  • On the JOC Cockpit server create the keystore using openssl and the keytool from your Java JRE, JDK or other third party utility.
    • For use with a third party utility create a keystore, e.g. https-keystore.p12, in PKCS12 format and import:
      • the JOC Cockpit private key and certificate for Server Authentication
      • the Root CA Certificate
      • Intermediate CA Certificate(s)
    • The examples below describe one possible approach to certificate management; there are other ways to achieve similar results.
      • Example for importing an existing private key and CA-signed certificate to a keystore:

        
        Example how to add a private key and CA-signed certificate to a PKCS12 keystore
        # Assume the fully qualified domain name (FQDN) of the JOC Cockpit server to be ""
        # If the JOC Cockpit CA-signed certificate is provided from a pkcs12 keystore (certificate.p12), extract the JOC Cockpit certificate to a .crt file in PEM format (
        # openssl pkcs12 -in certificate.p12 -nokeys -out
        # Import the JOC Cockpit private key ( and JOC Cockpit certificate ( from PEM format to a new keystore (
        openssl pkcs12 -export -in -inkey -name -out "JETTY_BASE/resources/joc/https-keystore.p12"
        
        Example how to add a private key and CA-signed certificate to a PKCS12 keystore
        # If the JOC Cockpit's private key and certificate are provided with a .jks keystore (keypair.jks) then temporarily convert the keystore to pkcs12 (keystore.p12)
        #   for later use with openssl, assuming the alias name of the JOC Cockpit private key being ""
        # keytool -importkeystore -srckeystore keypair.jks -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias
        # Assuming the JOC Cockpit private key from a pkcs12 keystore (keystore.p12), store the JOC Cockpit private key to a .key file in PEM format (joc-https.key)
        openssl pkcs12 -in keystore.p12 -nocerts -out joc-https.key
        # Concatenate the CA Root certificate and optionally CA Intermediate certificates to a single CA Bundle certificate file (ca-bundle.crt)
        cat RootCACertificate.crt > ca-bundle.crt
        cat CACertificate.crt >> ca-bundle.crt
        # Export the JOC Cockpit private key (joc-https.key), JOC Cockpit certificate (joc-https.crt) and CA Bundle (ca-bundle.crt) in PEM format to a new keystore (https-keystore.p12)
        #   assume the fully qualified domain name (FQDN) of the JOC Cockpit server to be ""
        openssl pkcs12 -export -in joc-https.crt -inkey joc-https.key -chain -CAfile ca-bundle.crt -name -out "JETTY_BASE/resources/joc/https-keystore.p12"
        # If you require use of a .jks keystore type then convert the pkcs12 keystore, assuming the alias name of the JOC Cockpit private key to be ""
        # keytool -importkeystore -srckeystore https-keystore.p12 -srcstoretype PKCS12 -destkeystore https-keystore.jks -deststoretype JKS -srcalias

      • Example for creating a private key and self-signed certificate and importing to a keystore

        • Refer to examples available from JS7 - How to create self-signed X.509 SSL TLS Certificates, chapter Creating a SSL/TLS Server Certificate.

          
          Example how to create a private key and self-signed certificate
          # Creating the private key and self-signed certificate for the given validity period
          ./ --days=365
        • Refer to examples available from JS7 - How to add SSL TLS Certificates to Keystore and Truststore.

          
          Example how to add a private key and certificate to a PKCS12 keystore
          # Adding the private key and certificate to a keystore
          ./ \
              --keystore=JETTY_BASE/resources/joc/https-keystore.p12 \

          When using additional arguments for creation of a truststore then users can skip the later step 3:

          
          Example how to add a private key and certificate to a PKCS12 keystore and the Root CA Certificate to a truststore
          # Adding the private key and certificate to a keystore and Root CA Certificate to a truststore
          ./ \
              --keystore=JETTY_BASE/resources/joc/https-keystore.p12 \
              --truststore=JETTY_BASE/resources/joc/https-keystore.p12 \
              --password="jobscheduler" \
          
          Example how to generate a private key and self-signed certificate for import into a PKCS12 keystore
          # Generate the JOC Cockpit's private key with the "" alias name and certificate in a keystore (https-keystore.p12)
          #   use the fully qualified domain name (FQDN) assumed to be "" and name of your organization for the distinguished name
          #   Note that PKCS12 keystores require the key password and the store password to be the same
          keytool -genkey -alias "" -dname ",O=organization" -validity 1461 -keyalg RSA -keysize 2048 -keypass jobscheduler -keystore "JETTY_BASE/resources/joc/https-keystore.p12" -storepass jobscheduler -storetype PKCS12
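
A check for the keystore produced by the openssl steps above, as an added example that is not part of the original page or of JS7: it confirms that the private key belongs to the server certificate, that `-chain -CAfile` embedded the CA certificates, and that the certificate names the server's FQDN and has not expired. The function names, the `KS_PASS` variable and the constructed demo CA and host name are assumptions of this example.

```shell
# Added example: verify a PKCS12 keystore built with the openssl steps above.
# The store password is read from the exported variable KS_PASS (an assumption
# of this example) so that it does not show up in the process list.
# Usage: export KS_PASS=...; check_keystore <keystore.p12> <fqdn>

# check_keystore <keystore.p12> <fqdn>: prints findings, returns 0 if all pass
check_keystore() {
    p12=$1; fqdn=$2; rc=0
    leaf=$(openssl pkcs12 -in "$p12" -clcerts -nokeys -passin env:KS_PASS 2>/dev/null) \
        || { echo "FAIL: cannot read $p12"; return 2; }
    # 1. The private key in the keystore must belong to the server certificate.
    cert_pub=$(printf '%s\n' "$leaf" | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin env:KS_PASS 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null) || key_pub=
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "FAIL: private key does not match certificate"; rc=1; }
    # 2. -chain -CAfile should have embedded the CA certificate(s) as well.
    n=$(openssl pkcs12 -in "$p12" -nokeys -passin env:KS_PASS 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE') || n=0
    [ "$n" -ge 2 ] || { echo "FAIL: keystore holds no CA chain"; rc=1; }
    # 3. The certificate must name the server's FQDN and must not have expired.
    printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$fqdn" \
        | grep -q 'does match certificate' \
        || { echo "FAIL: certificate is not issued for $fqdn"; rc=1; }
    printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: $p12"
    return "$rc"
}

# make_demo_keystore <dir> <fqdn>: constructed sample input, a throwaway Root CA
# and server certificate exported with the same openssl call as in the steps above.
make_demo_keystore() {
    ( cd "$1" && umask 077 &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca-bundle.crt \
          -subj "/CN=Demo Root CA" -days 2 2>/dev/null &&
      openssl req -new -newkey rsa:2048 -nodes -keyout joc-https.key \
          -out joc-https.csr -subj "/CN=$2" 2>/dev/null &&
      printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
      openssl x509 -req -in joc-https.csr -CA ca-bundle.crt -CAkey ca.key \
          -CAcreateserial -days 2 -extfile san.ext -out joc-https.crt 2>/dev/null &&
      openssl pkcs12 -export -in joc-https.crt -inkey joc-https.key -chain \
          -CAfile ca-bundle.crt -name "$2" -passout env:KS_PASS \
          -out https-keystore.p12 )
}
```

A keystore exported without `-chain -CAfile` fails check 2, which is the case to catch before Jetty serves an incomplete chain to clients.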


  • For JOC Cockpit Server Authentication a truststore technically is not needed. However, the Jetty servlet container requires a truststore to be in place. An empty truststore should not be used; instead, create a truststore that holds the Root CA Certificate.
  • Users who create the truststore with above step 2 can skip this step.
  • On the JOC Cockpit server create the truststore using the keytool from your Java JRE, JDK or some third party utility.
    • For use with a 3rd-party utility create a truststore, e.g. https-truststore.p12, in PKCS12 format and import:
      • Root CA Certificate
    • The examples below suggest one possible approach to certificate management; there may be other ways to achieve similar results.
      • Example for import of a Root CA Certificate to a PKCS12 truststore:

        
        Example how to import a Root CA Certificate to a PKCS12 truststore
        # Import Root CA Certificate in PEM format to a PKCS12 truststore (https-truststore.p12)
        keytool -importcert -alias "root-ca" -file "root-ca.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.p12" -storetype PKCS12
      • Example for import of a Root CA Certificate to a JKS truststore:

        
        Example how to import a Root CA Certificate to a JKS truststore
        # Import Root CA Certificate in PEM format to a JKS truststore (https-truststore.jks)
        keytool -importcert -alias "root-ca" -file "root-ca.crt" -keystore "JETTY_BASE/resources/joc/https-truststore.jks" -storetype JKS
