
Install a trusted security certificate

To be classified as trusted, a security certificate has to be digitally signed by an official certification authority (CA). There are two ways to create this type of security certificate in FirstSpirit: either via openssl or via the keytool provided by Java. Certificates created via openssl are advantageous, since any other web server, e.g. Apache, IIS, Tomcat, etc., can use them. A certificate created via keytool can only be used for Java-based web servers.

Create a security certificate via keytool

A private key is generated first. To achieve this, enter the following command after changing to the FirstSpirit Server installation directory:

keytool -genkey -keystore conf/fs-keystore.jks -storepass changeit -alias <alias> -keyalg RSA -keysize 2048 -validity 3650

The key length and the validity in days are specified by “-keysize” and “-validity” respectively. If the key password is requested, specify the same as for “-storepass”. If the “first and last name” are requested, enter the fully qualified host name as visible to the client, e.g.

In the next step, a certification request has to be generated:

keytool -certreq -keystore conf/fs-keystore.jks -storepass changeit -alias <alias> -file request.csr

The file “request.csr” is subsequently sent to the certification authority. Import the received response certificate (public.pem) into the keystore:

keytool -import -trustcacerts -keystore conf/fs-keystore.jks -storepass changeit -alias <alias> -file public.pem

If the certification authority issued the certificate via a hierarchy (certificate chain), all certificates in the hierarchy must either already exist in the certificate store of the Java VM or must be imported into the certificate store. Otherwise keytool issues the error message “Failed to establish chain from reply”. To import the certificates of the hierarchy, the command must be called once for each file, each time with a different value for “-alias”, e.g. the file name:

keytool -import -trustcacerts -keystore conf/fs-keystore.jks -storepass changeit -alias chain_CA_1 -file certificate1

Certification authorities sometimes send certificates in a format that keytool cannot read. These certificates can be converted with OpenSSL, e.g.:

openssl x509 -in public.crt -out public.pem -outform PEM

Generate a security certificate via openssl

Generate the private key first:

openssl genrsa -out private.key 2048

A certification request is then created (request.csr) and subsequently transferred to the certification authority (CA) for signing:

openssl req -new -key private.key -out request.csr

The certification authority subsequently returns the signed public key (“certificate”), usually in PEM format, as a text file (public.pem) which begins with “-----BEGIN CERTIFICATE-----”. The private key and the signed public key have to be combined in a keystore in PKCS12 format for the FirstSpirit web server. To do so, change to the FirstSpirit Server installation directory and enter the following command to create the keystore. Select a password for the keystore. This password is subsequently entered into the web server configuration. “changeit” has been selected in the example.

openssl pkcs12 -inkey private.key -in public.pem -export -out conf/fs-keystore.p12 -caname root
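
A pre-flight check that can be run before the pkcs12 export above (an added example, not part of the FirstSpirit documentation): it confirms that public.pem carries the public key belonging to private.key and that the certificate is not about to expire. The function names, the 30-day threshold and the self-signed sample certificate are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before the pkcs12 export.

# Exit 0 if the certificate carries the public key of the private key,
# 1 if the two do not belong together, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Exit 0 if the certificate is still valid N days from now (default 30).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-30} * 86400 )) >/dev/null 2>&1
}

# Run both checks and print a one-line verdict.
preflight() {
    if ! key_matches_cert "$1" "$2"; then
        echo "FAIL: $2 does not match $1 (or a file is unreadable)"; return 1
    fi
    if ! cert_valid_for_days "$2" 30; then
        echo "FAIL: $2 expires within 30 days"; return 1
    fi
    echo "OK: key and certificate match"
}

# Constructed sample input: a self-signed certificate stands in for the CA
# reply, and other.key plays the role of a key from a different request.
make_sample() {
    openssl genrsa -out "$1/private.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/private.key" -subj "/CN=fs.example.test" \
        -days 90 -out "$1/public.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_sample "$demo_dir"
preflight "$demo_dir/private.key" "$demo_dir/public.pem"
preflight "$demo_dir/other.key" "$demo_dir/public.pem" || true
```

In practice, call preflight with the real private.key and the public.pem returned by the CA; a mismatch usually means the certificate was issued for a different request.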

© 2005 - 2023 Crownpeak Technology GmbH | All rights reserved. | FirstSpirit 2023.12