Good morning all:

Red Hat Enterprise Linux Server release 7.8 (Maipo)
jetty-distribution-9.4.28.v20200408
java-11-openjdk-11.0.7.10-4.el7_8.x86_64
jetty.ssl.port=8443

Generated a new private key (without a password) using openssl. Generated a certificate request. Received new SSL certificate, plus intermediate and CA certificates.

The goal: create a new keystore (preferably PKCS12) that works with Jetty.

Following instructions at: https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

Combined the new SSL certificate + intermediate certificates + root certificate in one file in that order (combined_certs).

    openssl pkcs12 -export -inkey new_host.key -in combined_certs -out abc.pkcs12

Import into keystore:

    keytool -importkeystore -srckeystore abc.pkcs12 -srckeystore PKCS12 -destkeystore abc.jks

Followed recommendation to convert JKS to PKCS12:

    keytool -importkeystore -srckeystore abc.jks -destkeystore abc.p12 -deststoretype pkcs12

The commands above all complete successfully (prompts for passphrases and passphrase itself omitted).

At this point, we have two keystores, one JKS and one PKCS12:

However, Jetty fails to start correctly with either.

Startup error when using the JKS keystore:

    PrivilegedActionException: null
    Caused by: java.security.UnrecoverableKeyException: Cannot recover key

Startup error when using the PKCS12 keystore:

    PrivilegedActionException: null
    Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues arise if a bad key is used during decryption.

Also ran the same processes as above, but with the private key added first to the file containing the certificates, but with similar Jetty failures on startup.

What am I missing? Exactly what steps are required to get from a valid RSA private key + SSL certificate + intermediate and CA certificates (generated by openssl) to a working PKCS12 keystore?

Thanks in advance.

David Fuhs
Information Security Office
California State University, Chico
[email protected]
530-898-4852
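The openssl export step from the message above, run on constructed throwaway data, as an added example that is not part of the original post: it checks that the private key belongs to the leaf certificate and that the key inside the PKCS12 file decrypts with the export password. The function names, the `jetty` alias, the password and the `demo.invalid` subject are assumptions, and a self-signed certificate stands in for the CA-issued chain.

```shell
#!/bin/sh
# Added example, not from the original post. All sample data is constructed.

# Returns 0 if the PEM private key ($1) and the first certificate in the
# PEM file ($2) carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Returns 0 if the private key stored in the PKCS12 file ($1) can be
# decrypted with the password ($2). The key is discarded, not written out.
p12_key_recoverable() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes >/dev/null 2>&1
}

# Builds a throwaway unencrypted key and self-signed certificate in
# directory $1, then exports them to PKCS12 with password $2, using the
# same file names as the post (new_host.key, combined_certs, abc.pkcs12).
build_demo() {
    dir=$1
    pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo.invalid" \
        -keyout "$dir/new_host.key" -out "$dir/combined_certs" \
        >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/new_host.key" \
        -in "$dir/combined_certs" -name jetty \
        -passout "pass:$pw" -out "$dir/abc.pkcs12"
}

# Demo run in a temporary directory with a constructed password.
tmp=$(mktemp -d)
if build_demo "$tmp" "constructed-pass"; then
    key_matches_cert "$tmp/new_host.key" "$tmp/combined_certs" \
        && echo "private key matches leaf certificate"
    p12_key_recoverable "$tmp/abc.pkcs12" "constructed-pass" \
        && echo "key decrypts with the export password"
    p12_key_recoverable "$tmp/abc.pkcs12" "some-other-pass" \
        || echo "key does not decrypt with a different password"
fi
rm -rf "$tmp"
```

With a real chain, the leaf certificate has to come first in combined_certs, since `key_matches_cert` reads only the first certificate in the file.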
