Product Documentation

To use a new PKCS12 keystore, start by generating a Certificate Signing Request (CSR).

  • Generate a new PKCS12 keystore. If Subject Alternative Names (SANs) are not being used, remove the part of the command beginning with "-ext".
    keytool -genkeypair -alias s1as -keystore newkeystore.p12 -storepass changeit -keypass changeit -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -ext "SAN=DNS:blue.strongkey.com,DNS:red.strongkey.com,DNS:green.strongkey.com"
  • Create a CSR. Replace the DNS entries in the SAN section as appropriate, or remove the section of code beginning with "-ext" if not using SANs. certreq.csr represents the file name of the CSR.
    keytool -certreq -alias s1as -keyalg RSA -file certreq.csr -keystore newkeystore.p12 -ext "SAN=DNS:blue.strongkey.com,DNS:red.strongkey.com,DNS:green.strongkey.com"

In order to view the CSR, use the following command. Verify that the SAN extensions are present and correct.

keytool -printcertreq -file certreq.csr
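
One way to script the SAN check described above before the CSR goes to the CA, as an added example that is not part of the product documentation. The function names check_csr_sans and sample_printcertreq are hypothetical, the sample output is constructed, and the script assumes the "SubjectAlternativeName [" / "DNSName:" layout that keytool -printcertreq prints.

```shell
#!/bin/sh
# Reads `keytool -printcertreq` output on stdin and compares its DNS SANs
# with the expected names given as arguments (case-insensitive).
# Exit status 0 only if both sets are identical.
check_csr_sans() {
    awk -v want="$*" '
        BEGIN {
            n = split(tolower(want), w, " ")
            for (i = 1; i <= n; i++) expected[w[i]] = 1
        }
        # Only DNSName lines inside the SubjectAlternativeName block count.
        /SubjectAlternativeName \[/ { in_san = 1; next }
        in_san && /^[ \t]*\]/       { in_san = 0; next }
        in_san && $1 == "DNSName:"  { found[tolower($2)] = 1 }
        END {
            bad = 0
            for (name in expected)
                if (!(name in found)) { print "MISSING: " name; bad = 1 }
            for (name in found)
                if (!(name in expected)) { print "UNEXPECTED: " name; bad = 1 }
            exit bad
        }
    '
}

# Constructed, abridged sample of printcertreq output (not from a real CSR).
sample_printcertreq() {
    cat <<'EOF'
PKCS #10 Certificate Request (Version 1.0)
Subject: CN=blue.strongkey.com, O=Example
Public Key: 2048-bit RSA key
Signature algorithm: SHA256withRSA

Extension Request:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: blue.strongkey.com
  DNSName: red.strongkey.com
  DNSName: green.strongkey.com
]
EOF
}

# Against a real CSR, replace sample_printcertreq with:
#   keytool -printcertreq -file certreq.csr
sample_printcertreq |
    check_csr_sans blue.strongkey.com red.strongkey.com green.strongkey.com &&
    echo "CSR SANs match"
```

A CSR created without the -ext option carries no SubjectAlternativeName block, so every expected name is reported as MISSING and the check fails.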

 

Get the CSR signed by the external CA. Follow the instructions of the CA service provider to obtain the signed certificate.

After receiving the signed certificate chain from the CA service provider, proceed to the "Importing the Certificate (P12)" section.