The following instructions will guide you through the SSL installation process on Jetty Java HTTP Servlet Web Server. If you have more than one server or device, you will need to install the certificate on each server or device you need to secure. If you still have not generated your certificate and completed the validation process, reference our CSR Generation Instructions and disregard the steps below.

What You’ll Need

1. Your server certificate

This is the certificate you received from the CA for your domain. You may have been sent this via email. If not, you can download it by visiting your Account Dashboard and clicking on your order.

2. Your intermediate certificates

These files allow the devices connecting to your server to identify the issuing CA. There may be more than one of these certificates. If you got your certificate in a ZIP folder, it should also contain the Intermediate certificate(s), which is sometimes referred to as a CA Bundle. If not, download the appropriate CA Bundle for your certificate.

3. Your private key

This file should be on your server, or in your possession if you generated your CSR from a free generator tool. On certain platforms, such as Microsoft IIS, the private key is not immediately visible to you but the server is keeping track of it.

Installation Instructions

1. Convert your certificate files

You can easily convert your PEM (.cer or .crt) to PKCS#7 (.p7b) Format using our free SSL Converter tool.

1. Select PEM as your Current type.
2. Select P7B as your Change for.
3. Upload Your Server Certificate.
4. Upload Root CA Certificate. Note: This file is usually pre-installed on your server or device. You can always install it again to ensure the correct certificate chain is built.
5. Upload Your Intermediate Certificates. Note: If you have two intermediate files, upload the second intermediate file as the Root CA Certificate. This will allow you to still build the correct certificate chain since the Root should be pre-installed on your server or device.
6. Click Convert and Save on your server or device.

2. Import the certificate

Once your certificate is in PKCS#7 (.p7b) Format, you’ll need to add the certificate file to your keystore by running the following command:

keytool -import -alias [enter_alias_name]  -trustcacerts -file
[enter_certificate_filename].p7b -keystore  [enter_keystore_name]

Note 1: Enter the same alias name and keystore name that was used when generating the private key and Certificate Signing Request (CSR).

Note 2: If you receive Error Message: “java.lang.Exception: Input not an X.509 certificate”, double-check the alias/keystore name entered and the format of the certificate. You may still be using the PEM (.cer or .crt) format and not the correct PKCS#7 (.p7b) format.

Congratulations! You’ve successfully installed your SSL certificate! To check your work, visit the website in your browser at https://yourdomain.tld and view the certificate/site information to see if HTTPS/SSL is working properly. Remember, you may need to restart your server for changes to take effect.

To check your server’s configurations more thoroughly, use our SSL Checker Tool or contact our Customer Experience Department for additional assistance.

How to Fix “certificatessxception: Input not an X.509 certificate” Error

If you receive the error message “certificatessxception: Input not an X.509 certificate”, please follow these alternative Installation Instructions below:

1. Import the intermediate certificate

Using the PEM (.cer or .crt) formatted certificate, import the Intermediate Certificate into your keystore by running the following command:

keytool -import -alias intermediate  -trustcacerts -file
 intermediate_file_name -keystore [enter_keystore_name]

2. Import the server certificate

Using the PEM (.cer or .crt) formatted certificate, import Your Server Certificate into your keystore by running the following command:

keytool  -import -alias [enter_alias_name] -trustcacerts -file
 server_certificate_file_name  -keystore [enter_keystore_name]

3. Verify the keystore contents

Verify the Contents of the keystore by running the following command:

keytool -list -v -keystore  your_keystore_filename  >output_filename.txt

4. Enter your password

Enter your keystore password.

5. View the Output File

View the Output File.Note: Your Server Certificate will be imported into the alias by the “Entry Type” of the specified “PrivateKeyEntry”.

6. Edit the Jetty Connector

Edit the Jetty Connector to point to the keystore and password:

<Call name="addConnector">
  <Arg>
  <New class="org.mortbay.jetty.security.SslSocketConnector">
  <Set name="Port">8443</Set>
  <Set name="maxIdleTime">30000</Set>
  <Set name="keystore"><SystemProperty name="jetty.home"  default="." />/etc/keystore</Set>
  <Set name="password">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  <Set name="keyPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
  <Set name="truststore"><SystemProperty name="jetty.home"  default="." />/etc/keystore</Set>
  <Set name="trustPassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
  </New>
  </Arg>
  </Call>

Note 1: Reference Jetty Configuring Setting for a correct configuration. This Jetty Configuration documentation will also address how to set your SSL/HTTPS Ports and redirect HTTP to HTTPS.

Congratulations! You’ve successfully installed your SSL certificate! To check your work, visit the website in your browser at https://yourdomain.tld and view the certificate/site information to see if HTTPS/SSL is working properly. Remember, you may need to restart your server for changes to take effect.