- Release Notes
- Announcements
- Price Change to DigiCert SSL Certificates
- TrustAsia Root Certificate Update
- Domain Validation Policy Update
- SSL Certificate Service Console
- Multi-Year SSL Certificate and Automatic Review
- Notice on Stopping the Issuance of 2-Year SSL Certificates by CAs Starting from September 1, 2020
- Announcement on Stop Using the Symantec SSL Certificate Name After 30 April 2020
- Notice on Certificate Revocation Due to Private Key Compromises
- Notice on Application Limits for DV SSL Certificates
- Let's Encrypt Root Certificate Expired on September 30, 2021
- Product Introduction
- Purchase Guide
- Getting Started
- Certificate Application
- Domain Ownership Validation
- Operation Guide
- Certificate Installation
- Installing an SSL Certificate on a Tencent Cloud Service
- Installation of International Standard Certificates
- Installing an SSL Certificate on an Nginx Server
- Installing an SSL Certificate on an Apache Server (Linux)
- Installing an SSL Certificate on an Apache Server (Windows)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server (Linux)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server
- Installing an SSL Certificate (PFX Format) on a Tomcat Server
- Installing an SSL Certificate on a GlassFish Server
- Installing an SSL Certificate on a JBoss Server
- Installing an SSL Certificate on a Jetty Server
- Installing an SSL Certificate on an IIS Server
- Installing a Certificate on WebLogic Servers
- Selecting an Installation Type for an SSL Certificate
- Certificate Management
- Tencent Cloud Certificate Benefit Point Package Management
- Uploading (Hosting) an SSL Certificate
- Reminding Reviewers to Review an SSL Certificate Application
- Revoking an SSL Certificate
- Deleting an SSL Certificate
- Reissuing an SSL Certificate
- Ignoring SSL Certificate Notifications
- Customizing SSL Certificate Expiration Notifications
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Certificate APIs
- CancelAuditCertificate
- CreateCertificate
- DescribeHostUpdateRecord
- DescribeHostUpdateRecordDetail
- ModifyCertificateResubmit
- UpdateCertificateInstance
- UpdateCertificateRecordRetry
- UpdateCertificateRecordRollback
- CreateCertificateBindResourceSyncTask
- DescribeCertificateBindResourceTaskDetail
- DescribeCertificateBindResourceTaskResult
- UploadConfirmLetter
- DescribeHostTeoInstanceList
- UploadCertificate
- SubmitCertificateInformation
- ReplaceCertificate
- ModifyCertificateProject
- ModifyCertificateAlias
- DownloadCertificate
- DescribeCertificates
- DescribeCertificateOperateLogs
- DescribeCertificateDetail
- DescribeCertificate
- DeleteCertificate
- CommitCertificateInformation
- CancelCertificateOrder
- ApplyCertificate
- CSR APIs
- Data Types
- Error Codes
- Best Practices
- Automatic Solution for Implementing and Issuing Multi-Year Certificates and Binding Resources
- Apple ATS Server Configuration
- Quickly Applying for a Free SSL Certificate via DNSPod
- Enabling Tencent Cloud DDNS and Installing Free Certificates for Synology NAS
- Batch Applying for and Downloading Free Certificates Using Python-based API Calls
- Profile Management
- Troubleshooting
- Domain Validation Failed
- Domain Security Review Failed
- Website Inaccessible After an SSL Certificate is Deployed
- 404 Error After the SSL Certificate is Deployed on IIS
- “Your Connection is Not Secure” is Displayed After the SSL Certificate is Installed
- Message Indicating Parsing Failure Is Displayed When a Certificate Is Uploaded
- Automatic DNS Validation Failed for a Domain Hosted with www.west.cn
- Host Name Field Cannot Be Edited in IIS Manager When Type Is Set to https
- Message Indicating Intermediate Certificates Missing in Chain Is Displayed When a Free SSL Certificate Is Deployed on IIS
- FAQs
- SSL Certificate Selection
- SSL Certificate Application
- Quota of Free SSL Certificates
- How to Fill In the Domains Bound to an SSL Certificate During the Application?
- Wildcard SSL Certificates
- Why Does the Order Status Not Changed After a Notification Email Is Received from a CA?
- Can the TXT Records for Domain Name Resolution Configured in the Certificate Be Deleted?
- What Is CSR?
- How Do I Make a CSR File?
- What Is Private Key Password?
- Forgot Your Private Key Password?
- Can an SSL Certificate Be Revoked?
- What are the differences between RSA and ECC?
- What Should I Do If the Console Prompts That "The Certificate Is Bound to Tencent Cloud Resources and Cannot Be Revoked" When I Submit an SSL Certificate Revocation Application?
