Set up a keystore

These instructions show how to place a CA certificate and a certificate for the node in a single keystore. You can optionally store the CA certificate in a separate truststore. The configuration for this is discussed later in this section.

First, obtain the root CA certificate from your certificate authority. This certificate is used to verify that any node certificate has been signed by the CA. Store this certificate in a keystore as a trusted certificate. With the simplest configuration, Shield uses a keystore with a trusted certificate as a truststore.

The following shows how to create a keystore from a PEM-encoded certificate. A JKS file is a Java KeyStore file. It securely stores certificates.

keytool -importcert                           \
        -keystore /home/es/config/node01.jks  \
        -file     /Users/Download/cacert.pem  

The -file argument is the Certificate Authority’s own certificate.

The keytool command will prompt you for a password, which will be used to protect the integrity of the keystore. You will need to remember this password as it will be needed for all further interactions with the keystore.

The keystore needs an update when the CA certificate expires.
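
A scripted version of the import above, with checks that the CA landed as a trusted entry and that it is not close to expiry. This is an added example, not part of the original instructions; the alias "ca", the KS_PASS environment variable and the function names are assumptions.

```shell
#!/bin/sh
# Added example: import the CA certificate without prompts, then verify it.
# Assumptions: alias "ca"; keystore password held in the KS_PASS environment
# variable so it does not appear on the command line or in the process list.

# import_ca KEYSTORE CA_PEM
# -noprompt skips the "Trust this certificate?" question, so compare the CA
# fingerprint with the one published by your CA before running this.
import_ca() {
    keytool -importcert -noprompt -alias ca \
            -keystore "$1" -file "$2" -storepass:env KS_PASS
}

# is_trusted_entry KEYSTORE
# True when alias "ca" exists and is a trusted certificate entry (no private key).
is_trusted_entry() {
    LC_ALL=C keytool -list -alias ca -keystore "$1" -storepass:env KS_PASS \
        | grep -q 'trustedCertEntry'
}

# ca_expires_within CA_PEM SECONDS
# True when the certificate expires within SECONDS. An unreadable file also
# returns true, so a missing CA file raises the alert instead of hiding it.
ca_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Usage with the paths from the command above:
#   KS_PASS='...'; export KS_PASS
#   import_ca /home/es/config/node01.jks /Users/Download/cacert.pem
#   is_trusted_entry /home/es/config/node01.jks || echo "CA entry missing" >&2
#   ca_expires_within /Users/Download/cacert.pem 2592000 \
#       && echo "CA certificate expires within 30 days" >&2
```

Running the expiry check on a schedule gives advance notice of when the keystore will need its update.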