Shibboleth - Jetty SSL Cert Renewal

SSL Cert Renewal:

  • Download the up-to-date cert from ie.
  • Download the cert in Apache format as a zip
  • Move the zip to the server
  • On the server, extract the zip and place the files in a separate folder as x/cert.crt and x/ca_bundle.crt
  • Look for x.key on the server. That is the private key the cert was originally requested with, so the renewed cert must match it.
  • Look up the P12/keystore password (keyStorePassword) in /opt/shibboleth-idp/jetty-base/start.d/ssl.ini
  • This takes cert.crt, x.key and ca_bundle.crt and generates x.p12: openssl pkcs12 -export -in cert.crt -inkey x.key -out x.p12 -name x -passout pass:PASSWORDX -CAfile ca_bundle.crt -caname sub1 -caname root -chain
  • Copy the production keystore from /opt/shibboleth-idp/jetty-base/etc/x.keystore to your …x/
  • Run this command: keytool -importkeystore -deststorepass PASSWORDX -destkeypass PASSWORDX -destkeystore x.keystore -srckeystore x.p12 -srcstoretype PKCS12 -srcstorepass PASSWORDX -alias x
  • When keytool reports that the alias already exists, confirm overwriting the cert which is there
  • Back up the original files (.keystore and .p12) from production /opt/shibboleth-idp/jetty-base/etc/ after taking a fresh snapshot
  • Copy the files you generated over the production ones
  • Restart Shibboleth, which also restarts Jetty: systemctl restart shibboleth-idp
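Before the generated x.p12/x.keystore are copied over production, it is worth confirming that the renewed cert.crt really belongs to x.key, chains to ca_bundle.crt and is not about to expire, because a keystore built from a mismatched pair only fails once Jetty is restarted. The check below is an added example, not part of the original notes; it assumes only openssl is installed and uses the file names from the steps above.

```shell
#!/bin/sh
# Pre-flight check before the renewed x.p12/x.keystore is copied over production.
# Added example, not part of the original notes. Uses only openssl(1).
# Paths follow the steps above: cert.crt (new cert), x.key (existing private
# key), ca_bundle.crt (intermediate + root chain from the CA).

# SHA-256 of the DER-encoded public key: works for RSA and EC keys alike,
# whereas comparing the RSA modulus only covers RSA.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# check_renewal CERT KEY CA_BUNDLE [MIN_DAYS]
# Returns 0 only if all three checks pass; prints each failure to stderr.
check_renewal() {
    cert=$1; key=$2; bundle=$3; min_days=${4:-30}
    status=0

    # 1. The new cert must carry the same public key as the existing x.key,
    #    otherwise the PKCS12 export produces a keystore Jetty cannot use.
    cf=$(cert_pubkey_fp "$cert"); kf=$(key_pubkey_fp "$key")
    if [ -z "$cf" ] || [ "$cf" != "$kf" ]; then
        echo "FAIL: $cert does not match private key $key" >&2; status=1
    fi

    # 2. The cert must chain to the CA bundle we are about to package with it.
    if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $bundle" >&2; status=1
    fi

    # 3. The cert must stay valid for at least MIN_DAYS (default 30) more days;
    #    -checkend takes seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days" >&2; status=1
    fi

    [ "$status" -eq 0 ] && echo "OK: $cert matches $key, chains to $bundle, valid > $min_days days"
    return "$status"
}

# Example invocation with the file names from the renewal steps above:
# check_renewal x/cert.crt x/x.key x/ca_bundle.crt 30 || exit 1
```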

SSL Cert Generating: Prepare (password-less) private key:

openssl genrsa -des3 -passout pass:1 -out domain.pass.key 2048
openssl rsa -passin pass:1 -in domain.pass.key -out domain.key
rm domain.pass.key

Prepare the certificate signing request (CSR). We’ll generate it using our key; enter the relevant information when asked. Note the use of -sha256: without it, modern browsers will generate a warning.

openssl req -key domain.key -sha256 -new -out domain.csr

Prepare certificate. Pick a or b:

  • a) Sign it yourself
    openssl x509 -req -days 3650 -in domain.csr -signkey domain.key -out domain.crt
  • b) Send it to an authority

Your SSL provider will supply you with your certificate and their intermediate certificates in PEM format.

  • Pick a or b, add the trust chain and package it in PKCS12 format. The first command sets a keystore password for convenience (otherwise you’ll need to enter the password a dozen times). Set a different password for safety.
    export PASS=x
  • a) Self-signed certificate (no need for intermediate certificates)
    openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name domain -passout pass:$PASS
    keytool -importkeystore -deststorepass $PASS -destkeypass $PASS -destkeystore domain.keystore -srckeystore domain.p12 -srcstoretype PKCS12 -srcstorepass $PASS -alias domain
  • b) Need to include intermediate certificates

Download the intermediate certificates and concatenate them into one file. The order should be sub to root.

cat ca.pem > ca_chain.pem

Use a -caname parameter for each intermediate certificate in the chain file, in the order they were put into the chain file.

openssl pkcs12 -export -in domain.crt -inkey domain.key -out domain.p12 -name domain -passout pass:$PASS -CAfile ca_chain.pem -caname sub1 -caname root -chain
keytool -importkeystore -deststorepass $PASS -destkeypass $PASS -destkeystore domain.keystore -srckeystore domain.p12 -srcstoretype PKCS12 -srcstorepass $PASS -alias domain

Important note: although keytool -list will only list one entry and not the intermediate certificates, it will work perfectly.

Configure Jetty

Move the domain.keystore file to JETTY_HOME/etc/, then pick a or b:

  • a) You’re using new start.ini style configuration (Jetty 8+):
  • b) You’re using old-style configuration with .xml files (you should upgrade to the new style!): Edit the JETTY_HOME/etc/jetty-ssl.xml file and change the part below. Replace the password parts to match your password. We don’t define KeyManagerPassword because our key has no password.
/etc/keystore x /etc/keystore x ...


Edit start.ini file to include jetty-ssl.xml file. (Re)start jetty.

Note that this keystore file can also be used with other containers like Tomcat.