Trying to setup SSL on jetty 7.2.2 using these instructions: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL
stuck on 3b:
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore $JETTY_HOME/etc/keystore
jetty ships with default keystore at $JETTY_HOME/etc/keystore开发者_StackOverflow
. I'm asked for password when running that command. I don't know default keystore password.
If I try to replace that keystore with newly created one - I'm getting IOException on jetty startup - keystore is tampered with or password incorrect.
What I'm doing wrong? Or what's default keystore jetty password?
The default password for the keystore that is shipped with jetty is storepwd
. But I would highly recommend you follow the steps listed in the How to configure SSL and create your own keystore.
I think you just want to overwrite the keystore in etc/keystore with your new one. Then, update the Jetty conf as in Step 4. You will need to obfuscate your keystore password using the org.mortbay.jetty.security.Password
class.
One more subtle steps that needs to be followed .
i.e Jetty has another file start.ini, un-comment jetty-ssl.xml line to make the SSL configuration active.
That was my bad. Didn't notice that there's jetty-ssl.xml also, that used default keystore. Moved addConnector to jetty-ssl.xml, put right passwords there, and everything works now like a charm.
One note, the eclipse version of jetty works a little differently http://www.eclipsezone.com/eclipse/forums/t88098.html
Today with jetty 9.4.34 and you'd like to use the default keystore password storepwd
and default private key password keypwd
, so that you don't have to modify the config, and you have cert/key in common PEM format...
tmpcert="/tmp/certkey$RANDOM.pkcs12" ; \
openssl pkcs12 -export -inkey "key.pem" \
-in "cert.pem" \
-passout "pass:storepwd" \
-out "$tmpcert" \
&& \
keytool -importkeystore \
-srckeystore "$tmpcert" -srcstoretype PKCS12 \
-srcstorepass storepwd \
-destkeystore "$JETTY_BASE/etc/keystore" -deststoretype JKS \
-deststorepass storepwd \
-destkeypass keypwd ; \
rm "$tmpcert"
That's all you need to import to provide SSL functionality
Because of JKS there is the
Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using ...
But it is the only possibility to set a different keypass like keypwd
for key and storepwd
for keystore.
For pkcs12 storetype this distinction is impossible (at least with keytool, there is an error on execution).
For the rest (like config modifications for own passwords, and generating own passwords) the documentation at https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html is ok.
精彩评论