Posted by: Brian de Alwis | December 13, 2010

Configuring Jetty for SSL

Having finally achieved victory in setting up SSL for a Jetty instance, I thought I’d share one gotcha that I saw go undocumented: if your certificate requires an intermediate certificate, then you need to add your certificates to your keystore as a chain — you can’t just import the certificates in your chain one at a time.

I’m using an SSL certificate from StartSSL. I have a Class 2 certificate, which is signed through an intermediate certificate for their Class 2 Server CA. I need to add both my signed certificate as well as a certificate for the Class 2 Server CA.

After lots of futzing about adding the certificates individually (and wondering if I’d unknowingly missed a certificate), I finally realized that the answer was under my nose, described in Jetty’s Step 3b in How to configure SSL:

$ cat my-signed-ssl-certificate.pem startcom-sub.class2.server.ca.pem startcom-ca.pem > cert-chain.txt
$ openssl pkcs12 -export -inkey my-ssl-key.pem -in cert-chain.txt -out keystore.pkcs12
Enter pass phrase for my-ssl-key.pem:
Enter Export Password:
Verifying - Enter Export Password:
$ keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Note that the certificates and key were combined into a single entry. I previously had 3 entries.

If the openssl pkcs12 complains that No certificate matches private key then ensure the cert-chain.txt has each

-----BEGIN XXX-----

and

-----END XXX-----

on separate lines.

And even on Java 6 I found I had to ensure the keystore password was the same as the key password.

SSLPoke is a useful Java tool for discovering SSL issues.

Advertisements

Responses

  1. Thank you!!!

    After following loads of walk throughs all of them failed to mention that you need to combine the certs manually into a chain! I was has having major issues with a godaddy wildcard cert and this was the correct solution, thanks much.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories