Re: [jetty-users] Keystore Problems
  • From: David C Fuhs <dfuhs@xxxxxxxxxxxx>
  • Date: Tue, 26 May 2020 21:26:40 +0000

Thanks, Scott.

Using Scott's example command, but modified with our specifics, generates the PKCS12 keystore, but Jetty throws the same exception on startup:

2020-05-26 13:56:29,793 - INFO [org.eclipse.jetty.server.AbstractConnector:331] - Started ServerConnector@1fdf8aa4{HTTP/1.1, (http/1.1)}{}
2020-05-26 13:56:29,794 - WARN [org.eclipse.jetty.xml.XmlConfiguration:1938] - null
        at java.base/ Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(
Caused by: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/

keytool seems okay with the keystore.  Omitting all the details, but it shows the new SSL certificate, followed by the intermediate/CA certificates in the correct order:

/tmp:> keytool -list -keystore xyz.p12 -v
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: May 26, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 4

David Fuhs
Information Security Office
California State University, Chico

From: jetty-users-bounces@xxxxxxxxxxx <jetty-users-bounces@xxxxxxxxxxx> on behalf of Cantor, Scott <cantor.2@xxxxxxx>
Sent: Tuesday, May 26, 2020 1:40 PM
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Keystore Problems
On 5/26/20, 4:34 PM, "jetty-users-bounces@xxxxxxxxxxx on behalf of David C Fuhs" <jetty-users-bounces@xxxxxxxxxxx on behalf of dfuhs@xxxxxxxxxxxx> wrote:

> What I really want is quite simple: a series of commands that will take as input a private key, a new SSL certificate, and a
> series of intermediate/CA certificates and create a PKCS12 keystore that Jetty can use.

openssl pkcs12 -export -out file.p12 -inkey private.key -in public.crt -certfile chain.crt

There are a lot of varied ways to feed the certs in, but I've used a model where -in is just the EE cert and -certfile has the concat'd chain of the rest.

-- Scott
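
A way to run the export command quoted above and check the result before pointing Jetty at it, as an added example that is not from either poster. It builds a throwaway CA and certificate (constructed stand-ins for the real private.key, public.crt and chain.crt), confirms the key matches the certificate, and confirms the key entry decrypts only with the export password; the function names and the demo password are assumptions.

```shell
# Added example. File names, CNs and the password are constructed for the demo.
make_demo_pki() {  # DIR: throwaway CA (chain.crt) and end-entity cert (public.crt)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$1/ca.key" -out "$1/chain.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -keyout "$1/private.key" -out "$1/leaf.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/chain.crt" -CAkey "$1/ca.key" \
    -set_serial 2 -days 1 -out "$1/public.crt" 2>/dev/null
}

key_matches_cert() {  # KEY CERT: true when the cert carries this key's public half
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

build_p12() {  # KEY CERT CHAIN OUT PASSWORD (password passed via env, not argv)
  P12_PASS=$5 openssl pkcs12 -export -out "$4" -inkey "$1" -in "$2" \
    -certfile "$3" -passout env:P12_PASS
}

p12_key_opens() {  # P12 PASSWORD: true when the private key entry decrypts
  P12_PASS=$2 openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS \
    2>/dev/null | grep -q 'PRIVATE KEY'
}

p12_cert_count() {  # P12 PASSWORD: prints the number of certificates stored
  P12_PASS=$2 openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS \
    2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo() {
  local d rc
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" &&
    key_matches_cert "$d/private.key" "$d/public.crt" &&
    build_p12 "$d/private.key" "$d/public.crt" "$d/chain.crt" "$d/file.p12" demo-pass &&
    p12_key_opens "$d/file.p12" demo-pass &&
    ! p12_key_opens "$d/file.p12" other-pass &&
    [ "$(p12_cert_count "$d/file.p12" demo-pass)" -eq 2 ]
  rc=$?
  rm -rf "$d"
  return $rc
}
demo && echo "keystore checks passed"
```

openssl protects the store and the key inside it with the single export password, so both checks use that one value.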
