Install the newly signed certificate

Replace the existing unsigned certificate by importing the new signed certificate from your CA into the node keystore:

keytool -importcert                       \
        -keystore   node01.jks            \
        -file       node01-signed.crt     \ 
        -alias      node01                  

This name of the signed certificate file that you received from the CA.

The alias must be the same as the alias that you used in Generate a node private key and certificate.

Note

keytool confuses some PEM-encoded certificates with extra text headers as DER-encoded certificates, giving this error: java.security.cert.CertificateParsingException: invalid DER-encoded certificate data. The text information can be deleted from the certificate. The following openssl command will remove the text headers:

openssl x509 -in node01-signed.crt -out node01-signed-noheaders.crt