Java keystore with Startcom Certificate

Table of Contents

startcom is a great service that you can use to get free ssl certificates. I got them in two files, one for the certificate and one for the key.

Create a keystore

In order to use it with jetty, you need both of them in the keystore. See this tutorial for a in depth look at it.

In short:

First, put the root certificate and your personal certificate into one PEM file.

cp my-certificate.pem ssl.pem
cat ca-root.pem >> ssl.pem

Then combine both files, the key and the certificates, into on pkcs12 file using openssl

openssl pkcs12 -inkey ssl.key -in ssl.pem -export -out my-domain.pkcs12

Then use the new keytool feature (from java 1.6) to convert the pkcs12 store into a java keystore:

keytool -importkeystore -srckeystore my-domain.pkcs12 -srcstoretype PKCS12 -destkeystore my-domain.ks


Now there is a valid keystore containing my new certificate. But is not listed in the trusted certs in the jre's cacerts file. For this, we need to import the ca certificates.

They can be found on the website

You can import them using keytool:

keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -alias -file ca.crt

I found a cool little script that does all this already. After you downloaded the script, make sure to replace the http URLs with https. After running this script java trusts StartCom and so the new certificate in the keystore.

Date: [2014-01-31 Fr]

Created: 2015-12-08 Di 23:21