Generating a PKCS#12 file for Certificate Authority

PKCS#12 (P12) files define an archive file format for storing cryptographic objects as a single file. API Connect supports the P12 file format for uploading a keystore and truststore. The keystore should contain both a private and public key along with intermediate CA certificates.

Before you begin

To complete the tasks described in this topic, you must have access to the TLS Profiles page of the Cloud Manager. For more information on which user roles have access, see Adding users and assigning roles.

Before you can generate a P12 file, you must have a private key (for example, key.pem), a certificate signed by a Certificate Authority (for example, certificate.pem), and one or more certificates from the CA (known as intermediate CA certificates).
Note: If your certificate file contains more than one certificate, you must manually split the file and create a single file for each entry. Each entry must be bound by the following markers:
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Procedure

  1. If you have intermediate certificates from your CA, concatenate them into a single pem file to build your caChain. Be sure to enter a new line following each certificate's data.
    cat ca1.pem ca2.pem ca3.pem > caChain.pem
    cat caChain.pem
    -----BEGIN CERTIFICATE-----
    MIIEpjCCA46gAwIBAgIQEOd26KZabjd+BQMG1Dwl6jANBgkqhkiG9w0BAQUFADCB
    ...
    lQX7CkTJn6lAJUsyEa8H/gjVQnHp4VOLFR/dKgeVcCRvZF7Tt5AuiyHY
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv
    ...
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
    ...
    -----END CERTIFICATE-----
  2. Create the P12 file including the private key, the signed certificate and the CA file you created in step 1, if applicable. Omit the -CAfile option if you don't have CA certificates to include.
    The following command uses OpenSSL, an open source implementation of the SSL and TLS protocols.
    openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12 -CAfile caChain.pem -chain
  3. In the Cloud Manager, click TLS Profiles.
  4. In the Present Certificate section, click the Upload Certificate icon.
  5. Click Select File, browse for the certificate file that you want to present for authentication, and click Open.
    Note:
    • API Connect supports only the P12 (PKCS12) format file for the present certificate.
    • Your P12 file must contain the private key, the public certificate from the Certificate Authority, and all intermediate certificates used for signing.
    • Your P12 file can contain a maximum of 10 intermediate certificates.
  6. In the Password text field, enter the password for the certificate file.
    Note: The present certificate must be password protected.
  7. Click Upload.
    The certificate is populated.
  8. To validate the certificate, move the slider labeled Request and validate the certificate against the supplied CAs in the truststore to the On position.
  9. In the Trust Store section, click the Upload Certificate icon.
  10. Click Select File, browse for the certificate file that you want to present for authentication, and click Open.
  11. In the Password text field, enter the password for the certificate file.
  12. Click Upload.
    The certificate is populated.
  13. Expand the Protocols section to display the SSL and TLS versions.
  14. Use the check boxes to indicate the SSL or TLS version.
  15. Click Save.
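
The note about splitting multi-certificate files and step 1 of the procedure can be scripted so that the marker, newline and 10-certificate rules are checked before the P12 is built. The following is an added example, not part of the original topic or of API Connect; the function names, file names and the --demo switch are hypothetical, and the demo input is constructed placeholder data rather than real certificates.

```bash
#!/usr/bin/env bash
# Added example; function and file names are hypothetical, not part of API Connect.
MAX_INTERMEDIATES=10   # limit stated in the upload note on this page

# split_pem_bundle BUNDLE OUTDIR: write each BEGIN/END CERTIFICATE entry to
# OUTDIR/cert-N.pem, dropping text outside the markers; prints the entry count.
split_pem_bundle() {
  mkdir -p "$2" || return 1
  awk -v dir="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { sub(/\r$/, ""); print > out }
    /^-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
    END { print n + 0 }' "$1"
}

# build_ca_chain OUT CERT...: concatenate single-certificate files, forcing a
# newline after each one so an END marker never fuses with the next BEGIN
# (plain `cat` does not add one when a file lacks a trailing newline).
build_ca_chain() {
  local out=$1 f tmp; shift
  if [ "$#" -gt "$MAX_INTERMEDIATES" ]; then
    echo "refusing: $# intermediates, limit is $MAX_INTERMEDIATES" >&2; return 1
  fi
  tmp=$(mktemp) || return 1
  for f in "$@"; do
    if [ ! -r "$f" ] ||
       [ "$(grep -c '^-----BEGIN CERTIFICATE-----' "$f")" -ne 1 ] ||
       [ "$(grep -c '^-----END CERTIFICATE-----' "$f")" -ne 1 ]; then
      echo "refusing: $f is not a single-certificate PEM file" >&2
      rm -f "$tmp"; return 1
    fi
    awk '{ sub(/\r$/, ""); print }' "$f" >> "$tmp"   # awk always ends the last line
  done
  mv "$tmp" "$out"
}

# Demo on constructed input: placeholder base64, CRLF endings, no final newline.
demo() {
  local d; d=$(mktemp -d) || return 1
  printf -- '-----BEGIN CERTIFICATE-----\r\nQUFB\r\n-----END CERTIFICATE-----\r\nsubject=junk\r\n-----BEGIN CERTIFICATE-----\r\nQkJC\r\n-----END CERTIFICATE-----' > "$d/bundle.pem"
  split_pem_bundle "$d/bundle.pem" "$d/split"
  build_ca_chain "$d/caChain.pem" "$d"/split/cert-*.pem && cat "$d/caChain.pem"
  rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The chain file that build_ca_chain writes can be passed to the -CAfile option in step 2 in place of the output of the plain cat command.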