@xkr47
Last active June 26, 2024 09:03
How to use Letsencrypt certificate & private key with Jetty
# input: fullchain.pem and privkey.pem as generated by the "letsencrypt-auto" script when run with
# the "auth" aka "certonly" subcommand
# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
# don't need the PKCS#12 file anymore
rm keystore.pkcs12
# Now use "keystore.jks" as the keystore in Jetty with the keystore password you specified when you ran
# the "keytool" command
@pointbazaar

thank you sir!

@luckydem

Thanks this has been extremely helpful!
Has anyone extended the script to auto update the private key for jetty whenever the letsencrypt certificate is updated?

@seanbright

Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:

sslContextFactory.setKeyStoreType("PKCS12");
sslContextFactory.setKeyStorePath("/path/to/pkcs/file.p12");

(The call to setKeyStoreType() is probably unneeded as well, unless you've changed the security policy setting keystore.type.compat which defaults to true)
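
An added example (not from the gist or any commenter) that turns the steps above into a certbot deploy hook, so the PKCS#12 keystore Jetty loads directly is rebuilt on every renewal, which also covers the automation question asked earlier. It assumes certbot's RENEWED_LINEAGE variable is set for deploy hooks, that the keystore password is supplied in a KEYSTORE_PASS environment variable, and that the Jetty restart command is a placeholder you replace.

```shell
#!/bin/sh
# Added example (not part of the gist): certbot --deploy-hook that rebuilds
# the PKCS#12 keystore from the renewed fullchain.pem/privkey.pem.
# Assumptions: certbot exports RENEWED_LINEAGE (the live/<domain> directory),
# KEYSTORE_PASS holds the keystore password, and the restart line is a
# placeholder for your own Jetty reload command.
set -eu

# Count "-----BEGIN CERTIFICATE-----" blocks in a PEM file. fullchain.pem must
# carry more than one (leaf plus intermediates) or clients will fail to build
# the chain even though Jetty itself starts without complaint.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Confirm privkey.pem belongs to the first (leaf) certificate of the chain by
# comparing the SHA-256 digest of the public key taken from each side.
# (openssl x509 reads only the first certificate in a multi-cert PEM file.)
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Build the PKCS#12 file into a temp path and move it into place atomically so
# Jetty never reads a half-written keystore.
build_keystore() {
    lineage=$1 dest=$2
    [ "$(count_pem_certs "$lineage/fullchain.pem")" -ge 2 ] ||
        { echo "fullchain.pem has no intermediates" >&2; return 1; }
    key_matches_cert "$lineage/fullchain.pem" "$lineage/privkey.pem" ||
        { echo "privkey.pem does not match the leaf certificate" >&2; return 1; }
    tmp=$(mktemp "$dest.XXXXXX")
    openssl pkcs12 -export -out "$tmp" \
        -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
        -passout env:KEYSTORE_PASS
    chmod 640 "$tmp"
    mv "$tmp" "$dest"
}

# Only act when invoked by certbot (RENEWED_LINEAGE set); sourcing the file for
# its functions does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    : "${KEYSTORE_PASS:?set KEYSTORE_PASS in the hook environment}"
    build_keystore "$RENEWED_LINEAGE" /etc/jetty/keystore.p12
    systemctl restart jetty   # placeholder: substitute your Jetty reload command
fi
```

Point Jetty's keystore path at /etc/jetty/keystore.p12 (type PKCS12, as in the comment above) and pass the script to certbot with --deploy-hook so it runs only after a successful renewal.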

@kernelfreak

Thank you for this. Lifesaver.

@juleskers

Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:

Indeed, this is a feature of modern JDKs; they have deprecated the proprietary JKS-format in favour of PKCS12, so you can use the PKCS12 output from the openssl-step directly.

You can recognise this from your keytool output; your Java can handle PKCS12 keystores if your keytool shows the warning:

The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

@xkr47
Author

xkr47 commented Jul 26, 2021

Omg thanks everybody for your nice comments, glad it was of help! :)

16 forks & 56 stars 😲

Thanks @juleskers — yeah things have definitely improved a lot since the letsencrypt snowballing started :)

@bakursait2

Thank you. That helped me to figure out how the key-certificate thing is done in jetty. It worked for me, though I kept the pkcs12 format and did not convert it to jks.
Actually, I tried first to convert it, but a warning showed up and advised me to keep using pkcs12.
