All Products
Search

This Product

    Certificate Management Service:Install SSL certificates on Jetty servers

    Document Center

    Certificate Management Service:Install SSL certificates on Jetty servers

    Last Updated:Feb 25, 2025

    You can install SSL certificates on Jetty servers to enable HTTPS-based access to web services that are deployed on the servers. This topic describes how to install an SSL certificate on a Jetty server.

    Important

    In this topic, a Jetty server that runs a Linux operating system and is deployed based on jetty-distribution-9.4.51.v20230217 is used as an example to illustrate the installation. Installation operations vary based on the versions of servers and operating systems. If you have questions, contact your account manager.

    Prerequisites

    • A certificate is issued by using the Certificate Management Service console. For more information, see Purchase SSL certificates and Apply for a certificate.

    • Domain Name System (DNS) resolution is complete on the domain name that is bound to the certificate. The domain name is correctly resolved to an IP address. You can use the DNS verification tool to check whether the DNS record of the domain name takes effect. To use the tool, log on to the Certificate Management Service console, and choose Common Certificate Tools > Verify DNS Settings in the left-side navigation pane. For more information, see Verify the DNS record of your domain name.

    • Port 443 is enabled on your web server. Port 443 is the standard port used for HTTPS communication.

      • If you use an Alibaba Cloud Elastic Compute Service (ECS) instance, make sure that an inbound security group rule is configured to allow TCP access on port 443. For more information, see Add a security group rule.

      • If you use a third-party cloud server or an on-premises server, make sure that port 443 is enabled for a firewall or security group to allow TCP access.

    • If you want to deploy the website on which your certificate is installed to a server located in the Chinese mainland, you must complete an Internet Content Provider (ICP) filing for the domain name bound to the certificate as required by the Ministry of Industry and Information Technology (MIIT). Otherwise, the website cannot be accessed as expected. For more information, see What is an ICP filing?

    Step 1: Download the certificate

    1. Log on to the Certificate Management Service console.

    2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

    3. On the SSL Certificate Management page, find the certificate that you want to manage, click More in the Actions column. On the page that appears, click the Download tab.

    4. Find JKS in the Server Type column and click Download in the Actions column.

    5. Decompress the downloaded certificate package.

      The following table describes the files that you can extract from the package. The files vary based on the certificate signing request (CSR) generation method that you use when you submit the certificate application.in

      Value of the CSR Generation parameter

      File extracted from the certificate package

      Automatic

      • Certificate file in the JKS format: By default, the certificate file is named in the Certificate ID_Domain name bound to the certificate format.

      • Password file in the TXT format: By default, the password file is named in the Certificate format-password format.

        Important

        A new password file is generated each time you download a certificate. The password is valid only for the downloaded certificate.

      Manual

      • If you specify a CSR that is created in the Certificate Management Service console, the certificate file that is extracted from the downloaded certificate package is the same as the certificate file that is obtained in scenarios when you set the CSR Generation parameter to Automatic.

      • If you specify a CSR that is not created in the Certificate Management Service console, only the PEM certificate file can be extracted from the downloaded certificate package. The password file or private key file cannot be extracted. You can use the certificate toolkit to convert your certificate file, password file, or private key file to the required format. For more information about how to convert certificate formats, see Convert the format of a certificate.

    Step 2: Install the certificate on the Jetty server

    1. Create a cert directory in the installation directory of Jetty to store the certificate.

      1. Run the following command to go to the Jetty installation directory: 

        cd /usr/local/jetty # Specify a value based on the actual installation directory of Jetty.

      2. Run the following command to create the cert directory: 

        mkdir cert # Create a directory named cert.

    2. Upload the certificate file to the cert directory.

      Note

      You can upload the file by using the file upload feature of a remote logon tool, such as PuTTY, Xshell, and WinSCP. For more information about how to upload a file to an Alibaba Cloud Elastic Compute Service (ECS) instance, see Use Remote Desktop Connection or Windows App to transfer files to a Windows instance or Upload a file to a Linux instance.

    3. Open the jetty-ssl.xml and jetty-ssl-context.xml configuration files of Jetty to modify certificate-related settings.

      1. Run the following command to open the jetty-ssl-context.xml configuration file: 

        vim /usr/local/jetty/etc/jetty-ssl-context.xml

      2. In the jetty-ssl-context.xml configuration file, find the following parameters and modify the settings based on the comments.

        Note

        In earlier versions of Jetty, certificate-related parameters may be stored in the jetty-ssl.xml configuration file.

        image.png

        <!-- The configuration of the certificate file. Replace cert/domain_name.jks with the actual path to your certificate file. -->
<Set name="KeyStorePath">
    <Property name="jetty.sslContext.keyStoreAbsolutePath">
      <Default>
        <Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="cert/domain_name.jks"/>
      </Default>
    </Property>
  </Set>
  
  <!-- The configuration of the certificate password. Set the default parameter to the password that is included in your jks-password.txt file. -->
  <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" deprecated="jetty.keystore.password" default="zf****c4"/></Set>
  
  <!-- The configuration of the certificate keystore type. Set the default parameter to the type of the certificate keystore that is used. If the certificate is in the JKS format, set the default parameter to JKS. -->
  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  
  <!-- Set the default parameter to the password that is included in your jks-password.txt file. -->
  <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" deprecated="jetty.keymanager.password" default="zf****c4"/></Set>
  
  <!-- Replace cert/domain_name.jks with the actual path to your certificate file. -->
  <Set name="TrustStorePath">
    <Property name="jetty.sslContext.trustStoreAbsolutePath">
      <Default>
        <Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="cert/domain_name.jks"/>
      </Default>
    </Property>
  </Set>
  <!-- Optional. Specify Transport Layer Security (TLS) protocol-supported cipher suites. You can determine whether to specify the cipher suites based on your business requirements. -->
  <Set name="ExcludeCipherSuites">
    <Array type="String">
      <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
      <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
      <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
      <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
    </Array>
  </Set>

      3. In the jetty-ssl.xml configuration file, find the following parameters and change the port used by the HTTPS service to 443.

        Note

        In earlier versions of Jetty, the settings of the HTTPS service port may be stored in the jetty-https.xml file. 

         <Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="443" /></Set>

    4. Open the start.ini file in the Jetty installation directory and append the following content to the file: 

      etc/jetty-ssl.xml
etc/jetty-ssl-context.xml
etc/jetty-https.xml

    5. In the Jetty installation directory, run the following command to restart the Jetty service: 

      ./bin/jetty.sh restart

    Step 3: Check whether the certificate is installed

    After you install a certificate, you can access the domain name that is bound to the certificate to verify whether the certificate is installed. 

    https://yourdomain   # Replace yourdomain with the domain name that is bound to your certificate.

    If a lock icon appears in the address bar, the certificate is installed.

    image.png

    Note

    If Error 404 is reported, no web applications are deployed on the Jetty server. The error does not indicate that the Jetty server is not started.

    References