Tags: java, tomcat, jetty, ssl-certificate, keystore

How to correctly create a java keystore file from PEM files provided by a Certificate Authority?


I'm trying to get a secure site running over SSL with Jetty. I've received 4 PEM files from a Certificate Authority:

  • 1 Root Certificate
  • 2 Intermediate Certificates
  • 1 Certificate for my site

But I can't get it working. Either the site rejects requests completely or it works but doesn't recognize the certificate and the browser gives a warning. I've tried the following:

keytool -keystore keystore.jks -import -alias server -file server.crt -trustcacerts

...but this results in requests to the site being rejected immediately with Chrome saying the webpage is unavailable - no errors on the server at all. I've also tried this:

openssl pkcs12 -export -out keystore.pkcs12 -in server.crt -inkey server-private-key.pem
keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks

...and this results in the site responding to requests but still warning about the certificate not being trusted.

What do I need to do (if anything) with the root certificate and intermediate certificates? Are my attempts failing because I'm not using them? I can't find any information that pieces together what I'm missing.


Solution

  • Combine all the certificates together. Your server.crt will look like this:

    -----BEGIN CERTIFICATE-----
    1 Certificate for my site
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    1st Intermediate Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    2nd Intermediate Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    1 Root Certificate
    -----END CERTIFICATE-----

    Use commands:

    openssl pkcs12 -export -clcerts -in server.crt -inkey server-private-key.pem -out keystore.pkcs12
    
    keytool -importkeystore -srckeystore keystore.pkcs12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype jks
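The order of the concatenated server.crt matters: the site certificate first, then each intermediate in issuing order, then the root. A quick way to catch a misordered or incomplete bundle before exporting it to PKCS12 is to split the PEM file, pull the issuer and subject out of each certificate, and check that every certificate was issued by the one that follows it. The script below does that; it is an added example, not code from the question or the answer. It uses only the standard library (a minimal DER walk of the TBSCertificate fields instead of a full X.509 parser), and the sample bundles it checks are constructed stand-ins with the real certificate field layout but no real keys or signatures; the names "Example Root CA", "Example Intermediate 1/2" and "www.example.com" are made up for the demonstration.

```python
import base64
import re

# Matches one PEM certificate block; re.S lets the base64 body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(der):
    """Return the (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(der):
        tag, value, pos = _read_tlv(der, pos)
        out.append((tag, value))
    return out


def issuer_and_subject(cert_der):
    """Return the raw DER Name bytes (issuer, subject) of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, cert, _ = _read_tlv(cert_der, 0)
    fields = _children(_children(cert)[0][1])
    if fields[0][0] == 0xA0:  # drop the optional explicit [0] version
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def check_bundle_order(pem_text):
    """Return a list of problems; an empty list means leaf -> intermediates -> root."""
    certs = [issuer_and_subject(der) for der in split_pem_bundle(pem_text)]
    if not certs:
        return ["bundle contains no certificates"]
    problems = []
    if certs[0][0] == certs[0][1]:
        problems.append("first certificate is self-signed; the site certificate must come first")
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:  # issuer of N must be subject of N+1
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}: "
                            "out of order, or an intermediate is missing")
    if certs[-1][0] != certs[-1][1]:
        problems.append("last certificate is not self-signed: the root is missing")
    return problems


# ---- constructed sample data (not real certificates) ------------------------

def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _name(cn):
    # Name = SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName (2.5.4.3).
    atv = _tlv(0x30, _tlv(0x06, bytes.fromhex("550403")) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in with the TBSCertificate field layout; not a valid cert."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
               + _name(subject_cn) + _tlv(0x30, b""))  # empty placeholder SPKI
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00"))  # empty placeholder signature
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


LEAF = fake_cert_pem("www.example.com", "Example Intermediate 2")
INTER2 = fake_cert_pem("Example Intermediate 2", "Example Intermediate 1")
INTER1 = fake_cert_pem("Example Intermediate 1", "Example Root CA")
ROOT = fake_cert_pem("Example Root CA", "Example Root CA")

GOOD_BUNDLE = LEAF + INTER2 + INTER1 + ROOT      # the order the answer describes
LEAF_ONLY_BUNDLE = LEAF                            # what the original keytool attempt used
MISORDERED_BUNDLE = ROOT + INTER1 + INTER2 + LEAF  # root first: every link breaks

if __name__ == "__main__":
    for label, bundle in [("good", GOOD_BUNDLE), ("leaf only", LEAF_ONLY_BUNDLE),
                          ("misordered", MISORDERED_BUNDLE)]:
        print(label, check_bundle_order(bundle) or "OK")
```

Run it against the real server.crt with `check_bundle_order(open("server.crt").read())`. Comparing the raw DER Name bytes is enough when the CA encoded the issuer field exactly as it encoded its own subject, which is the norm for a chain issued by one CA; it does not verify signatures. For the authoritative check, `openssl verify -CAfile root.pem -untrusted intermediates.pem site.pem` validates the signatures as well as the links.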