Thanks Simone, I will give Keystore Explorer a try and report back. What I really want is quite simple: a series of commands that will take as input a private key, a new SSL certificate, and a series of intermediate/CA certificates and create a PKCS12 keystore that Jetty can use.
All permutations, combinations, and attempts thus far over several days result in a keystore that throws the UnrecoverableKeyException. Those attempts include: starting with a key that has/does not have a password, including/not including the key at the beginning of the file containing the SSL certificate and intermediate certificates, starting by creating a JKS keystore then converting it to PKCS12, starting by creating a PKCS12 keystore directly, adding/modifying a keystore password after creating the PKCS12 keystore, and probably several more I forgot.

This morning's attempts involved cutting and pasting example commands directly from the Jetty documentation, then modifying the specifics. One would expect that even though I apparently got on a slow horse, I would eventually stumble into some combination that would work, but it seems quite elusive.

David Fuhs
Information Security Office
California State University, Chico
[email protected]
530-898-4852

________________________________
From: [email protected] <[email protected]> on behalf of Simone Bordet <[email protected]>
Sent: Tuesday, May 26, 2020 11:18 AM
To: JETTY user mailing list <[email protected]>
Subject: Re: [jetty-users] Keystore Problems

Hi,

On Tue, May 26, 2020 at 8:07 PM David C Fuhs <[email protected]> wrote:
>
> To generate the private key:
> openssl genrsa 4096 > new_host.key
>
> To combine the SSL certificate plus CA certificates into one file:
> cat ssl_cert interm_certs > combined_certs
> Results in a file with the SSL certificate first, followed by the
> intermediate certificates, with the root CA certificate last in the file.
>
> Stack traces follow, the first is using the JKS version of the keystore, the
> second with the PKCS12 version of the keystore.

Can you open the keyStores using:
https://keystore-explorer.org/

If you cannot, then the keyStores are wrong.

There is no need to use the JKS format anymore, keep the keyStores in PKCS12.

Make sure that you are using a keyStore password only (not a keyManager password), unless you really want to.
If you have a keyManager password, then you have to configure Jetty with it.

--
Simone Bordet
----
http://cometd.org
http://webtide.com
Developer advice, training, services and support
from the Jetty & CometD experts.
_______________________________________________
jetty-users mailing list
[email protected]
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
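The procedure David is asking for (key + leaf certificate + intermediate chain in, one PKCS12 keystore out), together with the check Simone suggests (can the store actually be opened, and with which password), as an added example that is not part of the thread and not code from the Jetty project. It assumes `openssl` is on the PATH; `keytool` is used only if a JDK is present. The function names, the alias `jetty`, and the throwaway root/intermediate/leaf material built by `make_demo_material` are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: build a PKCS12 keystore for Jetty
# from a private key, a leaf certificate and a file of intermediate/root certificates,
# then check that the private key is recoverable with the store password.
# Assumes openssl on PATH; keytool (from a JDK) is used only if present.
set -eu

# build_keystore KEY LEAF_CERT CHAIN_FILE OUT_P12 PASSWORD
# The key entry gets alias "jetty". openssl uses PASSWORD for both the
# integrity MAC and the key encryption, so store password == key password,
# which is what Jetty needs when only a KeyStorePassword is configured.
build_keystore() {
  key="$1"; leaf="$2"; chain="$3"; out="$4"; pw="$5"
  openssl pkcs12 -export \
    -inkey "$key" \
    -in "$leaf" \
    -certfile "$chain" \
    -name jetty \
    -out "$out" \
    -passout "pass:$pw"
}

# verify_keystore OUT_P12 PASSWORD
# Succeeds only if the private key decrypts with PASSWORD; a password that
# does not unlock the key is what surfaces in Java as UnrecoverableKeyException.
verify_keystore() {
  out="$1"; pw="$2"
  openssl pkcs12 -in "$out" -passin "pass:$pw" -nocerts -nodes >/dev/null 2>&1 || return 1
  if command -v keytool >/dev/null 2>&1; then
    keytool -list -keystore "$out" -storetype PKCS12 -storepass "$pw" >/dev/null 2>&1 || return 1
  fi
}

# chain_length OUT_P12 PASSWORD
# Prints how many certificates the keystore carries (leaf plus chain).
chain_length() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# make_demo_material DIR
# Constructed throwaway material (root -> intermediate -> leaf) so the script
# can be exercised offline; a real deployment uses the CA-issued files instead.
make_demo_material() {
  d="$1"; mkdir -p "$d"
  printf 'basicConstraints=CA:TRUE\n' > "$d/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Demo Root" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Demo Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -extfile "$d/ca.ext" -out "$d/int.crt" -days 1 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/host.key" -out "$d/host.csr" \
    -subj "/CN=demo.example" >/dev/null 2>&1
  openssl x509 -req -in "$d/host.csr" -CA "$d/int.crt" -CAkey "$d/int.key" -CAcreateserial \
    -out "$d/host.crt" -days 1 >/dev/null 2>&1
  # Same layout as in the thread: the leaf certificate is passed separately,
  # the chain file holds the intermediate first and the root last.
  cat "$d/int.crt" "$d/root.crt" > "$d/chain.pem"
}

# Stand-alone use: ./mkjettyks.sh host.key host.crt chain.pem keystore.p12 changeit
if [ "$#" -eq 5 ]; then
  build_keystore "$@"
  verify_keystore "$4" "$5" && echo "keystore OK, $(chain_length "$4" "$5") certificate(s)"
fi
```

Two points worth keeping in mind when using this. First, a PKCS12 written this way has a single password for the store and for the key, so Jetty's `SslContextFactory` needs only the KeyStorePassword; setting a different KeyManagerPassword would be exactly the mismatch that produces the exception. Second, if the keystore is produced by OpenSSL 3 and an older JDK refuses to parse it, the export's default encryption and MAC algorithms are the likely cause; re-running `openssl pkcs12 -export` with `-legacy` produces the older algorithm set.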
