
After receiving the certificate chain from the external CA:

  • Verify that the externally signed certificate is correct before importing it into the keystore. The Subject Key Identifier extension must match the Subject Key Identifier extension of the original certificate that is being replaced (the SKI is normally derived from the public key, so a mismatch means the CA signed a different key than the one held in the keystore). The Subject DN and any Subject Alternative Names should match what was requested in the CSR. Inspect the certificate with:
    openssl x509 -text -in signedcertificate.pem

In addition, the private key of the s1as certificate has to be taken out of the PKCS12 keystore that was exported earlier.

  • Extract the private key from the newly created PKCS12 keystore. openssl first asks for the keystore's import password and then for a PEM pass phrase; the key written to privatekey.pem is encrypted with that pass phrase, so it cannot be used by anyone who does not know it. Even so, treat the file as sensitive and keep it only for as long as the next step needs it.
    openssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem

Once the externally signed certificate and the encrypted private key have been obtained, use openssl to combine them into a new PKCS12 keystore.

  • Create the new PKCS12 keystore. openssl asks for the pass phrase of the encrypted private key, then for an export password for the new PKCS12 keystore. The export password must be the same as the password of the keystore.jks file, because Payara uses one password for the keystore and the key entry. If the CA delivered its intermediate certificate(s) in a separate file, add them with -certfile chain.pem so that the keystore carries the complete chain. openssl refuses to build the keystore if the certificate does not belong to the private key, which is a useful final sanity check.
    openssl pkcs12 -export -out signedcertificate.p12 -in signedcertificate.pem -inkey privatekey.pem -name s1as
  • Delete the privatekey.pem file now that it is no longer needed.
    rm privatekey.pem
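The whole procedure above, from checking the returned certificate to building the new PKCS12 keystore, as an added shell example that is not part of the Payara documentation. It assumes only that the openssl command line tool is installed. Because the real inputs (keystore.p12 exported from Payara and signedcertificate.pem returned by the CA) are not available offline, the script first constructs stand-ins for them in a temporary directory: an "original" s1as key pair, a throwaway "external CA" that signs a CSR for that key, and a decoy certificate with the same subject but a different key. The password "changeit" and all file names are constructed for the example. Passwords are passed with -passin/-passout so the commands run without prompting; in an interactive run you would omit those and answer the prompts as the text describes.

```shell
#!/bin/sh
# Added example (not Payara's own script). Requires the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS="changeit"   # constructed; must equal the keystore.jks password in a real run

# ---- Constructed fixture: stand-ins for the existing keystore and the external CA ----
make_fixture() {
  # Existing s1as key pair + self-signed certificate, packaged as keystore.p12
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/s1as.key" -out "$WORK/s1as-orig.pem" \
    -days 1 -subj "/CN=payara.example.com" -addext "subjectAltName=DNS:payara.example.com" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/s1as-orig.pem" -inkey "$WORK/s1as.key" -name s1as \
    -out "$WORK/keystore.p12" -passout "pass:$PASS"
  # Throwaway "external CA" that signs a CSR made from the same s1as key
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 \
    -subj "/CN=Example External CA" -addext "basicConstraints=critical,CA:TRUE" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
  openssl req -new -key "$WORK/s1as.key" -out "$WORK/s1as.csr" -subj "/CN=payara.example.com" 2>/dev/null
  printf 'subjectKeyIdentifier=hash\nsubjectAltName=DNS:payara.example.com\n' > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/s1as.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 1 -extfile "$WORK/ext.cnf" -out "$WORK/signedcertificate.pem" 2>/dev/null
  # Decoy: same Subject DN and SAN, but a different key, so its SKI must not match
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/other.key" -out "$WORK/wrongcert.pem" \
    -days 1 -subj "/CN=payara.example.com" -addext "subjectAltName=DNS:payara.example.com" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
}

# ---- Step 1: inspect the returned certificate (what `openssl x509 -text` shows) ----
ski_of()     { openssl x509 -in "$1" -noout -text | awk '/X509v3 Subject Key Identifier/ { getline; gsub(/[[:space:]]/, ""); print; exit }'; }
san_of()     { openssl x509 -in "$1" -noout -text | awk '/X509v3 Subject Alternative Name/ { getline; gsub(/^[[:space:]]+/, ""); print; exit }'; }
subject_of() { openssl x509 -in "$1" -noout -subject; }

# Returns 0 only if the CA-signed cert carries the same SKI, Subject DN and SANs as the original.
verify_signed_cert() {
  orig=$1; signed=$2
  [ -n "$(ski_of "$signed")" ] || { echo "signed cert has no Subject Key Identifier" >&2; return 1; }
  [ "$(ski_of "$orig")" = "$(ski_of "$signed")" ] || { echo "SKI mismatch: CA signed a different key" >&2; return 1; }
  [ "$(subject_of "$orig")" = "$(subject_of "$signed")" ] || { echo "Subject DN mismatch" >&2; return 1; }
  [ "$(san_of "$orig")" = "$(san_of "$signed")" ] || { echo "SAN mismatch" >&2; return 1; }
}

# ---- Step 2: extract the (encrypted) private key from the exported keystore ----
extract_private_key() {   # $1 = keystore.p12, $2 = output PEM
  openssl pkcs12 -in "$1" -nocerts -out "$2" -passin "pass:$PASS" -passout "pass:$PASS"
  chmod 600 "$2"
}

# SHA-256 of the DER public key, from a cert or from a (possibly encrypted) private key
pubkey_sha256_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }
pubkey_sha256_of_key()  { openssl pkey -in "$1" -passin "pass:$PASS" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'; }

# ---- Step 3: build the new PKCS12 keystore with the CA chain included ----
build_new_keystore() {    # $1 = signed cert, $2 = private key, $3 = CA chain, $4 = output .p12
  openssl pkcs12 -export -out "$4" -in "$1" -inkey "$2" -certfile "$3" -name s1as \
    -passin "pass:$PASS" -passout "pass:$PASS"
}

keystore_has_alias() { openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -q "friendlyName: $2"; }
cert_count()         { openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'; }

run_procedure() {
  verify_signed_cert "$WORK/s1as-orig.pem" "$WORK/signedcertificate.pem"
  extract_private_key "$WORK/keystore.p12" "$WORK/privatekey.pem"
  # Belt and braces: the extracted key must be the one the signed certificate was issued for
  [ "$(pubkey_sha256_of_cert "$WORK/signedcertificate.pem")" = "$(pubkey_sha256_of_key "$WORK/privatekey.pem")" ] \
    || { echo "private key does not match signed certificate" >&2; return 1; }
  build_new_keystore "$WORK/signedcertificate.pem" "$WORK/privatekey.pem" "$WORK/ca.pem" "$WORK/signedcertificate.p12"
  rm -f "$WORK/privatekey.pem"    # Step 4: the plaintext-capable key file is no longer needed
  keystore_has_alias "$WORK/signedcertificate.p12" s1as
}

make_fixture
run_procedure && echo "built signedcertificate.p12 with alias s1as and $(cert_count "$WORK/signedcertificate.p12") certificates"
```

verify_signed_cert deliberately rejects the decoy certificate even though its Subject DN and SANs are identical: only the Subject Key Identifier ties the returned certificate to the key already in the keystore, which is why the text puts that comparison first. The -certfile argument is what carries the CA's intermediate certificate(s) into the keystore; without it the new keystore holds only the leaf certificate and clients would have to obtain the chain elsewhere.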


With the new PKCS12 keystore in hand, the existing keystore in Payara can be replaced. Proceed to the "Replacing the Existing Keystore" section.