Knowledge Center

Knowledge Center > Billing and Payments > Payment Gateways > Supported Payment Gateways > IBM Payment Systems Gateway > Generate a Keystore File for IBM Payment Systems Gateway

Generate a Keystore File for IBM Payment Systems Gateway

You need to generate a keystore file to set up the IBM Payment Systems gateway. This article provides instructions for generating a keystore file.

This feature is in Limited Availability. If you wish to have access to the feature, submit a request at Zuora Global Support


The following tools are required to generate a keystore file.

Toolkt/Utility Description


A cryptography toolkit for SSL/TLS. You can find it at


​A key and certificate management utility. It comes with the Java Runtime Environment (JRE)  which you can download from And it’s in the bin subdirectory of your java installation.

Generating a Private Key

Perform the following steps to generate the keystore file needed to set up the IBM gateway instance. 

  1. Enter the following:

keytool -genkey -alias <keyalias> -keyalg RSA -sigalg SHA1withRSA -DNAME "C=UK,O=IBM,CN=<Short company name>" -keystore key.p12 -storetype pkcs12 -keysize 2048

  1. Replace <Short company name> with your company’s name. This prompts the keystore password
  2. Generate the certificate request file:

keytool -certreq -alias <your_cert_alias> -keystore key.p12 -file <your_company_name>.csr -sigalg SHA1withRSA -storetype pkcs12

  1. Replace <your_cert_alias> and <your_company_name>.
  2. Send the certificate request to IBM Payment Systems mailbox ( This might take 2-3 working days to receive the server certificates (GeoTrustInterM.cer GeoTrustRoot.cer, and IBMCATest.cer)  and the client certificate file <client_cert_name>.cer. For example, CompanyA-V1.cer.
  3. Export the private key:

openssl pkcs12 -in key.p12 -out key.pem -nodes

  1. Enter the import password (the password to the keystore key.p12).
  2. Import the key with the client certificate from IBM into a new keystore file:

openssl pkcs12 -export -in <client_cert_name>.cer -inkey key.pem -out client_cert.p12

  1. Enter the export password (a new password to protect the new keystore file). This password is used on the New Gateway page.
  2. Convert the keystore to JKS format:

keytool -importkeystore -srckeystore client_cert.p12 -destkeystore keystore.jks -srcstoretype pkcs12 -deststoretype JKS -storepass <password>

  1. Enter the destination keystore password (the new password for the new JKS keystore file).
  2. Enter the source keystore password.
  3. Import theIBM server certificates into the keystore:

keytool -import -alias geotrustroot -file GeoTrustInterM.cer -keystore keystore.jks 

keytool -import -alias geotrustinterm -file GeoTrustRoot.cer -keystore keystore.jks 

keytool -import -alias ibmserver -file IBMCATest.cer -keystore keystore.jks 

  1. Enter the keystore password to the JKS keystore file and ask for confirmation on adding the certificate to the keystore.
  2. This keystore.jks file is the final file to use in the New Gateway page.
Last modified
10:27, 26 Feb 2015



(not set)