Creating Integration Server Keys and Certificates
Use a standard certificate management tool, such as OpenSSL or Portecle, to generate a private/public key pair for Integration Server. Then, place the public key in a certificate signing request (CSR).
After creating the CSR, send to the CA to sign the CSR. Request the certificate in DER format. If you receive a certificate in PEM format (or any format other than DER), you need to convert it to DER format.
The signing CA's certificate attests to the identity of the CA that signed the digital certificate for the Integration Server. The CA should send this certificate to you when it sends you the digital certificate for the Integration Server.
Once you receive your signed certificate from the CA, you need to import the certificate into a keystore. You will then have an SSL certificate and private key to use with Integration Server.
In general, you will repeat the steps after creation of the key pair about every year or two years, at the time you need to renew the certificate.
If certificates contain certificate extensions that you want Integration Server to validate, set the watt.security.cert.wmChainVerifier.enforceExtensionsChecks server configuration property to true.
Note:
The above process is described in general terms. The procedures may vary somewhat, depending upon the CA that you use.