- What’s the Difference Between Certificate Reissue and Reapplication?
- Which SSL Certificate Types Are Supported for Mini Programs?
- SSL Certificate Management
- SSL Certificate Installation
- What Should I Do If the Host Name Field Is Uneditable in the IIS Manager?
- How Do I Enable Port 443 for a Server?
- Why Does the Website Prompt “Connection Is Untrusted"?
- How Do I Install OpenSSL?
- How Can I Set TLS Versions for SSL Certificates?
- How Can I Combine an SSL Certificate Chain?
- Can Tencent Cloud SSL Certificates Be Used for WebSocket?
- How Do I Enable the IIS Service?
- What Should I Do If I Am Prompted That HTTPS Is Not Secure After Reapplying for Deployment upon Expiration of the SSL Certificate?
- SSL Certificate Region
- SSL Certificate Review
- SSL Certificate Taking Effect
- Is the Original SSL Certificate Still Valid After the Server IP Address Is Changed?
- How Do I Check in a Browser Whether an SSL Certificate Has Taken Effect?
- What Should I Do If GlobalSign Certificates Are Not Supported in Windows 7?
- What Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?
- SSL Certificate Billing and Purchase
- SSL Certificate Validity Period
- SSL Service Level Agreement
- Contact Us
- Glossary
- Release Notes
- Announcements
- Price Change to DigiCert SSL Certificates
- TrustAsia Root Certificate Update
- Domain Validation Policy Update
- SSL Certificate Service Console
- Multi-Year SSL Certificate and Automatic Review
- Notice on Stopping the Issuance of 2-Year SSL Certificates by CAs Starting from September 1, 2020
- Announcement on Stop Using the Symantec SSL Certificate Name After 30 April 2020
- Notice on Certificate Revocation Due to Private Key Compromises
- Notice on Application Limits for DV SSL Certificates
- Let's Encrypt Root Certificate Expired on September 30, 2021
- Product Introduction
- Purchase Guide
- Getting Started
- Certificate Application
- Domain Ownership Validation
- Operation Guide
- Certificate Installation
- Installing an SSL Certificate on a Tencent Cloud Service
- Installation of International Standard Certificates
- Installing an SSL Certificate on an Nginx Server
- Installing an SSL Certificate on an Apache Server (Linux)
- Installing an SSL Certificate on an Apache Server (Windows)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server (Linux)
- Installing an SSL Certificate (JKS Format) on a Tomcat Server
- Installing an SSL Certificate (PFX Format) on a Tomcat Server
- Installing an SSL Certificate on a GlassFish Server
- Installing an SSL Certificate on a JBoss Server
- Installing an SSL Certificate on a Jetty Server
- Installing an SSL Certificate on an IIS Server
- Installing a Certificate on WebLogic Servers
- Selecting an Installation Type for an SSL Certificate
- Certificate Management
- Tencent Cloud Certificate Benefit Point Package Management
- Uploading (Hosting) an SSL Certificate
- Reminding Reviewers to Review an SSL Certificate Application
- Revoking an SSL Certificate
- Deleting an SSL Certificate
- Reissuing an SSL Certificate
- Ignoring SSL Certificate Notifications
- Customizing SSL Certificate Expiration Notifications
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Certificate APIs
- CancelAuditCertificate
- CreateCertificate
- DescribeHostUpdateRecord
- DescribeHostUpdateRecordDetail
- ModifyCertificateResubmit
- UpdateCertificateInstance
- UpdateCertificateRecordRetry
- UpdateCertificateRecordRollback
- CreateCertificateBindResourceSyncTask
- DescribeCertificateBindResourceTaskDetail
- DescribeCertificateBindResourceTaskResult
- UploadConfirmLetter
- DescribeHostTeoInstanceList
- UploadCertificate
- SubmitCertificateInformation
- ReplaceCertificate
- ModifyCertificateProject
- ModifyCertificateAlias
- DownloadCertificate
- DescribeCertificates
- DescribeCertificateOperateLogs
- DescribeCertificateDetail
- DescribeCertificate
- DeleteCertificate
- CommitCertificateInformation
- CancelCertificateOrder
- ApplyCertificate
- CSR APIs
- Data Types
- Error Codes
- Best Practices
- Automatic Solution for Implementing and Issuing Multi-Year Certificates and Binding Resources
- Apple ATS Server Configuration
- Quickly Applying for a Free SSL Certificate via DNSPod
- Enabling Tencent Cloud DDNS and Installing Free Certificates for Synology NAS
- Batch Applying for and Downloading Free Certificates Using Python-based API Calls
- Profile Management
- Troubleshooting
- Domain Validation Failed
- Domain Security Review Failed
- Website Inaccessible After an SSL Certificate is Deployed
- 404 Error After the SSL Certificate is Deployed on IIS
- “Your Connection is Not Secure” is Displayed After the SSL Certificate is Installed
- Message Indicating Parsing Failure Is Displayed When a Certificate Is Uploaded
- Automatic DNS Validation Failed for a Domain Hosted with www.west.cn
- Host Name Field Cannot Be Edited in IIS Manager When Type Is Set to https
- Message Indicating Intermediate Certificates Missing in Chain Is Displayed When a Free SSL Certificate Is Deployed on IIS
- FAQs
- SSL Certificate Selection
- SSL Certificate Application
- Quota of Free SSL Certificates
- How to Fill In the Domains Bound to an SSL Certificate During the Application?
