Configuring SSL

It is highly recommended to install a new SSL certificate that is under your control rather than use the certificate that came with the software.

Create Keystore

Create keystore with self-signed certificate

A quick and easy setup is to create a keystore with a self-signed certificate. This is not ideal, though: the certificate was not issued by a certificate authority, so the browser will issue a warning.

keytool -keystore keystore -alias bastillion-ec2 -genkey -keyalg RSA -sigalg SHA256withRSA

Import certificate into keystore

Otherwise, if you have an existing certificate and key pair, or one issued by a certificate authority, you can create a keystore and import them as follows.

Depending on the existing key format, you may need to export it as PKCS12 first

openssl pkcs12 -export -inkey bastillion-ec2.key -in bastillion-ec2.crt -out bastillion-ec2.pkcs12

Create a new keystore and import the certificate and key

keytool -importkeystore -srckeystore bastillion-ec2.pkcs12 -srcstoretype PKCS12 -destkeystore keystore


Configure Keystore with Jetty

Copy the new keystore to Jetty's etc directory

cp keystore Bastillion-EC2-jetty/jetty/etc/

Set obfuscated keystore password

To obtain the obfuscated password for the keystore (OBF), you will need to run the following utility

java -cp Bastillion-EC2-jetty/jetty/lib/jetty-util-X.X.X.vXXX.jar org.eclipse.jetty.util.security.Password <keystore password>

From the output, take the OBF value and use it to replace the default values in jetty/etc/jetty-ssl-context.xml. Change the following OBF values:

KeyStorePassword=<OBF Value>
KeyManagerPassword=<OBF Value>
TrustStorePassword=<OBF Value>

Last, edit the OBF values in jetty/modules/ssl.mod for

jetty.sslContext.keyStorePassword=<OBF Value>
jetty.sslContext.keyManagerPassword=<OBF Value>
jetty.sslContext.trustStorePassword=<OBF Value>

Restart Jetty and verify the new SSL Certificate is active.
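
The following shell helpers are an added example, not part of the Bastillion documentation: they check that the private key belongs to the certificate before the PKCS12 export, that the PKCS12 bundle holds that certificate, and that the restarted Jetty serves it. The function names, the P12_PASS environment variable, and the host and port passed to served_fp are assumptions; the file names follow the commands above.

```shell
#!/bin/sh
# Added example (not from the Bastillion docs).
# Function names and the P12_PASS variable are assumptions.

# Hash of the public key embedded in a PEM certificate ($1).
cert_pubkey_hash() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Hash of the public key derived from a PEM private key ($1).
key_pubkey_hash() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if the private key ($1) belongs to the certificate ($2).
# Run before "openssl pkcs12 -export" to catch a mismatched pair early.
key_matches_cert() {
    k=$(key_pubkey_hash "$1") || return 2
    c=$(cert_pubkey_hash "$2") || return 2
    [ "$k" = "$c" ]
}

# SHA-256 fingerprint of a PEM certificate file ($1).
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate inside a PKCS12 bundle ($1).
# The password is read from P12_PASS so it stays out of the process list.
p12_fp() {
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin env:P12_PASS 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the leaf certificate presented by a running server
# ($1 = host, $2 = port; both are values for your own deployment).
served_fp() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# After restarting Jetty (HOST and PORT are placeholders):
#   [ "$(served_fp HOST PORT)" = "$(cert_fp bastillion-ec2.crt)" ] \
#       && echo "new certificate is active"
```

If served_fp still returns the old fingerprint after the restart, Jetty is reading a different keystore file or alias than the one you imported.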


More Information:

http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html