If you are not sure whether the server certificate in your PKCS#12 file is signed by a root CA or an intermediate CA, you can determine the signature type by using the certutil utility.

1. Navigate to the directory that contains the PKCS#12 keystore file.

   For example: abc.p12

2. Run the certutil command.

   For example: certutil abc.p12

3. At the Windows prompt, type your PFX password.

   The utility displays information about the PKCS#12 keystore file, including summaries of all certificates in the trust chain.

4. Look for the lines describing the Signature, Root Certificate, and Intermediate Certificate.

   For example, a self-signed certificate might display the following lines:

       Signature matches Public Key
       Root Certificate: Subject matches Issuer

If your PKCS#12 file contains a server certificate that is signed by a root CA and not an intermediate CA, you can use your existing PKCS#12 file when you configure your View Connection Server instance or security server to use the certificate. See Configure a View Connection Server Instance or Security Server to Use a New Certificate.

If a PKCS#12 file contains a server certificate that is signed by an intermediate CA rather than by a root CA, you must import the PKCS#12 keystore into a JKS keystore. See Convert a PKCS#12 File to JKS Format.
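
The same root-versus-intermediate decision can be scripted. The following PowerShell is an added example, not part of the original procedure or of any VMware tooling; the function name Get-SignerType and its result labels are hypothetical, and abc.p12 is the example file name used in the steps. It compares Subject and Issuer names only, the same property certutil reports, and does not verify signatures.

```powershell
# Added example: classify the issuer of the server certificate in a PKCS#12 file.
# Name matching only (Subject vs. Issuer); signatures are not verified here.
param([string]$Path = '.\abc.p12')   # abc.p12 is the example name from the steps

function Get-SignerType {            # hypothetical helper name
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]$Certs
    )
    # The server certificate is the entry that carries the private key.
    $leaf = $Certs | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $leaf) { return 'NoServerCertificate' }
    if ($leaf.Subject -eq $leaf.Issuer) { return 'SelfSigned' }

    # Find the certificate in the file whose Subject equals the leaf's Issuer.
    $issuer = $Certs | Where-Object { $_.Subject -eq $leaf.Issuer } |
        Select-Object -First 1
    if (-not $issuer) { return 'IssuerNotInFile' }

    # A root CA certificate is itself self-issued; anything else is intermediate.
    if ($issuer.Subject -eq $issuer.Issuer) { return 'RootCA' }
    return 'IntermediateCA'
}

# Prompt without echoing the password, then load every certificate in the file.
$secure = Read-Host -AsSecureString 'PFX password'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$certs  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$certs.Import((Resolve-Path $Path).Path, $plain, $flags)

switch (Get-SignerType -Certs $certs) {
    'RootCA'              { 'Signed by a root CA: the existing PKCS#12 file can be used.' }
    'IntermediateCA'      { 'Signed by an intermediate CA: import the PKCS#12 keystore into a JKS keystore.' }
    'SelfSigned'          { 'Self-signed: Subject matches Issuer on the server certificate.' }
    'IssuerNotInFile'     { 'The issuer certificate is not in the file; review the certutil output.' }
    'NoServerCertificate' { 'No certificate with a private key was found in the file.' }
}
```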