Given certificates from a certificate authority, we are using the following script to create keystores for Jetty:

#! /bin/bash

if [ $# -ne 5 ]; then
   echo "Syntax: createKeystoreFromCertificates <key file> <certificate> <intermediate certificate> <keystore>"
   exit 1
CHAIN_FILE=$(mktemp tmpXXXXXX.chain)
PKCS_FILE=$(mktemp tmpXXXXXX.pkcs12)

openssl pkcs12 -export -inkey $KEY_FILE -in $CHAIN_FILE -out $PKCS_FILE -passout pass:A
echo "Type 'A' for the first password"

# The alias "mykey" works fine for jetty - probably also "jetty" does as it is used in the documentation, but we didn't try.
keytool -keystore $KEYSTORE_FILE -changealias -alias 1 -destalias mykey

  • Both certificates have to be in PEM format which is an ASCII format.
  • If the authorization authority is QuoVadis the intermediate certificate is probably the one which can be downloaded from here.
  • As of Jetty version 6.1.7, the PKCS12Import class is broken, so you need to use a current snapshot of 6.1 from
  • Since JDK 1.6 also keytool can be used instead of the PKCS12Import class. Syntax:

    keytool -importkeystore -srckeystore $PKCS_FILE -srcstoretype PKCS12 -destkeystore $KEYSTORE_FILE

    The first password you will be asked for is the keystore password (with verification) to create the keystore. For the second password request the password used by openssl (i.e. 'A') should be entered and the last password request type again the keystore password. The keystore password has to be the password found in jetty.xml (often 'changeit').

  • In order to check that the key in the keystore has a certificate chain of length 2 run the following command:

    keytool -v -keystore <keystore file> -list