# Security and authentication for Aerospike Connect for Elasticsearch

This page describes how to create a TLS Keystore for Aerospike Connect for Elasticsearch.

## Create a TLS Keystore

To use TLS, an Aerospike Connect for Elasticsearch connector requires a public/private key pair and corresponding certificate. These must be provided in a keystore file.

The connector supports the proprietary Java Keystore format (“JKS”) and the PKCS #12 format. JKS is the default for versions earlier than Java 9. PKCS #12 is the default for Java 9 and later.

For development and testing, you can generate a new key pair and certificate using the JDK’s `keytool` command line utility. The following command creates a new keystore file and key/cert pair:

```shell
keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA
```

`keytool` prompts for a new password for the keystore file, as well as some additional information about the certificate.

```plaintext
keytool -keystore resources/keystore -alias connector -genkeypair -storetype PKCS12 -keyalg RSA
Enter keystore password:
Re-enter new password:
What is your first and last name?
    [Unknown]:
What is the name of your organizational unit?
    [Unknown]:
What is the name of your organization?
    [Unknown]:
What is the name of your City or Locality?
    [Unknown]:
What is the name of your State or Province?
    [Unknown]:
What is the two-letter country code for this unit?
    [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
    [no]:  yes
```

If your existing private key and certificate (chain) are separate PEM files, you can use [OpenSSL](https://www.openssl.org/) to combine them into a PKCS #12 keystore:

```shell
openssl pkcs12 -inkey ./key.pem -in ./cert.pem -export -out resources/keystore
```

If you have a chain of certificates because your CA is an intermediary, build the PKCS #12 file as follows:

```shell
cat ./cert.pem intermediate.pem rootCA.pem > cert-chain.pem

openssl pkcs12 -inkey ./key.pem -in ./cert-chain.pem -export -out resources/keystore
```

This command prompts you for an export password, which becomes the keystore password of the newly created keystore file. Update the `tls` configuration section as per above to use the test keystore.
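
A non-interactive variant of the chain command above, as an added example that is not part of the Aerospike documentation: it checks that the key belongs to the first certificate in the chain file, builds the keystore with owner-only permissions, then reads it back. The function names and the `KEYSTORE_PASS` variable are hypothetical; the `connector` friendly name mirrors the `keytool` alias used earlier.

```shell
#!/usr/bin/env bash
# Added example (not from the Aerospike docs). build_keystore, key_matches_cert and
# KEYSTORE_PASS are hypothetical names; "connector" mirrors the keytool alias above.

# Succeed only if the private key and the FIRST certificate in the PEM file
# carry the same public key (the leaf must come first, as in the cat command).
key_matches_cert() {
  local key="$1" chain="$2" from_key from_cert
  from_key=$(openssl pkey -in "$key" -pubout) || return 1
  from_cert=$(openssl x509 -in "$chain" -noout -pubkey) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# build_keystore KEY.pem CERT-CHAIN.pem OUT
# Prints the number of certificates stored in OUT on success.
build_keystore() {
  local key="$1" chain="$2" out="$3" count
  if [ -z "${KEYSTORE_PASS:-}" ]; then
    echo "export KEYSTORE_PASS before calling build_keystore" >&2
    return 1
  fi
  if ! key_matches_cert "$key" "$chain"; then
    echo "first certificate in $chain does not match $key" >&2
    return 1
  fi
  # The keystore holds the private key, so create it readable by the owner only.
  # env: keeps the password off the command line, where ps would show it.
  ( umask 077
    openssl pkcs12 -export -name connector -inkey "$key" -in "$chain" \
      -out "$out" -passout env:KEYSTORE_PASS ) || return 1
  # Re-open the result with the same password and count what was stored.
  count=$(openssl pkcs12 -in "$out" -passin env:KEYSTORE_PASS -nokeys 2>/dev/null |
    grep -c 'BEGIN CERTIFICATE') || { echo "cannot read back $out" >&2; return 1; }
  echo "$count"
}

# Usage: export KEYSTORE_PASS; build_keystore ./key.pem ./cert-chain.pem resources/keystore
```

With a leaf, intermediate and root concatenated as shown above, the printed count should be 3.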