Try following the FAQ, starting at step 3, and see if that works for you...
----- Original Message -----
From: "Mark Campbell" <mark@...>
Sent: Wednesday, June 23, 2004 12:39 AM
Subject: [Jetty-support] Importing a signed passwordless SSL Crt
> > Ummm, three questions:
> > 1) Why are you avoiding passwords?
> I'm not avoiding passwords, I just happen to have a certificate for the host
> which has a password-less key. A perk is that I don't have to enter in the
> password to start my Apache webserver, but this is not the point, all our
> certs have passwordless keys, the data we transmit simply needs to be
> encrypted not ultra secure.
> > 2) Why are you going via PKCS12? Jetty can use the same keystore as Apache
> > (yes, maybe even the same physical file!).
> I was just following the doc tbh. My Apache doesn't use a key store, I simply
> have two lines in my apache.conf file:
> SSLCertificateFile /usr/local/apache2/conf/ssl.crt/monitor.crt
> SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/monitor.key
> > 3) Is Jetty serving SSL directly?
> > The password is an attribute of the keystore, _not_ of the certificate
> > itself.
> Yep, that's cool.. I don't mind putting a password on my keystore, that's not
> the problem.
> > Certificates do not have passwords.
> > However, all its contents are encrypted - and the keystore password is used
> > decrypt the contents to 'open' the keystore. Inside could be many
> > public/private key pairs, with their associated public certificates. The
> > private keys _should_ be protected, and are individually encrypted using
> > own, individual passwords. If there are two or more private keys in a store,
> > they _must_ have distinct passwords.
> I'm just looking for a keystore with the above two files and some way to get
> jetty to extract them and transmit the data encrypted, and from my bosses POV
> get rid of the invalid cert messages.
> > I've never myself tried having an empty password - it just seems so wrong
> > to protect your private key - and there may well be code in Jetty/Java which
> > _requires_ the password to be non-empty/non-null.
> my private key is protected by the file system (being read only) and I assume
> you can configure Jetty not to serve .crt files like I have my Apache setup to
> > My recommendation would be to use the keytool to set keystore passwords for
> > your original keystore and the specific key/certificate (which could be the
> > password), and then just configure Jetty to use that keystore (see the Jetty
> > FAQ for details). No need to export and import.
> tbh I don't get what you mean here.
> My situation really is this, I have one .key file, one .crt file and all I
> want is Jetty to use the key and the cert to sign the pages..
> > If there is some reason why you _cannot_ then configure Apache to use that
> > same password-protected keystore, then I suppose you could just take a
> > of the keystore (just a normal file copy operation - no messing about with
> > exports and imports) and remove the passwords from that copy.
> I can keep them totally separate, in fact I plan to, in this project jetty is
> completely separate to Apache, the only reason I have Apache at all is to
> redirect requests to port 80 or 443 (I know a task which can be accomplished
> about ten other ways) and to test that my cert is valid, which it is.
> > Note that, as far as Jetty configuration is concerned, the keystore is just
> > another file. It can be called anything and placed anywhere - just so long
> > Jetty's SSLListener is configured to find it and to be able to open it and
> > identify the required private key by using the two (possibly identical)
> > passwords.
> > HOWEVER The above instructions are to get Jetty serving SSL directly, from
> > own port.
> So how can I just add the .crt and the .key to the store and config jetty to
> get them out correctly?
> > I myself know nothing about mod_ssl, so I don't know how the above would
> > change you are fronting Jetty with Apache with a mod_ssl link, or how / why
> > even if!) the Jetty certificate is used in this situation.
> As mentioned above, the problems I'm having have nothing to do with Apache, I
> would be having the same issues if Apache was not even installed on the machine.
> Thanks in advance of any help on this issue, I'm out of my waters with the use
> of keystore merging these two files, and the XML config explaining how to get
> them out.
> Mark Campbell <mark_campbell@...>
> "Trying is the first step towards Failure"- Homer J. Simpson
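The step the thread keeps circling around is getting the two Apache-style PEM files (an unencrypted .key and a .crt) into a single password-protected keystore that Jetty can open. Below is an added example of that conversion using openssl; it is not from the original post, the FAQ, or the Jetty project. It generates a throwaway self-signed key/certificate pair as constructed input (in practice you would point it at the existing monitor.key and monitor.crt), wraps them into a PKCS12 store under one password, and then checks that the store opens with the right password and refuses a wrong one. The password value and the alias "jetty" are assumptions; Jetty is given them in its own configuration. Note the caveat the quoted reply raises: with PKCS12 as Java reads it, the keystore password and the key password are one and the same, so a store password of any kind means the private key is no longer sitting unencrypted on disk.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Jetty.
set -eu

WORK="${TMPDIR:-/tmp}/jetty-keystore-demo.$$"
KEYSTORE_PASS="changeit"   # assumption: any non-empty password; Jetty is configured with it

# Constructed input: a self-signed pair standing in for monitor.key / monitor.crt.
# -nodes writes the private key unencrypted, i.e. a "passwordless" key like the poster's.
make_test_pair() {
  mkdir -p "$WORK" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=monitor.example" \
    -keyout "$WORK/monitor.key" -out "$WORK/monitor.crt" >/dev/null 2>&1
}

# pem_to_pkcs12 KEYFILE CRTFILE OUTFILE
# Bundles the key and its certificate into one PKCS12 store under a single
# password; in PKCS12 the store password protects the key as well, so a
# previously unencrypted key is now encrypted at rest.
pem_to_pkcs12() {
  openssl pkcs12 -export \
    -inkey "$1" -in "$2" \
    -name jetty \
    -passout "pass:$KEYSTORE_PASS" \
    -out "$3"
}

# Succeeds only if the store opens with the password and holds exactly one private key.
verify_pkcs12() {
  n=$(openssl pkcs12 -in "$1" -passin "pass:$KEYSTORE_PASS" -nocerts -nodes 2>/dev/null \
      | grep -c 'BEGIN .*PRIVATE KEY' || true)
  [ "$n" -eq 1 ]
}

# A wrong password must fail the MAC check: the contents really are protected.
reject_wrong_password() {
  ! openssl pkcs12 -in "$1" -passin "pass:wrong" -nocerts -nodes >/dev/null 2>&1
}

# Optional, only if an old Jetty insists on JKS rather than PKCS12 (keytool from the JDK, not run here):
#   keytool -importkeystore -srckeystore jetty.p12 -srcstoretype PKCS12 -destkeystore jetty.jks

demo() {
  make_test_pair &&
  pem_to_pkcs12 "$WORK/monitor.key" "$WORK/monitor.crt" "$WORK/jetty.p12" &&
  verify_pkcs12 "$WORK/jetty.p12" &&
  reject_wrong_password "$WORK/jetty.p12"
}
```

Run `demo` to produce `$WORK/jetty.p12`; Jetty's SSL listener is then pointed at that file with the same password for the store and the key. The file permissions argument in the thread still applies on top of this: the store password is a second layer, not a replacement for keeping the file unreadable to other users.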