Import an Existing Keypair into the Keystore Using the Command Line

These steps describe how to import an existing key pair (a private key and its signed certificate) into the Controller keystore. We'll step through this scenario assuming that the existing private key and certificate need to be converted to a format compatible with the Java keystore, say from DER format to PKCS #12. You'll use OpenSSL to combine the private key and certificate into a PKCS #12 file, and then use keytool to import that file into the Controller's keystore.

Most Linux distributions include OpenSSL. If you are using Windows or your Linux distribution does not include OpenSSL, you may find more information on the OpenSSL website.

This assumes that we have the following files:

  • private key: private.key
  • signed public key: cert.crt
  • CA root chain: ca.crt

The private key you use for the following steps must be unencrypted (plain text, not password-protected). When you convert it to PKCS #12 keystore format, you must assign the default password (changeit) to the resulting file.

  1. Use OpenSSL to combine your existing private key and public key into a compatible Java keystore:

    openssl pkcs12 -inkey private.key -in cert.crt -export -out keystore.p12
  2. If the Controller is still running, stop it.
  3. Change to the keystore directory:

    cd <Controller_home>/appserver/jetty/etc/
  4. Create a backup of the keystore file. For example, on Linux, you can run:

    cp keystore.jks keystore.jks.backup

    On Windows, you can use the copy command in a similar manner.

  5. Delete the self-signed certificate with alias s1as from the default keystore:

    keytool -delete -alias s1as -keystore keystore.jks
  6. Import the PKCS #12 key into the default keystore:

    keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
  7. Update the alias name on the key pair you just imported:

    The alias name should be s1as. Do not change it from this name.

    keytool -changealias -alias "1" -destalias "s1as" -keystore keystore.jks
  8. Change the password of the imported private key:

    keytool -keypasswd -keystore keystore.jks -alias s1as -keypass <.p12_file_password> -new <password>

    For the new private key password, use the default (changeit) or, if you have changed the keystore master password as described in Change Keystore Password, that master password.

  9. If you get the error "Failed to establish chain from reply", install the issuing Certificate Authority's root and any intermediate certificates into the keystore. The root CA chain establishes the validity of the CA signature on your certificate. Although most common root CA chains are included in the cacerts.jks truststore, you may need to import additional root certificates. To do so:

    keytool -import -alias <Any_alias> -file <path_to_root_or_intermediate_cert> -keystore <Controller_home>/appserver/jetty/etc/cacerts.jks

    When done, try importing the signed certificate again.

  10. Start the Controller.
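The same procedure assembled as a script, as an added example that is not part of the original page: it runs steps 1 and 4 through 7 non-interactively and then checks that the imported s1as entry is a private key with a complete certificate chain before you start the Controller. CONTROLLER_HOME and STOREPASS are assumed environment variables; the -certfile ca.crt flag is an addition that carries the CA chain listed above into the PKCS #12 file, and exporting that file with the keystore password makes step 8 unnecessary.

```shell
#!/bin/sh
# Added example (not from the original page): runs steps 1 and 4-7 above
# non-interactively, then checks the imported entry before the Controller is
# restarted. File names, alias s1as and the "changeit" default are the page's;
# CONTROLLER_HOME and STOREPASS are assumed environment variables.
set -eu

# verify_listing: reads `keytool -list -v` output on stdin and succeeds only
# if the given alias is a PrivateKeyEntry whose chain has at least two
# certificates (leaf plus CA), i.e. the chain was actually established.
verify_listing() {
  awk -v want="$1" '
    /^Alias name:/               { alias = $3 }
    /^Entry type:/               { if (alias == want) type = $3 }
    /^Certificate chain length:/ { if (alias == want) len = $4 }
    END { exit !(type == "PrivateKeyEntry" && len + 0 >= 2) }'
}

import_keypair() {
  etc="${CONTROLLER_HOME:?set CONTROLLER_HOME first}/appserver/jetty/etc"
  pass="${STOREPASS:-changeit}"   # page default; use the master password if changed
  p12="$(pwd)/keystore.p12"

  # Step 1, with -certfile added so the CA chain travels with the key pair.
  # Exporting with the keystore password means step 8 (keypasswd) is not needed.
  openssl pkcs12 -export -inkey private.key -in cert.crt -certfile ca.crt \
    -passout "pass:$pass" -out "$p12"

  cd "$etc"
  cp keystore.jks "keystore.jks.backup.$(date +%Y%m%d%H%M%S)"   # step 4

  # Step 5: remove the self-signed s1as entry only if it is present
  if keytool -list -keystore keystore.jks -storepass "$pass" -alias s1as >/dev/null 2>&1; then
    keytool -delete -alias s1as -keystore keystore.jks -storepass "$pass"
  fi

  # Steps 6-7: import the PKCS #12 file, then rename alias 1 to s1as
  keytool -importkeystore -srckeystore "$p12" -srcstoretype pkcs12 -srcstorepass "$pass" \
    -destkeystore keystore.jks -deststoretype JKS -deststorepass "$pass"
  keytool -changealias -alias 1 -destalias s1as -keystore keystore.jks -storepass "$pass"

  # Do not start the Controller until the new entry verifies
  keytool -list -v -keystore keystore.jks -storepass "$pass" | verify_listing s1as
}

# Run only when invoked as `sh import_keypair.sh run`
if [ "${1:-}" = "run" ]; then import_keypair; fi
```

If verify_listing fails after the import, the chain is incomplete and step 9 (importing the root and intermediate certificates into cacerts.jks) applies before retrying.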