Skip to content

Instantly share code, notes, and snippets.

@xkr47

xkr47/letsencrypt-jetty.sh

Last active August 29, 2023 07:22
Show Gist options
  • Star 58 You must be signed in to star a gist
  • Fork 15 You must be signed in to fork a gist
  • Save xkr47/920ffe94f6a4c171ee59 to your computer and use it in GitHub Desktop.
Save xkr47/920ffe94f6a4c171ee59 to your computer and use it in GitHub Desktop.
Download ZIP
How to use Letsencrypt certificate & private key with Jetty
Raw
letsencrypt-jetty.sh
# input: fullchain.pem and privkey.pem as generated by the "letsencrypt-auto" script when run with
# the "auth" aka "certonly" subcommand
# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
# don't need the PKCS#12 file anymore
rm keystore.pkcs12
# Now use "keystore.jks" as keystore in jetty with the keystore password you specfied when you ran
# the "keytool" command
@Plasmoxy
Copy link

Sir, many thanks for this life-saving gist !
someone should write a tutorial for this

  • ( I should write a tutorial for this :D )

@pointbazaar
Copy link

thank you sir!

@luckydem
Copy link

Thanks this has been extremely helpful!
Has anyone extended the script to auto update the private key for jetty when ever the letsencrypt certificate is updated?

@seanbright
Copy link

Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:

sslContextFactory.setKeyStoreType("PKCS12");
sslContextFactory.setKeyStorePath("/path/to/pkcs/file.p12");

(The call to setKeyStoreType() is probably unneeded as well, unless you've changed the security policy setting keystore.type.compat which defaults to true)

@kernelfreak
Copy link

Thank you for this. Lifesaver.

@juleskers
Copy link

Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:

Indeed, this is a feature of modern JDKs; they have deprecated the proprietary JKS-format in favour of PKCS12, so you can use the PKCS12 output from the openssl-step directly.

You can recognise this from your Keytool output; Your Java can handle PKCS12 keystores if your keytool shows the warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

@xkr47
Copy link
Author

xkr47 commented Jul 26, 2021

Omg thanks everybody for your nice comments, glad it was of help! :)

16 forks & 56 stars 😲

Thanks @juleskers — yeah things have definately improved a lot since the letsencrypt snowballing started :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment