_for_apis/pingintelligence_import_existing_certificates.html revdate: April 3, 2024 section_ids: before-you-begin: Before you begin about-this-task: About this task steps: Steps example: Example: example-2: Example: --- # Importing existing CA-signed certificates Import existing CA-signed certificates. ## Before you begin To import the certificate authority (CA)-signed certificate, stop the API Publish Service if it is already running. ## About this task You can import your existing CA-signed certificate in the API Publish Service. Complete the following steps to import the CA-signed certificate. | | | | - | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | The API Publish Service is shipped with a default self-signed certificate with the Java key store at `/config/ssl/apipublish.jks`. The default password is set in the `apipublish.properties` file. The default password is obfuscated in the file. It is recommended to change the default passwords and obfuscate the new passwords. See [Obfuscating passwords](pingintelligence_api_publish_service_obfuscating_passwords.html) for steps to obfuscate passwords. | ## Steps 1. Export your CA-signed certificate to the PKCS12 store by entering the following command: ``` # openssl pkcs12 -export -in -inkey -out abs.p12 -name ``` ### Example: ``` # openssl pkcs12 -export -in ping.crt -inkey ping.key -out abs.p12 -name exampleCAcertificate Enter Export Password: Verifying - Enter Export Password: ``` | | | | - | ------------------------------------------------------------------------------------------------------------------- | | | If you have an intermediate certificate from a CA, then append the content to the `.crt` file. | 2. Import the certificate and key from the PKCS12 store to the Java key store by entering the command below. ``` # keytool -importkeystore -destkeystore apipublish.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias -storetype jks ``` The command requires the destination key store password. The destination key store password entered in the command should be same that is configured in the `apipublish.properties` file. The following is a snippet of the `apipublish.properties` file where the destination key store password is stored. The password is obfuscated. ``` # Java Keystore password jks_password=OBF:AES:Q3vcrnj7VZILTPdJnxkOsyimHRvGDQ==:daYWJ5QgzxZJAnTkuRlFpreM1rsz3FFCulhAUKj7ww4= ``` ### Example: ``` # keytool -importkeystore -destkeystore apipublish.jks -srckeystore abs.p12 -srcstoretype PKCS12 -alias exampleCAcertificate -storetype jks Importing keystore apipublish.p12 to abs.jks... Enter destination keystore password: Re-enter new password: Enter source keystore password: ``` 3. Copy the `apipublish.jks` file created in step 2 to `/config/ssl` directory. 4. Start the API Publish Service by running the following command: ``` # ./bin/start.sh ```