Gist xkr47/920ffe94f6a4c171ee59
```sh
# input: fullchain.pem and privkey.pem as generated by the "letsencrypt-auto" script when run with
# the "auth" aka "certonly" subcommand
# convert certificate chain + private key to the PKCS#12 file format
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem
# convert PKCS#12 file into Java keystore format
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks
# don't need the PKCS#12 file anymore
rm keystore.pkcs12
# Now use "keystore.jks" as keystore in jetty with the keystore password you specified when you ran
# the "keytool" command
```
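As an added example (not the gist author's script), here is a non-interactive version of the same openssl step that fits a certbot renewal hook: it reads the export password from a file instead of prompting, gives the entry a stable alias, creates the bundle with restrictive permissions, and refuses to install it unless the leaf certificate is unexpired and its public key matches the bundled private key. The live directory, the password file and the alias `jetty` are assumptions; since Jetty can load PKCS#12 directly, no keytool step is needed.

```sh
#!/bin/sh
# Added example, not the gist's own code. Rebuilds the PKCS#12 bundle for Jetty
# from a certbot live directory (fullchain.pem + privkey.pem) without prompting.
# Assumes the password file is readable only by the user running the hook.
set -eu

# build_p12 <live_dir> <password_file> <output.p12>
# Writes to a temp file, verifies it, and only then moves it into place.
build_p12() {
    live="$1"; passfile="$2"; out="$3"; tmp="$out.tmp.$$"
    umask 077                                   # the bundle holds the private key
    openssl pkcs12 -export \
        -in "$live/fullchain.pem" -inkey "$live/privkey.pem" \
        -name jetty \
        -passout "file:$passfile" -out "$tmp" || return 1
    verify_p12 "$tmp" "$passfile" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out"
}

# verify_p12 <file.p12> <password_file>
# Succeeds only if the bundle opens with the given password, the leaf certificate
# has not expired, and the certificate's public key matches the private key.
verify_p12() {
    p12="$1"; passfile="$2"
    cert=$(openssl pkcs12 -in "$p12" -passin "file:$passfile" -clcerts -nokeys 2>/dev/null) || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null || return 1
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey)
    key_pub=$(openssl pkcs12 -in "$p12" -passin "file:$passfile" -nocerts -nodes 2>/dev/null \
              | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Point Jetty at the resulting file with `setKeyStoreType("PKCS12")` and the same password, and reload Jetty after the hook runs so the renewed key is picked up.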
Thanks this has been extremely helpful!
Has anyone extended the script to auto update the private key for jetty whenever the letsencrypt certificate is updated?
Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:
```java
sslContextFactory.setKeyStoreType("PKCS12");
sslContextFactory.setKeyStorePath("/path/to/pkcs/file.p12");
```
(The call to setKeyStoreType() is probably unneeded as well, unless you've changed the security policy setting keystore.type.compat which defaults to true)
Thank you for this. Lifesaver.
> Putting the file into a .jks file isn't necessary. You can load the PKCS #12 file directly:
Indeed, this is a feature of modern JDKs; they have deprecated the proprietary JKS format in favour of PKCS12, so you can use the PKCS12 output from the openssl step directly.
You can recognise this from your keytool output; your Java can handle PKCS12 keystores if your keytool shows the warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
Omg thanks everybody for your nice comments, glad it was of help! :)
16 forks & 56 stars 😲
Thanks @juleskers — yeah things have definitely improved a lot since the letsencrypt snowballing started :)
Thank you.. That's helped me to figure out how the key-certificate thing is done in jetty. It worked for me, though I kept the pkcs12 format and did not convert it to jks.
Actually, I tried first to convert it, but a warning showed up and advised me to keep using pkcs12.
thank you sir!