Thanks, Scott. Using Scott's example command, but modified with our specifics, generates the PKCS12 keystore, but Jetty throws the same exception on startup:
2020-05-26 13:56:29,793 - INFO [org.eclipse.jetty.server.AbstractConnector:331] - Started ServerConnector@1fdf8aa4{HTTP/1.1, (http/1.1)}{127.0.0.1:8080}
2020-05-26 13:56:29,794 - WARN [org.eclipse.jetty.xml.XmlConfiguration:1938] - java.security.PrivilegedActionException: null
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:462)

keytool seems okay with the keystore. Omitting all the details, but it shows the new SSL certificate, followed by the intermediate/CA certificates in the correct order:

/tmp:> keytool -list -keystore xyz.p12 -v
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: May 26, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:

David Fuhs
Information Security Office
California State University, Chico
df...@csuchico.edu
530-898-4852

________________________________
From: jetty-users-boun...@eclipse.org <jetty-users-boun...@eclipse.org> on behalf of Cantor, Scott <canto...@osu.edu>
Sent: Tuesday, May 26, 2020 1:40 PM
To: JETTY user mailing list <jetty-users@eclipse.org>
Subject: Re: [jetty-users] Keystore Problems

On 5/26/20, 4:34 PM, "jetty-users-boun...@eclipse.org on behalf of David C Fuhs" <jetty-users-boun...@eclipse.org on behalf of df...@csuchico.edu> wrote:

> What I really want is quite simple: a series of commands that will take as
> input a private key, a new SSL certificate, and a
> series of intermediate/CA certificates and create a PKCS12 keystore that
> Jetty can use.

openssl pkcs12 -export -out file.p12 -inkey private.key -in public.crt -certfile chain.crt

There are a lot of varied ways to feed the certs in, but I've used a model where -in is just the EE cert and -certfile has the concat'd chain of the rest.

-- Scott

_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/jetty-users
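
The export command from Scott's reply, followed by checks to run on the resulting keystore before pointing Jetty at it, as an added example that is not part of the original thread. It assumes the openssl CLI is on the PATH; the helper function names, the throwaway CA, the file layout and the password are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread. File names, the throwaway CA and the
# password are constructed placeholders. Requires the openssl CLI.

# make_fixtures DIR: constructed CA (chain.crt) plus end-entity key and cert.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/chain.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/private.key" -out "$1/ee.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/ee.csr" -CA "$1/chain.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/public.crt" 2>/dev/null
}

# build_p12 DIR: the export command from the thread; the password is read
# from $P12_PASS so it does not appear in the process list.
build_p12() {
    openssl pkcs12 -export -out "$1/file.p12" -inkey "$1/private.key" \
        -in "$1/public.crt" -certfile "$1/chain.crt" -passout env:P12_PASS
}

# key_matches_cert KEY CERT: succeeds when both carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# p12_key_opens P12: succeeds when the private key decrypts with $P12_PASS.
p12_key_opens() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin env:P12_PASS 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

# p12_cert_count P12: certificates in the keystore (end-entity plus chain).
p12_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Demo on constructed input: build the keystore, then run every check.
export P12_PASS='constructed-demo-password'
work=$(mktemp -d) && make_fixtures "$work" && build_p12 "$work" &&
    key_matches_cert "$work/private.key" "$work/public.crt" &&
    p12_key_opens "$work/file.p12" &&
    echo "keystore ok, certificates: $(p12_cert_count "$work/file.p12")"
rm -rf "$work"
```

The certificate count should equal the end-entity certificate plus every certificate in the -certfile bundle, and p12_key_opens fails when the password supplied differs from the one used at export time.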