Many of our users use Let’s Encrypt to get free certificates for their public-facing light-4j instances, for example light-router acting as an external access point or as a BFF for single-page applications. In the Let’s Encrypt tutorial, we showed how to get the certificate and key with certbot. In this tutorial, we walk through the steps to convert the full chain certificate and the key into a server.keystore file.
Cert and Key
Once the certbot command completes successfully, two files are written to your default cert directory.
A self-signed keystore can be created easily with the keytool command. But if you have a private key and a CA-signed certificate for it, you cannot create a keystore with a single keytool command.
Here are the steps to follow.
Create a PKCS 12 file from your private key and its CA-signed certificate. You can use the openssl command for this. Set the alias to server, because light-4j looks for this alias name in server.keystore. If you don’t specify the alias and there is only one key/certificate in the store, light-4j still works, but the /server/info endpoint won’t return the fingerprint of the certificate.
openssl pkcs12 -export -in [path to certificate] -inkey [path to private key] -certfile [path to certificate] -name [alias] -out server.p12
As an example, assume that I have a private key called “privkey.pem” and a full chain certificate called “fullchain.pem” in the current folder.
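A check for this step, added here as an example that is not part of the original tutorial: it refuses to build server.p12 when the private key does not belong to the leaf certificate, then reads the alias and fingerprint back from the file. The function names and the `changeit` password are assumptions made for the illustration; the file names are the ones assumed above.

```shell
#!/bin/sh
# Added example (not from the tutorial): package key + chain as PKCS 12 under the
# alias light-4j looks for, then verify the result. P12_PASS is a constructed sample.
ALIAS=server
P12_PASS=changeit

# SHA-256 over the DER public key of the first (leaf) certificate in a PEM file
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER public key derived from a private key
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# True only when the private key belongs to the leaf certificate
key_matches_cert() {
    [ "$(key_pubkey_hash "$1")" = "$(cert_pubkey_hash "$2")" ]
}

# make_p12 <private key> <full chain> <output>: same options as the tutorial's command
make_p12() {
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    ( umask 077   # the output holds the private key: keep it owner-only
      openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$2" \
          -name "$ALIAS" -out "$3" -passout "pass:$P12_PASS" )
}

# Alias (friendlyName) stored with the key's certificate in the PKCS 12 file
p12_alias() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12_PASS" 2>/dev/null |
        sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# SHA-256 fingerprint of that certificate, for comparison with the issued one
p12_fingerprint() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$P12_PASS" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Run against the tutorial's file names when they exist in the current folder
if [ -f privkey.pem ] && [ -f fullchain.pem ]; then
    make_p12 privkey.pem fullchain.pem server.p12 &&
        echo "alias=$(p12_alias server.p12) sha256=$(p12_fingerprint server.p12)"
fi
```

If the printed alias is not `server`, or the fingerprint differs from that of the certificate certbot issued, rebuild the file before converting it to server.keystore.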