How to import the custom SSL certificate inside jetty application?

Hello Team,

I have created a custom certificate signed by a global CA (GoDaddy). I need a suggestion on how exactly to import that certificate.

I have tried the following ways but failed (the webpage doesn’t open):

1st: Importing the cert (the cert contains the private key as well):

keytool -importcert  -file ../SSL_GoDaddy_Certs/main.crt -keystore mykeystore -alias jettycert -storepass 123456

The output is:

keytool -list -v -keystore mykeystore 
Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jettycert
Creation date: Feb 6, 2019
Entry type: trustedCertEntry

Owner: CN=transskills.com, O=Trans Skills Employment Services L.L.C L.L.C., L=Abu Dhabi, C=AE
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: ba903f00ef1016b2
Valid from: Wed Jan 30 18:31:01 GST 2019 until: Thu Jan 30 18:31:01 GST 2020
Certificate fingerprints:
	 MD5:  BF:C3:2B:84:B9:C8:3B:52:87:77:C3:89:7F:03:9F:7C
	 SHA1: 31:7B:8E:84:5C:B0:CA:8A:71:D1:61:96:4C:90:61:07:2E:E5:BE:89
	 SHA256: C1:E5:55:4F:FE:97:F8:6B:AC:75:E6:98:FA:6D:6C:01:DE:18:F9:B4:02:D8:85:19:CD:9C:E5:AD:E9:DC:D8:85
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
0000: 04 81 F2 00 F0 00 77 00   A4 B9 09 90 B4 18 58 14  ......w.......X.
0010: 87 BB 13 A2 CC 67 70 0A   3C 35 98 04 F9 1B DF B8  .....gp.<5......
0020: E3 77 CD 0E C8 0D DC 10   00 00 01 68 9F 2B 9D C0  .w.........h.+..
0030: 00 00 04 03 00 48 30 46   02 21 00 C9 34 18 16 58  .....H0F.!..4..X
0040: 1F EC FF DD 6B 55 F8 94   AB A6 01 B1 F9 0D 1C C3  ....kU..........
0050: 4B E4 B7 1F B9 3F 8D F7   9E BB 85 02 21 00 C2 2E  K....?......!...
0060: 72 22 8B 51 53 A1 CE 47   CB F3 EE BE 5A 8B 20 29  r".QS..G....Z. )
0070: 13 25 D5 86 DA FF 87 91   6C 7B 64 4A 6E 67 00 75  .%......l.dJng.u
0080: 00 5E A7 73 F9 DF 56 C0   E7 B5 36 48 7D D0 49 E0  .^.s..V...6H..I.
0090: 32 7A 91 9A 0C 84 A1 12   12 84 18 75 96 81 71 45  2z.........u..qE
00A0: 58 00 00 01 68 9F 2B 9F   AC 00 00 04 03 00 46 30  X...h.+.......F0
00B0: 44 02 20 77 AD 85 FD A3   3A 8D 02 66 C9 70 FC 50  D. w....:..f.p.P
00C0: 3E 03 52 2B 79 49 A7 4A   41 D5 E8 86 AF 73 81 AD  >.R+yI.JA....s..
00D0: 38 3A DE 02 20 69 92 44   5D 28 6A E3 A8 38 2A 5E  8:.. i.D](j..8*^
00E0: FD 79 9C 05 80 B2 7E D1   FB 7F 14 6B 8C B6 B5 76  .y.........k...v
00F0: 55 4F 81 00 8F                                     UO...


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdig2s2-13.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114413.1.7.23.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113741.1.2.3
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: transskills.com
  DNSName: www.transskills.com
]

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FB 93 52 9F 74 A3 4E F5   D5 2E 45 98 BE 34 3B 65  ..R.t.N...E..4;e
0010: 39 E2 AE F1                                        9...
]
]



*******************************************
*******************************************

2nd: Imported both the CA and the cert into the keystore:

keytool -import -keystore keystore -file CA.crt  -alias CARoot
keytool -import -keystore keystore -file clientcert.crt -alias jetty

3rd:
I created a self-signed certificate that worked fine as following:

tghonamy@tghonamyubuntu18041:~/docker$ keytool -keystore keystore.jks -alias jetty -genkey -keyalg RSA
Enter keystore password:  
What is your first and last name?
  [Unknown]:  tarek ghonamy
What is the name of your organizational unit?
  [Unknown]:  app
What is the name of your organization?
  [Unknown]:  myorg
What is the name of your City or Locality?
  [Unknown]:  Dubai
What is the name of your State or Province?
  [Unknown]:  Dubai
What is the two-letter country code for this unit?
  [Unknown]:  AE
Is CN=tarek ghonamy, OU=app, O=myorg, L=Dubai, ST=Dubai, C=AE correct?
  [no]:  yes

Enter key password for <jetty>
	(RETURN if same as keystore password):  

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".
tghonamy@tghonamyubuntu18041:~/docker$ keytool -list -v -keystore keystore.jks 
Enter keystore password:  
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: jetty
Creation date: Feb 6, 2019
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=tarek ghonamy, OU=app, O=myorg, L=Dubai, ST=Dubai, C=AE
Issuer: CN=tarek ghonamy, OU=app, O=myorg, L=Dubai, ST=Dubai, C=AE
Serial number: 4272955f
Valid from: Wed Feb 06 20:09:02 GST 2019 until: Tue May 07 20:09:02 GST 2019
Certificate fingerprints:
	 MD5:  B7:AC:9A:0A:1B:67:B5:27:70:54:01:3E:FB:91:7B:63
	 SHA1: B2:08:9A:9F:88:38:BB:63:1E:D0:2A:4D:C1:9D:38:A9:18:02:EA:36
	 SHA256: 41:E6:50:D4:D7:B2:FF:E4:B9:95:C3:3B:7A:97:23:9B:4C:24:D3:1D:04:D4:9F:6E:0C:B4:36:AA:2B:70:06:15
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 94 1B 5C 97 C8 E6 79 DB   B2 D2 22 EB B8 5D 86 9E  ..\...y..."..]..
0010: AD A9 78 D7                                        ..x.
]
]



*******************************************
*******************************************


Alias name: jettycert
Creation date: Feb 6, 2019
Entry type: trustedCertEntry

Owner: CN=transskills.com, O=Trans Skills Employment Services L.L.C L.L.C., L=Abu Dhabi, C=AE
Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
Serial number: ba903f00ef1016b2
Valid from: Wed Jan 30 18:31:01 GST 2019 until: Thu Jan 30 18:31:01 GST 2020
Certificate fingerprints:
	 MD5:  BF:C3:2B:84:B9:C8:3B:52:87:77:C3:89:7F:03:9F:7C
	 SHA1: 31:7B:8E:84:5C:B0:CA:8A:71:D1:61:96:4C:90:61:07:2E:E5:BE:89
	 SHA256: C1:E5:55:4F:FE:97:F8:6B:AC:75:E6:98:FA:6D:6C:01:DE:18:F9:B4:02:D8:85:19:CD:9C:E5:AD:E9:DC:D8:85
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
0000: 04 81 F2 00 F0 00 77 00   A4 B9 09 90 B4 18 58 14  ......w.......X.
0010: 87 BB 13 A2 CC 67 70 0A   3C 35 98 04 F9 1B DF B8  .....gp.<5......
0020: E3 77 CD 0E C8 0D DC 10   00 00 01 68 9F 2B 9D C0  .w.........h.+..
0030: 00 00 04 03 00 48 30 46   02 21 00 C9 34 18 16 58  .....H0F.!..4..X
0040: 1F EC FF DD 6B 55 F8 94   AB A6 01 B1 F9 0D 1C C3  ....kU..........
0050: 4B E4 B7 1F B9 3F 8D F7   9E BB 85 02 21 00 C2 2E  K....?......!...
0060: 72 22 8B 51 53 A1 CE 47   CB F3 EE BE 5A 8B 20 29  r".QS..G....Z. )
0070: 13 25 D5 86 DA FF 87 91   6C 7B 64 4A 6E 67 00 75  .%......l.dJng.u
0080: 00 5E A7 73 F9 DF 56 C0   E7 B5 36 48 7D D0 49 E0  .^.s..V...6H..I.
0090: 32 7A 91 9A 0C 84 A1 12   12 84 18 75 96 81 71 45  2z.........u..qE
00A0: 58 00 00 01 68 9F 2B 9F   AC 00 00 04 03 00 46 30  X...h.+.......F0
00B0: 44 02 20 77 AD 85 FD A3   3A 8D 02 66 C9 70 FC 50  D. w....:..f.p.P
00C0: 3E 03 52 2B 79 49 A7 4A   41 D5 E8 86 AF 73 81 AD  >.R+yI.JA....s..
00D0: 38 3A DE 02 20 69 92 44   5D 28 6A E3 A8 38 2A 5E  8:.. i.D](j..8*^
00E0: FD 79 9C 05 80 B2 7E D1   FB 7F 14 6B 8C B6 B5 76  .y.........k...v
00F0: 55 4F 81 00 8F                                     UO...


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
, 
   accessMethod: caIssuers
   accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.godaddy.com/gdig2s2-13.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.16.840.1.114413.1.7.23.2]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  .+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F           m/repository/

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
  2.16.840.1.113741.1.2.3
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: transskills.com
  DNSName: www.transskills.com
]

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FB 93 52 9F 74 A3 4E F5   D5 2E 45 98 BE 34 3B 65  ..R.t.N...E..4;e
0010: 39 E2 AE F1                                        9...
]
]



*******************************************
*******************************************



Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.jks -deststoretype pkcs12".

Please suggest the correct way to make the GoDaddy-signed certificate work on the UberJar Jetty application deployment.
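What the first two attempts are missing is the private key. `keytool -importcert` only ever stores a certificate, so the entry it creates is a trustedCertEntry (as the `keytool -list` output above shows for the alias jettycert); a .crt file from the CA never carries the key, and with no key in the entry Jetty has nothing to complete the TLS handshake with. The key that was generated with the CSR, the signed leaf certificate and the CA's intermediate chain have to end up together in one PrivateKeyEntry. The script below is an added example, not code from this thread, from CUBA or from Jetty, showing that procedure with OpenSSL and keytool. The file names server.key, main.crt and gd_bundle.crt, the alias jetty and the password are assumptions; so that it runs offline, it first builds a throwaway test CA and leaf to bundle, and the verify step confirms the bundle holds exactly one key and at least two certificates.

```shell
#!/bin/sh
# Added example (not from the thread, CUBA or Jetty): bundle the private key,
# the CA-signed leaf certificate and the issuer chain into ONE keystore entry.
# `keytool -importcert` of a .crt alone yields a trustedCertEntry, which holds
# no key and therefore cannot terminate TLS; Jetty needs a PrivateKeyEntry.
#
# Assumed file names (placeholders, not from the thread):
#   server.key     private key generated together with the CSR (PEM)
#   main.crt       the CA-signed leaf certificate (PEM)
#   gd_bundle.crt  the CA's intermediate chain (PEM)
# make_demo_material creates throwaway versions of these under a local test CA
# so the script runs offline; in real use, skip it and point at the real files.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="${STOREPASS:-changeit}"   # constructed demo password; use your own

# Throwaway test CA + leaf so the procedure can be exercised offline.
make_demo_material() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo Test CA" -keyout "$dir/ca.key" \
        -out "$dir/gd_bundle.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/server.csr" \
        -CA "$dir/gd_bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/main.crt" 2>/dev/null
}

# Step 1: key + leaf + chain -> PKCS12, under the alias Jetty will look up.
build_pkcs12() {
    key="$1"; cert="$2"; chain="$3"; out="$4"; alias="$5"
    openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name "$alias" -out "$out" -passout "pass:$STOREPASS"
}

# Step 2: check the bundle has exactly one private key and leaf + issuer
# (at least two certificates). Returns non-zero when something is missing,
# which is the state a bare -importcert leaves you in.
verify_pkcs12() {
    p12="$1"
    dump=$(openssl pkcs12 -in "$p12" -passin "pass:$STOREPASS" -nodes 2>/dev/null)
    keys=$(printf '%s\n' "$dump" | grep -c 'BEGIN.*PRIVATE KEY' || true)
    certs=$(printf '%s\n' "$dump" | grep -c 'BEGIN CERTIFICATE' || true)
    echo "private keys: $keys, certificates: $certs"
    [ "$keys" -eq 1 ] && [ "$certs" -ge 2 ]
}

# Step 3: convert to JKS for the uberjar -keystore option, keeping the alias.
# keytool ships with the JDK; when it is absent, keep the PKCS12 file
# (the JKS loader in Java 9 and later detects PKCS12 files automatically).
convert_to_jks() {
    p12="$1"; jks="$2"
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; keeping $p12" >&2
        return 0
    fi
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$STOREPASS" \
        -destkeystore "$jks" -deststoretype JKS -deststorepass "$STOREPASS"
    # The entry must now be listed as PrivateKeyEntry, not trustedCertEntry.
    keytool -list -keystore "$jks" -storepass "$STOREPASS" | grep PrivateKeyEntry
}

demo() {
    make_demo_material "$WORK"
    build_pkcs12 "$WORK/server.key" "$WORK/main.crt" "$WORK/gd_bundle.crt" \
        "$WORK/keystore.p12" jetty
    verify_pkcs12 "$WORK/keystore.p12"
    convert_to_jks "$WORK/keystore.p12" "$WORK/keystore.jks"
}

demo
```

With the real files, drop the make_demo_material call and pass server.key, main.crt and the GoDaddy chain file to build_pkcs12; the resulting keystore.jks is what the uberjar's keystore option points at, with the same alias and password. If the CSR sent to the CA was instead generated with `keytool -certreq` from an existing keystore (the 3rd attempt's keystore is that shape), the equivalent route is to `-importcert` the CA chain first and then main.crt under the same alias as that private key: keytool then replaces the self-signed certificate with the signed chain, and `keytool -list` shows the entry as PrivateKeyEntry with a chain length greater than 1. In both routes the leaf's Subject Alternative Name has to match the host the browser connects to, which the GoDaddy certificate above satisfies for transskills.com and www.transskills.com.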

Have you tried to follow the documentation:

https://doc.cuba-platform.com/manual-6.10/uberjar_https.html

It worked for me.

Hi Torben,

Yes, I tried it in my 3rd trial; it worked for me as well, but it creates a self-signed certificate that will always show a warning in any browser. My problem is how to import a certificate signed by a CA (in my case GoDaddy) into the UberJar Jetty application server.

Hope anyone can assist with this.

I used “KeyStore Explorer” to create the keystore.jks for the UberJar deployment. This tool can also verify that your certificate is actually valid.

If you end up with a self-signed certificate, then I assume it must be the procedure for creating the keystore.jks file which is not correct - Jetty and UberJar have nothing to do with the error.