Salesforce only supports the Java Keystore (JKS) format for importing private/public key pairs (with certificate) into a Salesforce org. Certificates and private/public keypairs are important when using Json Web Tokens (JWT’s) for integration using outbound flows as the JWT needs to be signed using the private key.
If working with Named Credentials for an outbound JWT token flow you need to import a private/public key into Salesforce using “Certificate and Key Management” in Setup. In the latter case you could also use a self-signed certificate generated in Salesforce.
What ever you do you need a valid keystore. Below are the commands I use to generate a private/public keypair with openssl and then use keytool (the Java keystore tool) to import into a Java keystore valid for Salesforce.
# generate private/public keypair openssl req -newkey rsa:2048 -nodes -keyout private_key.pem -x509 -days 365 -out certificate.pem # write certificate in binary file (some sytems need binary format) openssl x509 -outform der -in certificate.pem -out public_key.der # get the public key from the certificate openssl x509 -in certificate.pem -pubkey > public_key.pem # import certificate into Java Key Store (JKS) # !!! Be sure to trust the certificate - otherwise it's not imported keytool -importcert -file certificate.pem -keystore keystore.jks -alias mycertificate -storetype jks # create a PKCS12 keystore with private/public keypair openssl pkcs12 -inkey private_key.pem -in certificate.pem -export -out keystore.p12 -name mykey # import keypair into Java keystore keytool -importkeystore -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype pkcs12 -destalias mykey -srcalias mykey