Last active August 29, 2023 07:22
How to use Letsencrypt certificate & private key with Jetty
# input: fullchain.pem and privkey.pem as generated by the "letsencrypt-auto" script when run with
# the "auth" aka "certonly" subcommand
# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
# don't need the PKCS#12 file anymore
rm keystore.pkcs12
# Now use "keystore.jks" as keystore in jetty with the keystore password you specified when you ran
# the "keytool" command

ghost commented Jan 22, 2016

Thank you. This is typically the kind of information that should be mentioned in the documentation of Jetty.


bdunn44 commented Jun 6, 2016

This is in Jetty's documentation. You'll find it here: Thanks for posting a succinct example here, though!


ghost commented Apr 9, 2017

This gist saves lives. Thank you.


Thank you so much. You've just saved my app ;D


I had to rename the file from keystore.jks to simply keystore for jetty defaults. These 2 commands were very useful. Thank you.


it helps a lot!


mussaGG commented Jul 2, 2018

Dude, if I could, I would kiss you. You have no idea what an impact your simple solution has had, we were tearing our hair out trying to get things to work for our app. Thank you!!!


Sir, many thanks for this life-saving gist!
someone should write a tutorial for this

  • ( I should write a tutorial for this :D )


thank you sir!


Thanks, this has been extremely helpful!
Has anyone extended the script to auto update the private key for jetty whenever the letsencrypt certificate is updated?


Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:


(The call to setKeyStoreType() is probably unneeded as well, unless you've changed the security policy setting keystore.type.compat which defaults to true)


Thank you for this. Lifesaver.


Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:

Indeed, this is a feature of modern JDKs; they have deprecated the proprietary JKS-format in favour of PKCS12, so you can use the PKCS12 output from the openssl-step directly.

You can recognise this from your Keytool output; your Java can handle PKCS12 keystores if your keytool shows the warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
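
Added example, not part of the gist or of any comment above: a non-interactive form of the gist's conversion that stops at the PKCS#12 file, as the comments above suggest, so it can be re-run after each certificate renewal. The function name `make_jetty_keystore`, the `KEYSTORE_PASS` variable and the alias `jetty` are assumptions of this example.

```shell
#!/bin/sh
# Added example: fullchain.pem + privkey.pem -> PKCS#12 keystore, no prompts.
# Hypothetical names: make_jetty_keystore, KEYSTORE_PASS, alias "jetty".
#
# usage: KEYSTORE_PASS=... make_jetty_keystore LIVE_DIR OUT_FILE
#   LIVE_DIR  directory containing fullchain.pem and privkey.pem
#   OUT_FILE  PKCS#12 keystore to (re)write
make_jetty_keystore() (
    live_dir=${1:-} out=${2:-}
    [ -n "$live_dir" ] && [ -n "$out" ] || {
        echo "usage: make_jetty_keystore LIVE_DIR OUT_FILE" >&2; exit 2; }
    [ -r "$live_dir/fullchain.pem" ] && [ -r "$live_dir/privkey.pem" ] || {
        echo "fullchain.pem or privkey.pem not readable in $live_dir" >&2; exit 3; }
    [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS is empty" >&2; exit 4; }
    # Passed via the environment (env:), so the password is not visible in argv.
    export KEYSTORE_PASS

    # The keystore contains the private key: create it owner-readable only.
    umask 077
    tmp=$(mktemp "$out.XXXXXX") || exit 5

    # Same conversion as the gist, with the password supplied non-interactively.
    openssl pkcs12 -export -name jetty \
        -in "$live_dir/fullchain.pem" -inkey "$live_dir/privkey.pem" \
        -out "$tmp" -passout env:KEYSTORE_PASS || { rm -f "$tmp"; exit 6; }

    # Read the file back (MAC check) before it replaces the keystore in use.
    openssl pkcs12 -in "$tmp" -noout -passin env:KEYSTORE_PASS || {
        rm -f "$tmp"; exit 7; }

    # Rename within the same directory, so a reader never sees a partial file.
    mv -f "$tmp" "$out"
)
```

The resulting file is mode 0600, so run the function as the account Jetty runs under, or adjust ownership afterwards.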


xkr47 commented Jul 26, 2021

Omg thanks everybody for your nice comments, glad it was of help! :)

16 forks & 56 stars 😲

Thanks @juleskers — yeah things have definitely improved a lot since the letsencrypt snowballing started :)
