Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [jetty-users] Keystore Problems
  • From: David C Fuhs <dfuhs@xxxxxxxxxxxx>
  • Date: Tue, 26 May 2020 20:34:30 +0000
  • Accept-language: en-US
  • Arc-authentication-results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=f1ykwYV8oXUVWhAu9Q3QolZa8d2fP6Y/dwtM3lAXAvY=; b=FZvG/zYmlbkdnwpMkPX3lUAcsnCDtOPoMsMWbxaTf/doqy6wMymZHDiD1wvQgqtPUdvD8sOtL4Yhdckm+aaVp00+7WstYp6j1535JOBaEuk2LV62CbawC3pfyMwBsSJKnSLyzTI6F6gzPXiIHPtwiKeKmHF01MZGYWXQ/J4ShF+STZDjzmjTSEwCnTizdGTySRYUuqUXtcT7a4kBQoA5k37pqUKLnGVZP8F9QG3MSOqk3SwgR1jvBkRxQ28KEx1hCGsr8e8Yk/X//lkcJU78FJxsr5qQmW8EPsVAgGzs/AUizgUPi+7AWHjIYM8vaDUwMS6BmpGXQ8ubSLyuMd5z7g==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=JTDW+OQvFxSqwyjgAqKfF4HS8ALeEoLbGPpsypVbmLyOCksO2HHltW0FkBWIBKnzQhhaNrCvpEMiMM1SVuirfSqelmakeS+wVXSSm+LPYjzCLWEmvhitJd2sFhjqP7Gbd7XmCs2mMsgATviB26RqQO47wSfqo0ED7vmlvcnrbrlLcZUNz+Nsw/VpCCJokyrbQHEvpmC3exmprenq+xI5FsjwnulnFSQQHfCQk8y/vg0Y+9ZWpTCUvRv2Tqo9wc357TKFV9jUyzIlyhI7hnSZDFtU+yl17eeMHoE8llNoYJar8741TC+8YkNEOdFGFYfKjpYqcD4EmYVTX7p2XBN2NQ==
  • Delivered-to: jetty-users@xxxxxxxxxxx
  • List-archive: <>
  • List-help: <>
  • List-subscribe: <>, <>
  • List-unsubscribe: <>, <>
  • Thread-index: AQHWM4HEdKGZuhwOFkGPJtv7A0Zclqi6pOwAgAACiBiAAAW3gIAAIhy3
  • Thread-topic: [jetty-users] Keystore Problems

Thanks Simone, I will give Keystore Explorer and try and report back.

What I really want is quite simple: a series of commands that will take as input a private key, a new SSL certificate, and a series of intermediate/CA certificates and create a PKCS12 keystore that Jetty can use.

All permutations, combinations, and attempts thus far over several days results in a keystore that throws the UnrecoverableKeyException.

Those attempts include: starting with a key that has/does not have a password, including/not including the key at the beginning of the file containing the SSL certificate and intermediate certificates, starting by creating a JKS keystore then converting it to PKCS12, starting by creating a PKCS12 keystore directly, adding/modifying a keystore password after creating the PKCS12 keystore, and probably several more I forgot.  This morning's attempts involved cutting and pasting example commands directly from the Jetty documentation, then modifying the specifics.

One would expect that even though I apparently got on a slow horse, I would eventually stumble into some combination that would work, but it seems quite elusive.

David Fuhs
Information Security Office
California State University, Chico

From: jetty-users-bounces@xxxxxxxxxxx <jetty-users-bounces@xxxxxxxxxxx> on behalf of Simone Bordet <sbordet@xxxxxxxxxxx>
Sent: Tuesday, May 26, 2020 11:18 AM
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Keystore Problems

On Tue, May 26, 2020 at 8:07 PM David C Fuhs <dfuhs@xxxxxxxxxxxx> wrote:
> To generate the private key:
> openssl genrsa 4096 > new_host.key
> To combine the SSL certificate plus CA certificates into one file:
> cat ssl_cert interm_certs > combined_certs
> Results in a file with the SSL certificate first, followed by the intermediate certificates, with the root CA certificate last in the file.
> Stack traces follow, the first is using the JKS version of the keystore, the second with the PKCS12 version of the keystore.

Can you open the keyStores using:

If you cannot, then the keyStores are wrong.

There is no need to use the JKS format anymore, keep the keyStores in PKCS12.

Make sure that you are using a keyStore password only (not a
keyManager password), unless you really want to.
If you have a keyManager password, then you have to configure Jetty with it.

Simone Bordet
Developer advice, training, services and support
from the Jetty & CometD experts.
jetty-users mailing list
To unsubscribe from this list, visit

Back to the top