How to extract from an official customer .pfx archive the proper SSL certificates and import in Jetty/UberJar?

Hello everybody,

I need to install production signed customer certificates for HTTPS, packaged as a .pfx archive: our production deployment is based on UberJar and Jetty.

As long as we used self-signed certificates, as explained in the user guide (Configuring HTTPS for UberJAR - CUBA Platform. Developer’s Manual), everything went well.

Now we are having very serious problems enabling HTTPS (we cannot establish a secure connection). We are trying to populate the key store file (keystore.jks) with the certificates extracted from the archive (.crt, .key, .pem).

We’re using the latest version of the CUBA platform, 7.2.11, on CentOS 8 x86 64-bit.

Any suggestions?

Hi,
UberJar is based on Jetty.
So you have the whole knowledge base of Jetty SSL configuration on the internet available.

e.g.

https://www.digicert.com/kb/ssl-support/jks-import-export-java.htm

I’m guessing right now, but the most probable reason why HTTPS doesn’t work well for you is that you forgot to include intermediate certificates in the certificate chain you supply to Jetty.

see this link:
https://support.cloudbees.com/hc/en-us/articles/222829768-How-to-setup-HTTPS-within-Jetty-with-Intermediate-certificates-?page=52
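
Added example, not part of either post above and not taken from the CUBA or Jetty documentation: a shell sketch that converts the .pfx directly into the JKS keystore (key and chain stay together) and checks whether the archive carries the leaf certificate's issuer, which is the failure the answer suspects. The file names and the function names `pfx_to_jks`, `list_pfx_certs` and `check_chain` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Function names and file names are hypothetical.

# Import the PKCS#12 archive into a JKS keystore in one step, so the private
# key and every certificate stored with it land under the same alias.
# No passwords on the command line: keytool prompts for them.
pfx_to_jks() {   # usage: pfx_to_jks customer.pfx keystore.jks
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 \
        -destkeystore "$2" -deststoretype JKS
}

# Print the certificates in the archive (no private key). OpenSSL writes a
# "subject=" and an "issuer=" line ahead of each PEM block.
list_pfx_certs() {   # usage: list_pfx_certs customer.pfx
    openssl pkcs12 -in "$1" -nokeys
}

# Read that listing on stdin. The leaf is the certificate that signs no other
# certificate in the archive; its issuer must also be in the archive.
# Exit status: 0 chain present, 1 leaf's issuer missing, 2 no certificates.
check_chain() {
    awk '
        /^subject=/ { n++; subj[n] = substr($0, 9) }
        /^issuer=/  { iss[n] = substr($0, 8) }
        END {
            if (n == 0) { print "no certificates found"; exit 2 }
            for (i = 1; i <= n; i++) known[subj[i]] = 1
            for (i = 1; i <= n; i++)
                if (iss[i] != subj[i]) signs[iss[i]] = 1
            for (i = 1; i <= n; i++) {
                if (subj[i] in signs) continue   # CA for another cert here
                if (!(iss[i] in known)) {
                    print "leaf [" subj[i] "] lacks issuer [" iss[i] "]"
                    exit 1
                }
            }
            print n " certificate(s), leaf issuer present"
        }'
}

# Typical use:
#   list_pfx_certs customer.pfx | check_chain && pfx_to_jks customer.pfx keystore.jks
```

If `check_chain` reports a missing issuer, obtain the intermediate certificate(s) from the issuing CA and have the .pfx rebuilt with them before importing; the same listing from `keytool -list -v -keystore keystore.jks` should then show a certificate chain length greater than 1 for the key entry.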