Documenting SSL/TLS certificate installation on go.genivi.org
The steps to copy the have been converted into a shell script which is also attached to this page
The rest of this page only documents the manual steps and more information.
First Nicholas Contino created the certificates with Letsencrypt, by closing down the go-server and starting a vanilla apache install, and then going through the standard Letsencrypt procedures to confirm ownership of the site, and all that stuff.
$ openssl rsa -des3 -in privkey.pem -out privkey.key.new
The PEM passphrase is requested, input serverKeystorepa55w0rdno longer requested since it is given on the command line.
Then to put the certificate into a Java compatible keystore it first needs to be converted to a PKCS12 format.
(From Go.CD documentation): openssl pkcs12 -inkey privkey.key.new -in <example.com.crt> -export -out cert1.crt.pkcs12
I failed at the first attempt I assumed example.crt meant our own cert file only. But this will make the Go server output the cert as self-signed as usual. It turns out that the fullchain file should be used, which includes both our cert, and the trust chain. Ref:  (ignore the first answer which is wrong, and see further down)
So we run:
$ openssl pkcs12 -inkey privkey.key.new -in fullchain.pem -export -out fullchain.pkcs12 -passin pass:serverKeystorepa55w0rd -passout pass:serverKeystorepa55w0rd
Againthe passwords are given on the command line.
In this step the new privkey we created of course needs be decrypted again. Input the previously used password to decrypt, then use the same again, for the output stage.