A keystore contains a private key, a corresponding subject certificate and optionally one or more issuer (CA) certificates. Nexus Timestamp Server accepts two different keystore formats, PKCS#12 and JKS (Java KeyStore), as well as PKCS#11 libraries for HSM support.
JKS keystores Manage JKS keystores with keytool which is a tool included in the Java JRE/JDK as <javadir>/bin/keytool.
PKCS#11 keystores Manage PKCS#11 keystores with the bundled tool hwsetup, see Initialize Hardware Security Module in Timestamp Server, or tools from the HSM vendor. See documentation and explanations from the vendor for a complete reference.
Keys to use in a PKCS#11 keystore MUST have a mapped certificate with the same CKA_LABEL and CKA_PRIVATE set to false.