Keystore and Truststore configuration

Access Point private and public certificate configuration

In the case of Domibus, as an example of an Access Point:

  • Your keystore contains the private certificate of your Access Point, while your truststore contains only the public certificate of the other party's (or parties') Access Point.
  • Add only the public certificate of the other party's (or parties') Access Point to your truststore, not your own public certificate.

Keystore creation

Now that the Private key has been retrieved, we can either create a .jks or a .p12 keystore file so that it can be used in the configuration of Domibus (keystore section of domibus.properties).
The next 2 sections describe the procedure for both options.

OPTION1: JKS Keystore (preferred option)

The Keystore JKS file is used to contain the National Contact Point's own Private and Public Keys also known as the Key Pair.

  1. Start portecle.jar (or any other suitable installed tool)
  2. Click on File then New Keystore
  3. Select JKS then click on OK
  4. Click on the Import Key Pair icon
  5. Locate your exported private key file (.pfx)
  6. Enter a Password then click on OK
  7. Click on OK
  8. Enter an Alias then click on OK
  9. Enter Key Pair Password
  10. Click on OK
  11. Save your Keystore
  12. Set a Password for the Keystore then click on OK
  13. Choose the location and a name for the Keystore then click on OK


Configuration changes in domibus.properties for the .JKS option:
domibus.properties (for version 3.3 and after) has to be updated with the keystore details, including the JKS keystore file, the chosen certificate alias and the password, as shown in the example below:
domibus.properties:

OPTION2: PKCS12 Keystore (optional special request by some users)

We need to make sure that the correct Alias is used in the PKCS12 Keystore, then rename it to have a .p12 extension instead of the default .pfx extension.

  1. Start portecle.jar and choose Open Keystore File
  2. Select the .pfx private key that was exported earlier
  3. Enter the password
  4. Right click and choose rename
  5. Replace the Alias with a new name
  6. Enter the password for the key-pair
  7. Save the Keystore
  8. Exit
  9. Change the Keystore file extension from .pfx to .p12 (e.g.: ren blue_cert.pfx blue_cert.p12)

Configuration changes in domibus.properties for the .PKCS12 option:
domibus.properties (for version 3.3 and after) has to be updated with the keystore details, including the PKCS12 keystore file, the chosen certificate alias and the password, as shown in the example below:
domibus.properties:

Truststore creation


Now that the public key has been retrieved, we can include it in a newly created (or existing) .jks keystore file, called the truststore file (public keys), which will be used in the configuration of Domibus (truststore section of domibus.properties).
These are the steps to follow:

  1. Run Portecle, click on File then New Keystore (or Open Keystore File if it already exists)
  2. Click on the Import Trusted Certificate menu option
  3. Select the public key that you exported (.cer extension) then click on Import
  4. Click on OK
  5. Click on OK
  6. Click on Yes
  7. Enter an Alias for the Trusted Certificate (e.g.: blue_cert)
  8. Click on OK
  9. Save Keystore
  10. Choose a password for the keystore
  11. Choose a name for the Keystore (e.g.: blue_red_truststore.jks)


NOTE: Steps 2 to 13 can be repeated to import other public keys into the Truststore.
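
The split described at the top of this page (own key pair in the keystore, only the other parties' public certificates in the truststore) can be checked on the finished .jks files. The following is an added example, not part of the original page and not Domibus or Portecle code: a small Python reader for the JKS file layout plus a check of that rule. The function names are illustrative, and PKCS12 stores are not handled.

```python
# Added example: names below are illustrative, not Domibus or Portecle APIs.
import struct

MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2


def read_jks(data):
    """Parse a JKS v2 store into [(alias, tag, [certificate DER, ...]), ...]."""
    magic, version, count = struct.unpack_from(">III", data)
    if magic != MAGIC or version != 2:
        raise ValueError("not a JKS version 2 store")
    # Last 20 bytes: password-keyed SHA-1 digest, not verified (no password needed).
    body, pos, entries = data[:-20], 12, []

    def field(fmt):  # read one length-prefixed field; fmt is the length's type
        nonlocal pos
        (n,) = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt) + n
        if pos > len(body):
            raise ValueError("truncated store")
        return body[pos - n:pos]

    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        if tag not in (PRIVATE_KEY, TRUSTED_CERT):
            raise ValueError(f"unknown entry tag {tag}")
        pos += 4
        alias = field(">H").decode("utf-8")
        pos += 8  # skip the creation timestamp
        chain_len = 1  # a trusted-certificate entry holds exactly one certificate
        if tag == PRIVATE_KEY:
            field(">I")  # encrypted PKCS#8 private key, skipped
            (chain_len,) = struct.unpack_from(">I", body, pos)
            pos += 4
        certs = [(field(">H"), field(">I"))[1] for _ in range(chain_len)]  # type, DER
        entries.append((alias, tag, certs))
    return entries


def audit(keystore, truststore, own_alias):
    """Return findings against the keystore/truststore split described on this page."""
    own = next((c[0] for a, t, c in keystore
                if a.lower() == own_alias.lower() and t == PRIVATE_KEY and c), None)
    findings = [] if own else [f"keystore: no private key under alias {own_alias!r}"]
    for alias, tag, certs in truststore:
        if tag == PRIVATE_KEY:
            findings.append(f"truststore: {alias!r} is a private key entry")
        elif own and certs[0] == own:
            findings.append(f"truststore: {alias!r} is this Access Point's own certificate")
    return findings
```

Read each .jks file in binary mode, pass the bytes to read_jks, and give audit the alias chosen when the key pair was imported; an empty list means the two stores match the split described above.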
Configuration changes in domibus.properties for the JKS/PKCS12 option:
domibus.properties (for version 3.3 and after) has to be updated with the truststore details, including the JKS/PKCS12 truststore file and password, as shown in the example below:
domibus.properties (with PKCS12 option):

Contact Information

eDelivery Support Team
By email: EC-EDELIVERY-SUPPORT@ec.europa.eu
Support Service: 8am to 6pm (Normal EC working Days)
