Creating Certificates for JCP with Keystore Explorer for AWA v21


Article ID: 235797


Products

CA Automic Workload Automation - Automation Engine
CA Automic One Automation
CA Automic Operations Manager

Issue/Introduction

How to create a new keystore for Automic on the Windows server using Keystore Explorer? 

Environment

Release : 12.x and 21.x

Component : AUTOMATION ENGINE

Cause

The different steps necessary for creating the keystore and certificate requests and for importing certificates are easier to understand in a GUI tool like Keystore Explorer.

Resolution

Below is an example of performing all these steps with Keystore Explorer.

When downloading the Keystore Explorer product for Windows, please make sure to select the installer that does not have the embedded Java.

This is because the version of the embedded Java is not compatible with Automic Automation.

  1. Create a new keystore with format PKCS #12.
  2. Right-click – Generate Key Pair – leave Algorithm at the default RSA – Key Size 2048.
  3. Leave the rest of the parameters at their defaults. Increase the validity if you are signing with an internal CA or a public CA; otherwise it will be valid for 1 year.
  4. As Subject, add the CN, which is the hostname of your server.
  5. Click Add Extensions, then Use Standard Template, and select SSL Server.
  6. Double-click Subject Alternative Names to edit it and add ALL the other AE Servers that you would require for your AE Server (1, 2, 4 depending on your configuration), and add the FQDN (fully qualified domain name) of all the servers and any DNS alias that you may use to access it.
  7. Click OK and set the Alias to jetty to match what JCP expects by default, and assign a password (changeit is the default password JCP uses).
  8. Now we are ready to generate a CSR (certificate signing request): right-click this alias and click Generate CSR.
  9. Depending on the internal or public CA certificate tool, contact your security team to sign this CSR and export the certificate in a supported format, including the whole trust chain and the immediate CA root certificate necessary.
  10. Import the jetty.crt (or the certificate reply from your CA tool) by right-clicking your key pair – Import CA Reply.
  11. If an intermediate or root certificate is necessary to validate this certificate, import it as well with right-click – Import Trusted Certificate (in my case, it’s the automicCA.crt).
  12. The keystore now has everything needed, so JCP can be pointed to the keystore created with Keystore Explorer. Below is what ucsrv.ini looks like in my case, with the default password and the alias jetty. Once done, start JCP.
[TLS]
KEYSTORE=C:\Automic\certificates\keystore_frktest000607
; keystorePassword: Password of the keystore File
KEYSTOREPASSWORD=--103B02A4E96567743344AEF08C5B12E8E4
; keyPassword: Password for the Keys protection
KEYPASSWORD=--103B02A4E965677433071184DEFEAD58BB
; keyAlias: The name which the key is identified with.
KEYALIAS=jetty

  13. Import the CA Root certificate into the cacerts of the Java used by AWI/TLS Gateway (import the self-signed certificate in the case of self-signed certificates). Place this certificate into the trustedCertFolder. In Keystore Explorer, use Examine – Examine SSL and enter the JCP hostname and port 8443.

After clicking OK, pick the one above (the CA Root) and click Import to add it into cacerts.

  14. Connect AWI to your JCP over SSL.



Additional Information

It is recommended to set the ucsrv.ini hostName parameter to the FQDN of the server. Ensure the same FQDN is part of the generated certificate.

For example:

[TCP/IP]

hostName=myserver.example.com
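
A scripted check for the Subject Alternative Names step and the hostName recommendation above, added here as an example and not part of the original article or of Automic's tooling. It reads hostName and KEYALIAS from ucsrv.ini text and reports which expected names the certificate served by JCP does not cover; the function names, the awa.example.com alias and the sample certificate are assumptions made for illustration.

```python
import configparser
import socket
import ssl

# Constructed sample; hostName and KEYALIAS values are the ones shown on this page.
SAMPLE_INI = r"""
[TCP/IP]
hostName=myserver.example.com
[TLS]
; keyAlias: The name which the key is identified with.
KEYALIAS=jetty
"""

def read_ucsrv(ini_text):
    """Return (hostName, KEYALIAS) from the text of a ucsrv.ini file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ini_text)
    return (cp.get("TCP/IP", "hostName", fallback=None),
            cp.get("TLS", "KEYALIAS", fallback=None))

def covers(san, host):
    """True if one DNS SAN matches host (exact, or one left-most '*' label)."""
    san, host = san.lower(), host.lower().rstrip(".")
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def uncovered_names(expected, peer_cert):
    """Names from `expected` that no DNS SAN in the certificate covers."""
    sans = [v for k, v in peer_cert.get("subjectAltName", ()) if k == "DNS"]
    return [h for h in expected if not any(covers(s, h) for s in sans)]

def fetch_peer_cert(host, port=8443, cafile=None):
    """TLS handshake with JCP; returns the validated leaf certificate as a dict.
    cafile: PEM file with the CA root (assumption: exported as PEM)."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host, alias = read_ucsrv(SAMPLE_INI)
    # Constructed certificate dict in the shape getpeercert() returns.
    cert = {"subjectAltName": (("DNS", "myserver.example.com"),
                               ("DNS", "*.ae.example.com"))}
    # awa.example.com stands in for a DNS alias missing from the SAN list.
    print(alias, uncovered_names([host, "awa.example.com"], cert))
```

Against a running JCP, pass the result of fetch_peer_cert() in place of the constructed dict; the handshake itself fails if the chain does not validate against the given CA file or the connecting name is not in the certificate.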