- Wildcard SSL Certificates
- Why Does the Order Status Not Changed After a Notification Email Is Received from a CA?
- Can the TXT Records for Domain Name Resolution Configured in the Certificate Be Deleted?
- What Is CSR?
- How Do I Make a CSR File?
- What Is Private Key Password?
- Forgot Your Private Key Password?
- Can an SSL Certificate Be Revoked?
- What are the differences between RSA and ECC?
- What Should I Do If the Console Prompts That "The Certificate Is Bound to Tencent Cloud Resources and Cannot Be Revoked" When I Submit an SSL Certificate Revocation Application?
- What’s the Difference Between Certificate Reissue and Reapplication?
- Which SSL Certificate Types Are Supported for Mini Programs?
- SSL Certificate Management
- SSL Certificate Installation
- What Should I Do If the Host Name Field Is Uneditable in the IIS Manager?
- How Do I Enable Port 443 for a Server?
- Why Does the Website Prompt “Connection Is Untrusted"?
- How Do I Install OpenSSL?
- How Can I Set TLS Versions for SSL Certificates?
- How Can I Combine an SSL Certificate Chain?
- Can Tencent Cloud SSL Certificates Be Used for WebSocket?
- How Do I Enable the IIS Service?
- What Should I Do If I Am Prompted That HTTPS Is Not Secure After Reapplying for Deployment upon Expiration of the SSL Certificate?
- SSL Certificate Region
- SSL Certificate Review
- SSL Certificate Taking Effect
- Is the Original SSL Certificate Still Valid After the Server IP Address Is Changed?
- How Do I Check in a Browser Whether an SSL Certificate Has Taken Effect?
- What Should I Do If GlobalSign Certificates Are Not Supported in Windows 7?
- What Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?
- SSL Certificate Billing and Purchase
- SSL Certificate Validity Period
- SSL Service Level Agreement
- Contact Us
- Glossary
Installing an SSL Certificate on a Jetty Server
Last updated: 2024-03-06 17:38:42
Overview
This document describes how to install an SSL certificate on a Jetty server.
Note:
The certificate name
cloud.tencent.com is used as an example.The
jetty-distribution-9.4.28.v20200408 version is used as an example.The current server OS is CentOS 7. Detailed steps vary slightly by OS.
Before you install an SSL certificate, enable port
443 on the Jetty server so that HTTPS can be enabled after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?.For detailed directions on how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Prerequisites
Install the remote file copy tool such as WinSCP. The latest official version is recommended.
We recommend that you use CVM's file upload feature for deployment to CVM.
Install the remote login tool such as PuTTY or Xshell. The latest official version is recommended.
The Jetty service has been installed and configured on the current server.
The data required to install the SSL certificate includes the following:
Name | Description |
Server IP address | IP address of the server, which is used to connect the PC to the server. |
Username | The username used to log in to the server. |
Password | The password used to log in to the server. |
Note:
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to get the server IP address, username, and password.
If you have selected the By pasting method when applying for the SSL certificate, or your certificate brand is WoTrus, the option to download the JKS certificate file is not provided. Instead, you need to manually convert the format to generate a keystore as follows:
Access the conversion tool.
Upload the certificate and private key files in the Nginx folder to the conversion tool, enter the keystore password, click Submit, and convert the certificate to a
.jks certificate.The Jetty service is installed in the
/usr/local/jetty directory.Directions
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select JKS for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the cloud.tencent.com_jks folder.Folder:
cloud.tencent.com_jksFiles in the folder:
cloud.tencent.com.jks: keystore filekeystorePass.txt: password file (if you have set a private key password, this file will not be generated)3. Remotely log in to the Jetty server. For example, you can use PuTTY for remote login.
4. In the
/usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, run the mkdir cert command to create the cert folder.5. Use WinSCP (a tool for copying files between a local computer and a remote computer) to log in to the Jetty server and copy the keystore file
cloud.tencent.com.jks from the local directory to the cert folder.Note:
For detailed directions, see Uploading files via WinSCP to a Linux CVM from Windows.
