Generate CSR and install SSL on Jetty Java HTTPS Servlet Web Server

Eclipse Jetty provides a Web server and javax.servlet container, plus support for HTTP/2, WebSocket, OSGi, JMX, JNDI, JAAS, and many other integrations. These components are open source and available for commercial use and distribution.

Eclipse Jetty is used in a wide variety of projects and products, both in development and production. Jetty can get easily embedded in devices, tools, frameworks, application servers, and clusters.

This guide will carry you through the following steps:

1. CSR generation on Jetty Java HTTPS Servlet Web Server
2. What all you need to install SSL on Jetty Java HTTPS Servlet Web Server
3. SSL installation on Jetty Java HTTPS Servlet Web Server

1. CSR generation on Jetty Java HTTPS Servlet Web Server:

If you want to generate a CSR for Jetty Java HTTP Servlet Web Server, you need to download JDK 1.4 or higher

1. Create a certificate keystore and private key with the following command:$JAVA_HOME\bin>keytool -genkey -alias youralias -keyalg RSA -keystore yourkeystore

   Note:Replace $JAVA_HOME with the directory of your Java Install (if Windows, change directory to \Program Files\Java\[javaversionhere]\bin).

2. Specify the password (must be remembered and it should have at least 6 characters long).
3. Fill the following information:
   • What is your first and last name?
     Must match the URL that you plan to secure exactly – is usually your fully-qualified domain name (e.g., devel.ssl247.co.uk or mail.devel.ssl247.co.uk).
     Remember the www. Is important – include it if you want to secure http://www.yoursite.com & exclude it if you want to secure http://yoursite.com.
   • What is the name of your organizational unit?
     The name of your department within the organization (this is often “IT,” “Web,” or is just left blank).
   • What is the name of your organization?
     The legal (officially registered) name of your organization/company include Inc., LLP., Pvt., Plc., Ltd., SARL., etc.
   • What is the name of your City or Locality?
     The city or town in which your organization is located.
   • What is the name of your State or Province?
     The state in which your organization is located.
   • What is the two-letter country code for this unit?
     Give the official list of ISO country codes for this field.
   • Is CN=www.mydomain.com, OU=IT, O=SSL247, L=London, ST=London, C=GB correct?
     If the information is correct, type “Yes”, otherwise “No”.
4. Enter key password for youralias (RETURN if same as keystore password)
5. Create the Certificate Signing Request file with the following command:
   $JAVA_HOME\bin>keytool -certreq -keyalg RSA -alias youralias -file certreq.csr -keystore yourkeystore
   Enter the keystore password
6. The certreq.txt file will get generated.

Forward this CSR to the CA for getting the certificate issued.

2. What all you need to install SSL on Jetty Java HTTPS Servlet Web Server

What all you need?

• A server certificate is provided by your CA in pkcs7 format.
• An intermediate certificate in CRT format. You may download the same from your CA’s website.
• A root certificate in CRT formal (optional).
• Your Keystore file, which was created during the process of CSR generation.

3. SSL installation on Jetty Java HTTPS Servlet Web Server

Steps:

1. Import the SSL into Keystore file using the following command:keytool -import -alias [enter_alias_name] -trustcacerts -file
   [enter_certificate_filename].p7b -keystore [enter_keystore_name]Note: Always use the same alias name and keystore name which you used while creating the CSR.If you receive an Error Message: “java.lang.Exception: Input not an X.509 certificate”, double-check the alias/keystore name entered and the format of the certificate. You may still be using the PEM (.cer or .crt) format and not the correct PKCS#7 (.p7b) format. You may get the CRT file directly from our support team.

   In that case, you may change file type specified in the command from .p7b to .crt.

   Example: keytool -import -alias [enter_alias_name] -trustcacerts -file
   [enter_certificate_filename].crt -keystore [enter_keystore_name].

2. If the server certificate is missing with an intermediate file, you may get a partial security error while browsing your website. To resolve this, you may add your intermediate certificate into keystore file using the following command:keytool -import -alias intermediate -trustcacerts –file intermediate_file_name -keystore [enter_keystore_name]
3. You may verify the content in keystore using the following command:keytool -list -v -keystore keystorename.keystore Running the above command will list out all the certificates installed in the particular keystore.
4. Now edit the Jetty Connector with the newly created keystore and password:
   <Call name=”addConnector”>
   <Arg>
   <New class=”org.mortbay.jetty.security.SslSocketConnector”>
   <Set name=”Port”>8443</Set>
   <Set name=”maxIdleTime”>30000</Set>
   <Set name=”keystore”><SystemProperty name=”jetty.home” default=”.” />/etc/keystore</Set>
   <Set name=”password”>OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
   <Set name=”keyPassword”>OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
   <Set name=”truststore”><SystemProperty name=”jetty.home” default=”.” />/etc/keystore</Set>
   <Set name=”trustPassword”>OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
   </New>
   </Arg>
   </Call>

Once the Connector is updated, restart the services. You have installed your SSL Certificate Successfully.

If you are unable to use these instructions for your server, Acmetek recommends that you contact either the vendor of your software or the organization that supports it.