# input: fullchain.pem and privkey.pem as generated by the "letsencrypt-auto" script when run with
# the "auth" aka "certonly" subcommand
# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
# don't need the PKCS#12 file anymore
rm keystore.pkcs12
# Now use "keystore.jks" as keystore in jetty with the keystore password you specified when you ran
# the "keytool" command
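As an added example (not part of the gist or of any comment on it), the openssl step above wrapped in a small POSIX sh script that can run as a certbot deploy hook, so the keystore is rebuilt every time the certificate is renewed. It assumes certbot's RENEWED_LINEAGE variable (the directory holding the renewed fullchain.pem and privkey.pem), a password file readable only by the Jetty user, and the output path /etc/jetty/keystore.p12; the keytool conversion can still follow if a JKS file is wanted.

```shell
#!/bin/sh
# Constructed example: rebuild Jetty's PKCS#12 keystore from a Let's Encrypt lineage.
set -e

# build_p12 LINEAGE_DIR OUT_P12 PASSWORD_FILE
# Writes the keystore with mode 0600 and moves it into place atomically, so the
# private key is never left partially written or world-readable.
# Note: OpenSSL 3 defaults to PBES2/AES encryption for PKCS#12; older JDKs that
# cannot open such files need "-legacy" added to the export command.
build_p12() {
    lineage=$1; out=$2; passfile=$3
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    tmp="$out.tmp.$$"
    (
        umask 077
        openssl pkcs12 -export \
            -in "$lineage/fullchain.pem" -inkey "$lineage/privkey.pem" \
            -name jetty -passout "file:$passfile" -out "$tmp"
    )
    mv -f "$tmp" "$out"
}

# verify_p12 P12_FILE PASSWORD_FILE
# Opens the keystore with the stored password and prints how many certificates
# it carries (the leaf plus the chain); a wrong password makes openssl fail.
verify_p12() {
    openssl pkcs12 -in "$1" -passin "file:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Deploy-hook entry point: certbot exports RENEWED_LINEAGE only when run as a hook,
# so sourcing this file elsewhere does nothing. Paths are assumptions for the example.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    ks=${JETTY_KEYSTORE:-/etc/jetty/keystore.p12}
    pw=${JETTY_KEYSTORE_PASSFILE:-/etc/jetty/keystore.pass}
    build_p12 "$RENEWED_LINEAGE" "$ks" "$pw"
    verify_p12 "$ks" "$pw" >/dev/null
    # Jetty then needs a restart or keystore reload to pick up the new file.
fi
```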
thank you sir!
Thanks this has been extremely helpful!
Has anyone extended the script to auto update the private key for jetty whenever the letsencrypt certificate is updated?
Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:
sslContextFactory.setKeyStoreType("PKCS12");
sslContextFactory.setKeyStorePath("/path/to/pkcs/file.p12");
(The call to setKeyStoreType() is probably unneeded as well, unless you've changed the security policy setting keystore.type.compat, which defaults to true.)
Thank you for this. Lifesaver.
Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:
Indeed, this is a feature of modern JDKs; they have deprecated the proprietary JKS format in favour of PKCS12, so you can use the PKCS12 output from the openssl step directly.
You can recognise this from your keytool output; your Java can handle PKCS12 keystores if your keytool shows the warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
Omg thanks everybody for your nice comments, glad it was of help! :)
16 forks & 56 stars 😲
Thanks @juleskers — yeah things have definitely improved a lot since the letsencrypt snowballing started :)
Thank you. That helped me to figure out how the key-certificate thing is done in jetty. It worked for me, though I kept the pkcs12 format and did not convert it to jks.
Actually, I tried first to convert it, but a warning showed up and advised me to keep using pkcs12.
Sir, many thanks for this life-saving gist !
someone should write a tutorial for this