Thanks, Scott.

Using Scott's example command, but modified with our specifics, generates the 
PKCS12 keystore, but Jetty throws the same exception on startup:

2020-05-26 13:56:29,793 - INFO [org.eclipse.jetty.server.AbstractConnector:331] - Started ServerConnector@1fdf8aa4{HTTP/1.1, (http/1.1)}{127.0.0.1:8080}
2020-05-26 13:56:29,794 - WARN [org.eclipse.jetty.xml.XmlConfiguration:1938] -
java.security.PrivilegedActionException: null
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:462)

keytool seems okay with the keystore.  Omitting all the details, but it shows 
the new SSL certificate, followed by the intermediate/CA certificates in the 
correct order:

/tmp:> keytool -list -keystore xyz.p12 -v
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: May 26, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:

David Fuhs
Information Security Office
California State University, Chico
df...@csuchico.edu
530-898-4852


________________________________
From: jetty-users-boun...@eclipse.org <jetty-users-boun...@eclipse.org> on 
behalf of Cantor, Scott <canto...@osu.edu>
Sent: Tuesday, May 26, 2020 1:40 PM
To: JETTY user mailing list <jetty-users@eclipse.org>
Subject: Re: [jetty-users] Keystore Problems

On 5/26/20, 4:34 PM, "jetty-users-boun...@eclipse.org on behalf of David C 
Fuhs" <jetty-users-boun...@eclipse.org on behalf of df...@csuchico.edu> wrote:

> What I really want is quite simple: a series of commands that will take as 
> input a private key, a new SSL certificate, and a
> series of intermediate/CA certificates and create a PKCS12 keystore that 
> Jetty can use.

openssl pkcs12 -export -out file.p12 -inkey private.key -in public.crt -certfile chain.crt

There are a lot of varied ways to feed the certs in, but I've used a model where 
-in is just the EE cert and -certfile has the concat'd chain of the rest.

-- Scott
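The command above, carried through end to end as an added example (this is not code from the thread or from Jetty): it generates a throwaway key and certificate chain, builds the PKCS12 keystore the way Scott describes, and then checks that the file opens with the password Jetty will be configured with. It assumes openssl is on PATH; the password `changeit`, the hostname and all certificate subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): build a PKCS12 keystore from a private key,
# an end-entity cert and a chain file with Scott's openssl command, then verify it.
# Assumes openssl on PATH. Every key, cert and password below is constructed here.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # constructed; in real use this is Jetty's KeyStorePassword

# Constructed material: throwaway root -> intermediate -> end-entity (EE) chain.
make_test_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/int.csr" -CA "$WORK/root.crt" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=jetty.example.test" \
    -keyout "$WORK/private.key" -out "$WORK/ee.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/ee.csr" -CA "$WORK/int.crt" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/public.crt" 2>/dev/null
  # chain.crt holds everything except the EE cert, leaf side first, as in Scott's model
  cat "$WORK/int.crt" "$WORK/root.crt" > "$WORK/chain.crt"
}

# Scott's command, with the password supplied non-interactively.
build_keystore() {  # $1 = keystore password
  openssl pkcs12 -export -out "$WORK/xyz.p12" -inkey "$WORK/private.key" \
    -in "$WORK/public.crt" -certfile "$WORK/chain.crt" -passout "pass:$1"
}

# Returns 0 only if the keystore MAC verifies under $1, i.e. the password is right.
# openssl -export protects the key bag with this same passphrase, so a Jetty
# KeyManagerPassword, if one is configured, has to equal KeyStorePassword here.
keystore_opens() {  # $1 = password
  openssl pkcs12 -in "$WORK/xyz.p12" -passin "pass:$1" -nokeys -noout 2>/dev/null
}

# Prints how many certificates the keystore carries (EE + chain).
cert_count() {  # $1 = password
  openssl pkcs12 -in "$WORK/xyz.p12" -passin "pass:$1" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

make_test_chain
build_keystore "$PASS"
echo "certificates in xyz.p12: $(cert_count "$PASS")"
keystore_opens "$PASS" && echo "opens with the configured password"
keystore_opens not-the-password || echo "mismatched password rejected, as expected"
```

With the three constructed certs the count printed is 3; the second `keystore_opens` call is the check worth running against a real file, with the exact password string from the Jetty SSL configuration, before starting the server.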


_______________________________________________
jetty-users mailing list
jetty-users@eclipse.org
To unsubscribe from this list, visit 
https://www.eclipse.org/mailman/listinfo/jetty-users