What Do You Need?

  • openssl to generate a self-signed certificate and/or to convert a certificate to PKCS12 format. This should be available on most OS.
  • keytool to import certificates into a keystore. The executable can usually be found in the "bin" directory of any Java installation.

1. Create a Self-Signed PKCS12 Certificate

You can skip this section if you already have a certificate.

To create a self-signed certificate, execute the following commands on the command line (note: you will require openssl and keytool):

1.1. Create a private key. You will have to enter a password for this private key:

openssl genrsa -des3 -out myCert.key

1.2. Create a certificate using the private key. You will have to enter the key's password from (1.1).

openssl req -new -x509 -key myCert.key -out myCert.crt

2. Convert a certificate into PKCS12 format

You can skip this section if your certificate is already in PKCS12 format.

2.1. Convert the certificate into PKCS12 format. You will have to enter a new password for the certificate and you will have to enter the key's password from (1.1). The password is the certificate password:

openssl pkcs12 -inkey myCert.key -in myCert.crt -export -out myCert.pkcs12

IMPORTANT: if you are using a self-signed certificate, some clients (especially browsers) need to accept the certificate before they can make calls over SSL to your server. These calls will fail due to security restrictions if the certificate was not accepted by the client first.

3. Import the PKCS12 certificate into your keyStore

keytool -importkeystore -srckeystore myCert.pkcs12 -srcstoretype PKCS12 -destkeystore /path/to/your/keystore

Make sure that PDFreactor has sufficient privileges to access the keyStore on the file system. When using the PDFreactor Web Service, a recommended location for the keyStore is "PDFreactor/jetty/etc/keystore".

The destination keyStore password is a new password (the keyStore password), the source keyStore password is the certificate password from (2.1) or the password from your existing certificate.

If the keyStore already exists, remove or rename it before creating the new keyStore.