Installing Comodo PositiveSSL on Jetty

I usually buy Comodo certificates from PSW.net. Getting them running has always been a pain because the information on Comodo's website is extremely outdated. Painful as it is, their certificates are pretty cheap. That said, this is probably the last time I'll use them because it took me way too much time. If you are in pain too, here is some help.

First, if you are looking for UTNAddTrustServerCA.crt, which is described here, I have some news for you. Almost hidden away, I found the new required certificate hierarchy. It shows clearly that this file is no longer necessary, even though Comodo's websites still say otherwise. Once you know that, everything is much easier.

Let's start. Create a new private key and a certificate signing request (CSR).

# 4096-bit RSA key (unencrypted, -nodes) plus the CSR you send to the reseller
openssl req -new -nodes -keyout jetty.key -out jetty.csr -newkey rsa:4096
# optional: a self-signed certificate from the same key; not needed for the CA-issued chain below
openssl req -new -x509 -key jetty.key -out jetty.crt

Order a new certificate from PSW using the CSR and wait until you receive it. You need to authenticate yourself the first time you order.

Download AddTrustExternalRoot and PositiveSSL CA2 from Comodo's website. From PSW you'll get a zip file with your own certificate. Put them all into one directory and create the certificate chain.

# order matters: your certificate first, then the intermediate, then the root
cat www_yourdomain_de.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cert-chain.txt

For Jetty and the Java keystore you'll need to create a PKCS#12 file. It's done like this:

# you will be prompted for an export password; keytool asks for it as the source keystore password below
openssl pkcs12 -export -inkey jetty.key -in cert-chain.txt -out jetty.pkcs12

Upload this magic to your server (over SSH, of course) and import it into your keystore.

keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore mykeystore
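Before you import anything into the keystore it pays to check that the key, your certificate and the two CA files actually fit together, because a wrong chain only shows up later as browser warnings. The script below is an added example, not part of the original article: it checks that the private key belongs to the leaf certificate, that the leaf verifies up to the root through the intermediate (which is exactly the test that tells you whether UTNAddTrustServerCA.crt is still needed), builds the bundle in the right order and confirms that all three certificates made it into the PKCS#12 file. Since the real Comodo files cannot be shipped here, `make_toy_chain` constructs a three-tier toy hierarchy (constructed names: `root.crt`, `int.crt`, `leaf.crt`, `jetty.key`, `wrong.key`) purely to exercise the checks; on a real server point the same functions at `jetty.key`, `www_yourdomain_de.crt`, `PositiveSSLCA2.crt` and `AddTrustExternalCARoot.crt`.

```shell
#!/bin/sh
# Added example: sanity checks for key, certificate and chain before the
# PKCS#12 export. Requires only the openssl command-line tool.

# Does the private key ($1) belong to the certificate ($2)? Both public keys
# are printed as SubjectPublicKeyInfo PEM and compared byte for byte.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Does the leaf ($3) chain to the trusted root ($1) via the intermediate ($2)?
# If this passes with just root + intermediate, no further CA file is needed.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Write the bundle in the order TLS servers expect: leaf, intermediate, root.
build_bundle() {
    cat "$1" "$2" "$3" > "$4"
}

# Export key ($1) + bundle ($2) to PKCS#12 ($3) with password ($4) and print
# how many certificates the file contains (3 when the whole chain is in).
export_pkcs12_count() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout "pass:$4" 2>/dev/null || return 1
    openssl pkcs12 -in "$3" -nokeys -passin "pass:$4" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed toy hierarchy in directory $1, standing in for Comodo's chain.
# Root -> Intermediate -> Leaf, plus an unrelated key for the mismatch case.
make_toy_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Toy Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Toy Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -set_serial 1 -days 1 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/jetty.key" -out "$d/jetty.csr" 2>/dev/null
    openssl x509 -req -in "$d/jetty.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -set_serial 2 -days 1 -out "$d/leaf.crt" 2>/dev/null
    openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
}

# Run every check against the toy hierarchy and report the outcome.
demo() {
    d=$(mktemp -d)
    make_toy_chain "$d"
    key_matches_cert "$d/jetty.key" "$d/leaf.crt" && echo "jetty.key matches leaf.crt"
    key_matches_cert "$d/wrong.key" "$d/leaf.crt" || echo "wrong.key does not match leaf.crt (expected)"
    chain_verifies "$d/root.crt" "$d/int.crt" "$d/leaf.crt" && echo "leaf -> intermediate -> root verifies"
    chain_verifies "$d/root.crt" "$d/root.crt" "$d/leaf.crt" || echo "without the intermediate the chain breaks (expected)"
    build_bundle "$d/leaf.crt" "$d/int.crt" "$d/root.crt" "$d/cert-chain.txt"
    echo "certificates in PKCS#12: $(export_pkcs12_count "$d/jetty.key" "$d/cert-chain.txt" "$d/jetty.pkcs12" changeit)"
    rm -rf "$d"
}

demo
```

Once Jetty is running, `openssl s_client -connect yourhost:8443 -showcerts` shows which certificates the server actually sends; if only your own certificate appears, the intermediate did not make it through the PKCS#12 and keytool steps.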

Now that this is done, you just need to tell Jetty to use this keystore. I used this configuration in /etc/jetty.xml. The OBF: values are passwords run through Jetty's Password utility; OBF is reversible obfuscation, not encryption, so it only keeps the password out of plain view and the file still needs tight permissions.

<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="keyStore">/path/to/mykeystore</Set>
          <Set name="keyStorePassword">OBF:encryptedpass</Set>
          <Set name="keyManagerPassword">OBF:encryptedpass</Set>
          <Set name="trustStorePassword">OBF:encryptedpass</Set>
        </New>
      </Arg>
      <Set name="port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
    </New>
  </Arg>
</Call>

After a restart, Jetty should use your keystore. Don't forget to create the virtual host names in your context.

That said, my pain with Comodo clearly has nothing to do with PSW.net. They are a reseller, and so far I have had great experiences with them. Check them out if you need anything SSL related. To my knowledge they work internationally.

Two more references: Jetty How-To SSL and Oracle Keytool.

Published at DZone with permission of Christian Grobmeier, DZone MVB. See the original article here.