Re: [jetty-users] Keystore Problems
  • From: David C Fuhs <dfuhs@xxxxxxxxxxxx>
  • Date: Tue, 26 May 2020 21:26:40 +0000


Thanks, Scott.

Using Scott's example command, but modified with our specifics, generates the PKCS12 keystore, but Jetty throws the same exception on startup:

2020-05-26 13:56:29,793 - INFO [org.eclipse.jetty.server.AbstractConnector:331] - Started ServerConnector@1fdf8aa4{HTTP/1.1, (http/1.1)}{127.0.0.1:8080}
2020-05-26 13:56:29,794 - WARN [org.eclipse.jetty.xml.XmlConfiguration:1938] -
java.security.PrivilegedActionException: null
        at java.base/java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1878)
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:462)

keytool seems okay with the keystore.  Omitting all the details, but it shows the new SSL certificate, followed by the intermediate/CA certificates in the correct order:

/tmp:> keytool -list -keystore xyz.p12 -v
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: May 26, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 4
Certificate[1]:

David Fuhs
Information Security Office
California State University, Chico
dfuhs@xxxxxxxxxxxx
530-898-4852



From: jetty-users-bounces@xxxxxxxxxxx <jetty-users-bounces@xxxxxxxxxxx> on behalf of Cantor, Scott <cantor.2@xxxxxxx>
Sent: Tuesday, May 26, 2020 1:40 PM
To: JETTY user mailing list <jetty-users@xxxxxxxxxxx>
Subject: Re: [jetty-users] Keystore Problems
 
On 5/26/20, 4:34 PM, "jetty-users-bounces@xxxxxxxxxxx on behalf of David C Fuhs" <jetty-users-bounces@xxxxxxxxxxx on behalf of dfuhs@xxxxxxxxxxxx> wrote:

> What I really want is quite simple: a series of commands that will take as input a private key, a new SSL certificate, and a
> series of intermediate/CA certificates and create a PKCS12 keystore that Jetty can use.

openssl pkcs12 -export -out file.p12 -inkey private.key -in public.crt -certfile chain.crt

There are a lot of varied ways to feed the certs in, but I've used a model where -in is just the EE cert and -certfile has the concat'd chain of the rest.

-- Scott
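
The trace above fails in PKCS12KeyStore.engineGetKey, that is, while decrypting the private key entry, a step that keytool -list does not perform. As an added example (not part of the original thread, and not Jetty's code), this check makes the same KeyStore.getKey call so that a key password can be tested separately from the keystore password, and confirms that the key pairs with the first certificate in the chain; the class name CheckP12Key is hypothetical, and it assumes JDK 11 or later and an RSA, DSA or EC key.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Collections;

// Added diagnostic (not Jetty code). Run: java CheckP12Key.java xyz.p12
public class CheckP12Key {
    public static void main(String[] args) throws Exception {
        Console con = System.console();
        if (args.length != 1 || con == null) {
            System.err.println("usage (interactive terminal): CheckP12Key <file.p12>");
            System.exit(2);
        }
        // Passwords are prompted for so they stay out of shell history and process lists.
        char[] storePass = con.readPassword("Keystore password: ");
        char[] keyPass = con.readPassword("Key password to test (empty = same): ");
        if (keyPass.length == 0) keyPass = storePass;

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass); // needs only the store password, like keytool -list
        }
        int failures = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) continue;
            try {
                // The call that fails in the trace above (PKCS12KeyStore.engineGetKey).
                PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass);
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.printf("alias %s: key decrypted, chain length %d, matches leaf: %b%n",
                        alias, chain.length, matchesLeaf(key, chain[0]));
            } catch (UnrecoverableKeyException e) {
                failures++;
                System.out.printf("alias %s: key not recoverable: %s%n", alias, e.getMessage());
            }
        }
        System.exit(failures == 0 ? 0 : 1);
    }

    // Sign a fixed message with the private key, verify with the leaf certificate's public key.
    static boolean matchesLeaf(PrivateKey key, Certificate leaf) throws Exception {
        String alg = "EC".equals(key.getAlgorithm()) ? "SHA256withECDSA" : "SHA256with" + key.getAlgorithm();
        byte[] msg = "keystore self-test".getBytes("UTF-8");
        Signature s = Signature.getInstance(alg);
        s.initSign(key);
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(leaf.getPublicKey());
        s.update(msg);
        return s.verify(sig);
    }
}
```

An exit status of 1 means at least one private key entry could not be decrypted with the password under test, even though the keystore itself loaded.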

