Create the Keystore

A keystore contains private keys and certificates with their corresponding public keys.

To create a keystore for Red5 Pro’s embedded Tomcat, we expect to have our full certificate chain in PEM format; if you have your certificate, root, and intermediate certificates in some other format or in separate files, you’ll need to convert and consolidate them per your certificate authority’s instructions.

The first step is to export our keys and certs into a PKCS12-formatted file. When prompted for a password, enter one and make note of it, since it will be needed throughout this process:

sudo openssl pkcs12 -export \
  -in /etc/letsencrypt/live/ssl.example.com/fullchain.pem \
  -inkey /etc/letsencrypt/live/ssl.example.com/privkey.pem \
  -out /etc/letsencrypt/live/ssl.example.com/fullchain_and_key.p12 \
  -name tomcat

The command has been split across lines with \ and a carriage return for clarity.

It is important to note that the tomcat alias must be provided as-is.

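Now we create the Java Keystore (don’t forget to substitute your own password for changeit and your domain name for ssl.example.com; -srcstorepass must be the password you entered during the PKCS12 export):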

sudo keytool -importkeystore \
  -deststorepass changeit \
  -destkeypass changeit \
  -destkeystore /etc/letsencrypt/live/ssl.example.com/keystore.jks \
  -srckeystore /etc/letsencrypt/live/ssl.example.com/fullchain_and_key.p12 \
  -srcstoretype PKCS12 \
  -srcstorepass changeit \
  -alias tomcat
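
The two steps above as a scripted, checked procedure (an added example, not Red5 Pro's own tooling): it confirms the private key matches the certificate, reads the password from an environment variable instead of the command line, and verifies the tomcat alias after each step. The function names and the KS_PASS variable are assumptions of this example.

```bash
#!/bin/sh
# Added example, not Red5 Pro code. Function names and KS_PASS are assumptions.
# KS_PASS must be exported before calling these functions; passing it through
# the environment keeps the password value out of each command's argument list.

# Succeeds only if the private key belongs to the first (leaf) cert in the chain.
key_matches_cert() (       # $1 = fullchain.pem, $2 = privkey.pem
  c=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
  k=$(openssl pkey -in "$2" -pubout) || exit 1
  [ -n "$c" ] && [ "$c" = "$k" ]
)

# Step 1 from the page: chain + key -> PKCS12 under the alias "tomcat".
make_p12() (               # $1 = fullchain.pem, $2 = privkey.pem, $3 = out.p12
  umask 077                # output holds the private key: owner-only permissions
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" \
    -name tomcat -passout env:KS_PASS
)

# The alias is stored as the PKCS12 "friendlyName" attribute.
p12_has_tomcat_alias() (   # $1 = file.p12
  openssl pkcs12 -in "$1" -nokeys -passin env:KS_PASS 2>/dev/null |
    grep -q 'friendlyName: tomcat'
)

# Step 2 from the page: PKCS12 -> Java keystore, same alias.
make_jks() (               # $1 = file.p12, $2 = keystore.jks
  umask 077
  keytool -importkeystore -noprompt \
    -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
    -destkeystore "$2" -deststorepass:env KS_PASS -destkeypass:env KS_PASS \
    -alias tomcat
)

# Tomcat needs a private-key entry under the alias, not just a certificate.
jks_has_tomcat_key() (     # $1 = keystore.jks
  keytool -list -keystore "$1" -storepass:env KS_PASS -alias tomcat 2>/dev/null |
    grep -q 'PrivateKeyEntry'
)

# Whole procedure; stops at the first failed step or check.
build_keystore() {         # $1 = e.g. /etc/letsencrypt/live/ssl.example.com
  key_matches_cert "$1/fullchain.pem" "$1/privkey.pem" &&
    make_p12 "$1/fullchain.pem" "$1/privkey.pem" "$1/fullchain_and_key.p12" &&
    p12_has_tomcat_alias "$1/fullchain_and_key.p12" &&
    make_jks "$1/fullchain_and_key.p12" "$1/keystore.jks" &&
    jks_has_tomcat_key "$1/keystore.jks"
}
```

Run it as a user that can read privkey.pem, with KS_PASS exported in that user's environment; sudo usually resets the environment, so export the variable inside the root shell rather than before calling sudo.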