This tool generates a PKCS12 key store containing the public certificates published by the ITSG Trust Center. The generated key store can, for example, be used by the DiGA API Client or secon-tool.
Download the latest generator release from here, and download the latest annahme-rsa4096.key file from the ITSG Trust Center website (direct link to key).
Use the following command to generate a key store containing all the public certificates. It will prompt you for a password which will be used to secure the key store.
java -jar secon-keystore-generator-<version>.jar -k <insurance-keys-input-filename> -s <key-store-output-filename>
You can also generate a key store that contains all public certificates and additionally embeds your own certificate and private key.
For example, this could then be the only certificate file you need for the DiGA API Client.
To do this, you also need these files:
- Your private key. This must be a PKCS#1 `.pem` file which contains only the private key; it should start with `-----BEGIN RSA PRIVATE KEY-----`. When you created your keys to send to ITSG, you saved this somewhere.
- The certificate chain you received from ITSG. When ITSG approves your certificate application they send you some files. There should be a `.p7c` file among them which contains your certificate chain.
java -jar secon-keystore-generator-<version>.jar \
-k <insurance-keys-input-filename> \
-s <key-store-output-filename> \
-p <private-key-filename> \
-c <private-certificate-chain-filename>
For example,
java -jar secon-keystore-generator.jar -k annahme-rsa4096.key -p my.prv.key.pem -c my.chain.p7c
will prompt you for a password and generate a file called certificates.p12 (the output name used when -s is omitted), which contains all public certificates as well as your own certificate chain and private key under the alias `private`.
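Once the key store has been generated it is worth checking it before handing it to a client: that the password opens it, that the `private` entry holds a key whose modulus matches its leaf certificate, and that none of the public certificates are already outside their validity period. The following is an added example and not part of secon-keystore-generator; it assumes the file name certificates.p12 and the alias `private` described above, and it assumes the generator stores the ITSG certificates as trusted certificate entries (an assumption, not something this page states). The `changeit` fallback password is only used when no console is attached.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Collections;
import java.util.Date;

/**
 * Added example, not part of secon-keystore-generator: sanity-check a key store
 * produced by the generator before handing it to a client. Assumes the output
 * file name (certificates.p12) and the alias "private" described in the README,
 * and assumes the ITSG certificates are stored as trusted certificate entries
 * (an assumption, not documented on the page).
 */
public class KeyStoreCheck {

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "certificates.p12";
        // Read the password from the console so it never appears in argv or shell history.
        char[] password = System.console() != null
                ? System.console().readPassword("Key store password: ")
                : "changeit".toCharArray(); // fallback only when no console is attached (e.g. IDE)

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password); // verifies the PKCS12 integrity MAC with this password
        }

        // 1. Your own key entry, present only when -p and -c were passed to the generator.
        if (ks.isKeyEntry("private")) {
            Key key = ks.getKey("private", password);
            Certificate[] chain = ks.getCertificateChain("private");
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.printf("private: %s key, chain of %d certificate(s), leaf %s%n",
                    key.getAlgorithm(), chain.length, leaf.getSubjectX500Principal());
            // The key and the leaf certificate must belong together; for RSA the moduli are equal.
            if (key instanceof RSAPrivateKey && leaf.getPublicKey() instanceof RSAPublicKey) {
                boolean match = ((RSAPrivateKey) key).getModulus()
                        .equals(((RSAPublicKey) leaf.getPublicKey()).getModulus());
                System.out.println("private key matches leaf certificate: " + match);
            }
        } else {
            System.out.println("no 'private' entry: key store holds public certificates only");
        }

        // 2. The public certificates from the ITSG Trust Center, with a validity-period check.
        Date now = new Date();
        int trusted = 0;
        int outsideValidity = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) {
                continue;
            }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            trusted++;
            boolean valid = !now.before(cert.getNotBefore()) && !now.after(cert.getNotAfter());
            if (!valid) {
                outsideValidity++;
            }
            // Entries marked with "!" are expired or not yet valid and will be rejected by peers.
            System.out.printf("%s %-60s valid until %tF%n",
                    valid ? " " : "!", cert.getSubjectX500Principal(), cert.getNotAfter());
        }
        System.out.printf("%d trusted certificate(s), %d outside their validity period%n",
                trusted, outsideValidity);

        Arrays.fill(password, '\0'); // do not leave the password lying around in the heap
    }
}
```

Compile and run it next to the generated file with `javac KeyStoreCheck.java && java KeyStoreCheck certificates.p12`. A modulus mismatch means the `-p` key and the `-c` chain do not belong to the same key pair, which is the error a client would otherwise only surface as a failed signature or decryption later on.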
In case you have problems loading the private key, it might help to convert your my.prv.key.pem
into PKCS#8 format before using this tool. Note that `-nocrypt` writes the PKCS#8 key unencrypted, so give my.prv.key.der the same restrictive file permissions as the original `.pem` and delete it once the key store has been generated:
# Convert key
openssl pkcs8 -topk8 -inform PEM -outform DER -in my.prv.key.pem -out my.prv.key.der -nocrypt
# Use pkcs8 key to create the certificates.p12 file
java -jar secon-keystore-generator.jar -k annahme-rsa4096.key -p my.prv.key.der -c my.chain.p7c
License: MIT