开发者

Keystore password for Jetty 7.0 SSL configuration

Trying to setup SSL on jetty 7.2.2 using these instructions: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL

stuck on 3b: keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore $JETTY_HOME/etc/keystore

jetty ships with default keystore at $JETTY_HOME/etc/keystore开发者_StackOverflow. I'm asked for password when running that command. I don't know default keystore password.

If I try to replace that keystore with newly created one - I'm getting IOException on jetty startup - keystore is tampered with or password incorrect.

What I'm doing wrong? Or what's default keystore jetty password?


The default password for the keystore that is shipped with jetty is storepwd. But I would highly recommend you follow the steps listed in the How to configure SSL and create your own keystore.


I think you just want to overwrite the keystore in etc/keystore with your new one. Then, update the Jetty conf as in Step 4. You will need to obfuscate your keystore password using the org.mortbay.jetty.security.Password class.


One more subtle steps that needs to be followed .

i.e Jetty has another file start.ini, un-comment jetty-ssl.xml line to make the SSL configuration active.


That was my bad. Didn't notice that there's jetty-ssl.xml also, that used default keystore. Moved addConnector to jetty-ssl.xml, put right passwords there, and everything works now like a charm.


One note, the eclipse version of jetty works a little differently http://www.eclipsezone.com/eclipse/forums/t88098.html


Today with jetty 9.4.34 and you'd like to use the default keystore password storepwd and default private key password keypwd, so that you don't have to modify the config, and you have cert/key in common PEM format...

tmpcert="/tmp/certkey$RANDOM.pkcs12" ; \
openssl pkcs12 -export -inkey "key.pem" \
        -in "cert.pem" \
        -passout "pass:storepwd" \
        -out "$tmpcert" \
&& \
keytool -importkeystore \
        -srckeystore "$tmpcert" -srcstoretype PKCS12 \
        -srcstorepass storepwd \
        -destkeystore "$JETTY_BASE/etc/keystore" -deststoretype JKS \
        -deststorepass storepwd \
        -destkeypass keypwd ; \
rm "$tmpcert"

That's all you need to import to provide SSL functionality

Because of JKS there is the

Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using ...

But it is the only possibility to set a different keypass like keypwd for key and storepwd for keystore.
For pkcs12 storetype this distinction is impossible (at least with keytool, there is an error on execution).

For the rest (like config modifications for own passwords, and generating own passwords) the documentation at https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html is ok.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