DevOps Zone is brought to you in partnership with:

Christian is a dedicated Open Source developer and Entrepreneur. Currently he works a lot for the Apache Software Foundation. Besides he loves efficient working and regularly shares his thoughts on his blog, mostly tagged with "Zen Programming". Christian is a DZone MVB and is not an employee of DZone and has posted 13 posts at DZone. You can read more from them at their website. View Full User Profile

Installing Comodo PositiveSSL on Jetty

  • submit to reddit

I usually buy Comodo Certificates from It was always a pain to get it running because the information found on Comodos website are extremely outdated. So painful it is, their certificates are pretty cheap. That said this is probably the last time I’ll use them because it took me way too much time. If you are in pain too, here is some help.

First, if you are looking for UTNAddTrustServerCA.crt which is described here, I have some news for you. Almost hidden, I found the new necessary hierarchy. It shows clearly that this file is not longer necessary, even when stated on Comodos websites. Once you know that, everything is much more easier.

Let’s start. Create a new certification request (CSR).

openssl req -new -nodes -keyout jetty.key -out jetty.csr -newkey rsa:4096
openssl req -new -x509 -key jetty.key -out

Order a new certificate from PSW and wait until you receive it. You need to authenticate the first time.

Download AddTrustExternalRoot and PositiveSSL CA2 from Comodos website. From PSW you’ll get another Zip-File with your certificate. Put them all into one directory and create a cert chain.

cat www_yourdomain_de.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cert-chain.txt

For jetty and Java keystore you’ll need to create a pcks12 file. It’s done like that:

openssl pkcs12 -export -inkey jetty.key -in cert-chain.txt -out jetty.pkcs12

Upload this magic to your server (using SSH of course) and import it to your keystore.

keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore mykeystore

Now that this is done, you just need to tell Jetty to use this keystore. I used this configuration in /etc/jetty.xml.

<Call name="addConnector">
   <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
         <Set name="keyStore">/path/to/mykeystore</Set>
         <Set name="keyStorePassword">OBF:encryptedpass</Set>
         <Set name="keyManagerPassword">OBF:encryptedpass</Set>
         <Set name="trustStorePassword">OBF:encryptedpass</Set>
   <Set name="port">8443</Set>
   <Set name="maxIdleTime">30000</Set>

On restart, your keystore should be used. Don’t forget to create Virtual Host names in your context.

That said, my pain with Comodo clearly has nothing to do with They are a reseller and so far I made great experiences with them. Check them out if you are in need of something SSL related. They work international to my knowledge.

Two more references: Jetty How-To SSL and Oracle Keytool.

Published at DZone with permission of Christian Grobmeier, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)