Smart Tech for a better Web

Installing Comodo PositiveSSL on Jetty


I usually buy Comodo Certificates from It was always a pain to get it running because the information found on Comodos website are extremely outdated. So painful it is, their certificates are pretty cheap. That said this is probably the last time I'll use them because it took me way too much time. If you are in pain to, here is some help.

First, if you are looking for UTNAddTrustServerCA.crt which is described here, I have some news for you. Almost hidden, I found the new necessary hierarchy. It shows clearly that this file is not longer necessary, even when stated on Comodos websites. Once you know that, everything is much more easier.

Let's start. Create a new certification request (CSR).

openssl req -new -nodes -keyout jetty.key -out jetty.csr -newkey rsa:4096
openssl req -new -x509 -key jetty.key -out jetty.crt

Order a new certificate from PSW and wait until you receive it. You need to authenticate the first time.

Download AddTrustExternalRoot and PositiveSSL CA2 from Comodos website.(The URL is not longer working). From PSW you'll get another Zip-File with your certificate. Put them all into one directory and create a cert chain.

cat www_yourdomain_de.crt PositiveSSLCA2.crt AddTrustExternalCARoot.crt > cert-chain.txt

For jetty and Java keystore you'll need to create a pcks12 file. It's done like that:

openssl pkcs12 -export -inkey jetty.key -in cert-chain.txt -out jetty.pkcs12

Upload this magic to your server (using SSH of course) and import it to your keystore.

keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore mykeystore

Now that this is done, you just need to tell Jetty to use this keystore. I used this configuration in /etc/jetty.xml.

<Call name="addConnector">
   <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
         <Set name="keyStore">/path/to/mykeystore</Set>
         <Set name="keyStorePassword">OBF:encryptedpass</Set>
         <Set name="keyManagerPassword">OBF:encryptedpass</Set>
         <Set name="trustStorePassword">OBF:encryptedpass</Set>
   <Set name="port">8443</Set>
   <Set name="maxIdleTime">30000</Set>

On restart, your keystore should be used. Don't forget to create Virtual Host names in your context.

That said, my pain with Comodo clearly has nothing to do with They are a reseller and so far I made great experiences with them. Check them out if you are in need of something SSL related. They work international to my knowledge.

Two more references: Jetty How-To SSL and Oracle Keytool.

Tags: #Administration #Jetty #Security #SSL