After receiving the certificate chain from the external CA, it must be imported into a new PKCS12 keystore. If a certificate chain file was not received and instead the certificates are separate, skip the following command.

In the following command, "chain.pem" represents the certificate chain file from the external CA.

• Import the certificate chain into the PKCS12 keystore
  

  keytool -import -keystore newkeystore.p12 -alias s1as -keypass changeit -storepass changeit -file chain.pem
  

If the CA certificate and the signed certificate are packaged separately, they will have to be imported one at a time into a new PKCS12 keystore. Import the CA certificate first before importing the signed certificate.

If a certificate chain file was received instead of separate certificates, then skip the following two commands.

In the two following commands, cacert.pem represents the CA certificate and signedcert.pem represents the signed certificate from the external CA.

• Import the CA certificate into the keystore first.
  

  keytool -import -keystore newkeystore.p12 -alias cacert -keypass changeit -storepass changeit -file cacert.pem
  

• Import the signed certificate into the keystore.
  

  keytool -import -keystore newkeystore.p12 -alias s1as -keypass changeit -storepass changeit -file signedcert.pem

With the new PKCS12 keystore, the old existing keystore in Payara can be replaced. Proceed to the "Replacing the Existing Keystore" section.