-
-
Save xkr47/920ffe94f6a4c171ee59 to your computer and use it in GitHub Desktop.
# input: fullchain.pem and privkey.pem as generated by the "letsencrypt-auto" script when run with | |
# the "auth" aka "certonly" subcommand | |
# convert certificate chain + private key to the PKCS#12 file format | |
openssl pkcs12 -export -out keystore.pkcs12 -in fullchain.pem -inkey privkey.pem | |
# convert PKCS#12 file into Java keystore format | |
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype PKCS12 -destkeystore keystore.jks | |
# don't need the PKCS#12 file anymore | |
rm keystore.pkcs12 | |
# Now use "keystore.jks" as keystore in jetty with the keystore password you specfied when you ran | |
# the "keytool" command |
Putting the file into a
.jks
file isn't necessary. You can load the PKCS #12 file directly:
Indeed, this is a feature of modern JDKs; they have deprecated the proprietary JKS-format in favour of PKCS12, so you can use the PKCS12 output from the openssl-step directly.
You can recognise this from your Keytool output; Your Java can handle PKCS12 keystores if your keytool shows the warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
Omg thanks everybody for your nice comments, glad it was of help! :)
16 forks & 56 stars 😲
Thanks @juleskers — yeah things have definately improved a lot since the letsencrypt snowballing started :)
Thank you.. That's helped me to figure out how to have the key-certificate thing is done in jetty. It worked with me, though I kept the pkcs12 format and did not convert it to jks.
Actually, I tried first to convert it, but It a warning showed up and advised me to keep using pkcs12.
Thank you for this. Lifesaver.