Having finally achieved victory in setting up SSL for a Jetty instance, I thought I’d share one gotcha that I saw go undocumented: if your certificate requires an intermediate certificate, then you need to add your certificates to your keystore as a chain — you can’t just import the certificates in your chain one at a time.
I’m using an SSL certificate from StartSSL. I have a Class 2 certificate, which is signed through an intermediate certificate for their Class 2 Server CA. I need to add both my signed certificate as well as a certificate for the Class 2 Server CA.
After lots of futzing about adding the certificates individually (and wondering if I’d unknowingly missed a certificate), I finally realized that the answer was under my nose, described in Jetty’s Step 3b in How to configure SSL:
    $ cat my-signed-ssl-certificate.pem startcom-sub.class2.server.ca.pem startcom-ca.pem > cert-chain.txt
    $ openssl pkcs12 -export -inkey my-ssl-key.pem -in cert-chain.txt -out keystore.pkcs12
    Enter pass phrase for my-ssl-key.pem:
    Enter Export Password:
    Verifying - Enter Export Password:
    $ keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
    Enter destination keystore password:
    Re-enter new password:
    Enter source keystore password:
    Entry for alias 1 successfully imported.
    Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
Note that the certificates and key were combined into a single entry. I previously had 3 entries.
If openssl pkcs12 complains that "No certificate matches private key", check that each certificate in cert-chain.txt begins on its own line: a PEM file without a trailing newline makes cat run its -----END CERTIFICATE----- line straight into the next file's -----BEGIN CERTIFICATE-----, so openssl cannot read the certificates and never finds the one that matches the key.
And even on Java 6 I found I had to ensure the keystore password was the same as the key password.
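The same procedure as a script, with a check for the fused BEGIN/END line problem before running openssl, as an added shell example that is not from the original post: build_chain, count_certs, chain_ok, export_pkcs12, import_jks, make_keystore and the KEYSTORE_PASS variable are names chosen here, and the only flags added beyond the post's commands are the standard non-interactive password options of openssl and keytool.

```shell
# Added example, not the post's own script; function names and KEYSTORE_PASS are assumptions.
set -eu
# build_chain OUT PEM... : concatenate PEM files (leaf, intermediate, root). awk re-emits
# every line with a newline, so a file lacking one cannot fuse its END line into the next BEGIN.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        awk '{ print }' "$f" >> "$out"
    done
}
# count_certs FILE : number of lines carrying a BEGIN CERTIFICATE marker.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}
# chain_ok FILE : succeeds only if every BEGIN marker sits at the start of a line.
chain_ok() {
    total=$(count_certs "$1")
    clean=$(grep -c -e '^-----BEGIN CERTIFICATE-----' "$1" || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$clean" ]
}
# export_pkcs12 KEY CHAIN OUT PASS : the openssl step; an encrypted key still prompts for its passphrase.
export_pkcs12() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4"
}
# import_jks P12 KEYSTORE PASS : the keytool step; store and key password deliberately identical.
import_jks() {
    keytool -importkeystore -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3" \
        -destkeystore "$2" -deststorepass "$3" -destkeypass "$3"
}
# make_keystore KEY LEAF INTERMEDIATE ROOT : the full procedure; reads KEYSTORE_PASS from the environment.
make_keystore() {
    key=$1; shift
    pass=${KEYSTORE_PASS:?set KEYSTORE_PASS to the keystore and key password}
    build_chain cert-chain.txt "$@"
    chain_ok cert-chain.txt || { echo "cert-chain.txt: a certificate does not start on its own line" >&2; return 1; }
    export_pkcs12 "$key" cert-chain.txt keystore.pkcs12 "$pass"
    import_jks keystore.pkcs12 keystore "$pass"
    # expect one alias whose chain length equals the number of certificates in cert-chain.txt
    keytool -list -v -keystore keystore -storepass "$pass" | grep -E 'Alias name|Certificate chain length'
}
if [ $# -ge 4 ]; then make_keystore "$@"; fi
```

Run it as `KEYSTORE_PASS=... sh script.sh my-ssl-key.pem my-signed-ssl-certificate.pem startcom-sub.class2.server.ca.pem startcom-ca.pem`; the final keytool listing should show a single alias with a chain length of 3.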
SSLPoke is a useful Java tool for discovering SSL issues.