How were new_host.key and combined_certs created? Also, can you provide the complete stacktraces?
Joakim Erdfelt / [email protected]

On Tue, May 26, 2020 at 12:44 PM David C Fuhs <[email protected]> wrote:

> Good morning all:
>
> Red Hat Enterprise Linux Server release 7.8 (Maipo)
> jetty-distribution-9.4.28.v20200408
> java-11-openjdk-11.0.7.10-4.el7_8.x86_64
> jetty.ssl.port=8443
>
> Generated a new private key (without a password) using openssl.
> Generated a certificate request.
> Received new SSL certificate, plus intermediate and CA certificates.
>
> The goal: create a new keystore (preferably PKCS12) that works with Jetty.
>
> Following instructions at:
> https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
>
> Combined the new SSL certificate + intermediate certificates + root
> certificate in one file in that order (combined_certs).
>
> openssl pkcs12 -export -inkey new_host.key -in combined_certs -out abc.pkcs12
>
> Import into keystore:
>
> keytool -importkeystore -srckeystore abc.pkcs12 -srckeystore PKCS12 -destkeystore abc.jks
>
> Followed recommendation to convert JKS to PKCS12:
>
> keytool -importkeystore -srckeystore abc.jks -destkeystore abc.p12 -deststoretype pkcs12
>
> The commands above all complete successfully (prompts for passphrases and
> passphrase itself omitted).
>
> At this point, we have two keystores, one JKS and one PKCS12:
>
> However, Jetty fails to start correctly with either.
>
> Startup error when using the JKS keystore:
> PrivilegedActionException: null
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>
> Startup error when using the PKCS12 keystore:
> PrivilegedActionException: null
> Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given
> final block not properly padded. Such issues arise if a bad key is used
> during decryption.
>
> Also ran the same processes as above, but with the private key added first
> to the file containing the certificates, but with similar Jetty failures on
> startup.
>
> What am I missing?
>
> Exactly what steps are required to get from a valid RSA private key + SSL
> certificate + intermediate and CA certificates (generated by openssl) to a
> working PKCS12 keystore?
>
> Thanks in advance.
>
> David Fuhs
> Information Security Office
> California State University, Chico
> [email protected]
> 530-898-4852
>
> _______________________________________________
> jetty-users mailing list
> [email protected]
> To unsubscribe from this list, visit
> https://www.eclipse.org/mailman/listinfo/jetty-users
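The following is an added example, not code from the thread or from the Jetty project, showing the steps the question asks for: package an openssl-generated RSA key plus the server, intermediate and root certificates into a single PKCS12 keystore with one password for both the store and the key entry, check the chain before packaging, and prove that the key entry can be recovered with that password before Jetty is ever pointed at the file. Both exceptions quoted above are what the JDK raises when the password offered for the key entry does not decrypt it, so the recoverability check is the one to run first. All names are hypothetical (work directory ./ks-demo, alias jetty, password in KS_PASS), and the root/intermediate/server chain is constructed by the script purely so it runs offline; with a real CA-issued certificate you would skip make_test_chain and drop your own new_host.key and combined_certs into the work directory.

```shell
#!/bin/sh
# Added example (not from the thread): build and verify a PKCS12 keystore for
# Jetty from an openssl private key plus leaf + intermediate + root certs.
# Hypothetical names: work dir ./ks-demo, alias "jetty", password $KS_PASS.
set -eu

WORK=${WORK:-./ks-demo}
KS_PASS=${KS_PASS:-changeit}
ALIAS=jetty

# Constructed test data: a throw-away root -> intermediate -> server chain so
# the packaging steps can be exercised without a real CA.
make_test_chain() {
    mkdir -p "$WORK"
    printf 'basicConstraints=CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
        -out "$WORK/root.crt" -subj "/CN=Demo Root" -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/inter.key" \
        -out "$WORK/inter.csr" -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/inter.crt" -days 30 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/new_host.key" \
        -out "$WORK/host.csr" -subj "/CN=jetty.example.test" 2>/dev/null
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
        -CAcreateserial -out "$WORK/new_host.crt" -days 30 2>/dev/null
    # Leaf first, then intermediate(s), then root: the order the Jetty docs ask for.
    cat "$WORK/new_host.crt" "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/combined_certs"
}

# Check that the leaf actually chains to the root through the intermediate
# before packaging; a wrong order or a missing intermediate shows up here.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/inter.crt" \
        "$WORK/new_host.crt" >/dev/null 2>&1
}

# Package key + chain as PKCS12 under a named alias. One password protects the
# store and the key entry, which is what Jetty uses when keyManagerPassword
# is left unset.
build_keystore() {
    openssl pkcs12 -export -inkey "$WORK/new_host.key" -in "$WORK/combined_certs" \
        -name "$ALIAS" -passout "pass:$KS_PASS" -out "$WORK/jetty.p12"
}

# Number of certificates stored in the keystore (3 for leaf + inter + root).
cert_count() {
    openssl pkcs12 -in "$WORK/jetty.p12" -nokeys -passin "pass:$KS_PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Try to recover the private key with the given password. Exit status 0 only
# when the password unlocks the key entry; a mismatch fails here rather than
# as an UnrecoverableKeyException at Jetty startup.
key_recoverable() {
    openssl pkcs12 -in "$WORK/jetty.p12" -nocerts -nodes -passin "pass:$1" \
        -out /dev/null 2>/dev/null
}

demo() {
    make_test_chain
    verify_chain || { echo "chain does not verify; fix order/intermediates first" >&2; return 1; }
    build_keystore
    key_recoverable "$KS_PASS" || { echo "store password cannot unlock the key entry" >&2; return 1; }
    echo "jetty.p12 ready: $(cert_count) certificates under alias $ALIAS"
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found; skipping demo" >&2; fi
```

With the file verified, Jetty 9.4 can load it directly by setting jetty.sslContext.keyStorePath, jetty.sslContext.keyStoreType=PKCS12 and jetty.sslContext.keyStorePassword in start.d/ssl.ini and leaving jetty.sslContext.keyManagerPassword unset, so the store password is also used for the key entry; the JKS round trip is not needed. If you do go through keytool, its option naming the source store format is -srcstoretype, and the key entry keeps whatever password it was given at import time, so check it with key_recoverable (or the equivalent keytool prompt) rather than assuming it matches the store password.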
