A user has an X.509 certificate file (such as a .pfx, .p12, or .cer) containing a full chain and needs to "break it down" into separate files—Root CA, Intermediate CA, and Leaf/Server certificate—to manually upload them or import them into a Java truststore (cacerts).

Workload Automation DE: 12.2 or above

Prerequisites & Assumptions in these examples:

• Keystore Path: /opt/CA/WorkloadAutomationDE/conf/certs/schedulerkeystore.p12
• Keystore Password: changeit (Replace this with your actual keystore password)
• Private Key Alias: tomcat (This is a common default, but you must replace this with the exact alias of the private key currently in your keystore)
• Certificate Files: Assuming they are saved in /tmp/ as root.crt, intermediate.crt, and leaf.crt.

Import the Root Certificate

Import the Root CA first and give it a unique alias (e.g., root-ca).

Follow the same steps as above for Intermediate and then Leaf (server) certificate.  Note: The alias for each certificate must be unique, use any name.

Verify the Keystore

Once all certificates are imported, you can verify the contents of the keystore to ensure the chain is complete and the leaf certificate is properly associated with the private key.