We recommend that you use CVM's file upload feature for deployment to CVM.
6. In the
/usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, modify the configuration in the jetty-ssl-context.xml file.Note:
KeyStorePath: Set the default value to the certificate path.
KeyStorePassword: Set the default value to the keystore password. If you have set a private key password when applying for the certificate, enter the private key password; otherwise, enter the password in the
keystorePass.txt file in the cloud.tencent.com_jks folder.KeyManagerPassword: Set the value to the password in the
keystorePass.txt file in the cloud.tencent.com_jks folder.TrustStorePath: Set the default value to the certificate path.
<?xml version="1.0"?><!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"><!-- ============================================================= --><!-- SSL ContextFactory configuration --><!-- ============================================================= --><!--To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example athttps://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites--><Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server"><Set name="Provider"><Property name="jetty.sslContext.provider"/></Set><Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/cert/cloud.tencent.com.jks"/></Set><Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" deprecated="jetty.keystore.password" default="4d5jtdq238j1l"/></Set><Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set><Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set><Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" deprecated="jetty.keymanager.password" default="4d5jtdq238j1l"/></Set><Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="etc/cert/cloud.tencent.com.jks"/></Set><Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" deprecated="jetty.truststore.password"/></Set><Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType"/></Set><Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set><Set name="EndpointIdentificationAlgorithm"><Property name="jetty.sslContext.endpointIdentificationAlgorithm"/></Set><Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set><Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" deprecated="jetty.ssl.wantClientAuth" default="false"/></Set><Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set><Set name="sslSessionCacheSize"><Property name="jetty.sslContext.sslSessionCacheSize" default="-1"/></Set><Set name="sslSessionTimeout"><Property name="jetty.sslContext.sslSessionTimeout" default="-1"/></Set><Set name="RenegotiationAllowed"><Property name="jetty.sslContext.renegotiationAllowed" default="true"/></Set><Set name="RenegotiationLimit"><Property name="jetty.sslContext.renegotiationLimit" default="5"/></Set><Set name="SniRequired"><Property name="jetty.sslContext.sniRequired" default="false"/></Set><!-- Example of how to configure a PKIX Certificate Path revocation Checker<Call id="pkixPreferCrls" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>PREFER_CRLS</Arg></Call><Call id="pkixSoftFail" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>SOFT_FAIL</Arg></Call><Call id="pkixNoFallback" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>NO_FALLBACK</Arg></Call><Call class="java.security.cert.CertPathBuilder" name="getInstance"><Arg>PKIX</Arg><Call id="pkixRevocationChecker" name="getRevocationChecker"><Call name="setOptions"><Arg><Call class="java.util.EnumSet" name="of"><Arg><Ref refid="pkixPreferCrls"/></Arg><Arg><Ref refid="pkixSoftFail"/></Arg><Arg><Ref refid="pkixNoFallback"/></Arg></Call></Arg></Call></Call></Call><Set name="PkixCertPathChecker"><Ref refid="pkixRevocationChecker"/></Set>--></Configure>
7. In the
/usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, change the port number to 443 in the jetty-ssl.xml file.<Call name="addConnector"><Arg><New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector"><Arg name="server"><Ref refid="Server" /></Arg><Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecated="ssl.acceptors" default="-1"/></Arg><Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecated="ssl.selectors" default="-1"/></Arg><Arg name="factories"><Array type="org.eclipse.jetty.server.ConnectionFactory"><!-- uncomment to support proxy protocol<Item><New class="org.eclipse.jetty.server.ProxyConnectionFactory"/></Item>--></Array></Arg><Set name="host"><Property name="jetty.ssl.host" deprecated="jetty.host" /></Set><Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="443" /></Set><Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.timeout" default="30000"/></Set><Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set><Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize" default="0"/></Set><Get name="SelectorManager"><Set name="connectTimeout"><Property name="jetty.ssl.connectTimeout" default="15000"/></Set></Get></New></Arg></Call>
8. In the
/usr/local/jetty/jetty-distribution-9.4.28.v20200408 directory, add the following content to the start.ini file:etc/jetty-ssl.xmletc/jetty-ssl-context.xmletc/jetty-https.xml
9. In the Jetty root directory, run the
java -jar start.jar command to start the Jetty server and then you can access it through https://cloud.tencent.com.If the security lock icon is displayed in the browser, the certificate has been installed successfully.
In case of a website access exception, troubleshoot the issue by referring to the following FAQs:
Reminders
After the certificate is deployed, the following error message may be displayed when you access 
https://cloud.tencent.com:
ROOT file from the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/demo-base/webapps directory to the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/webapps directory, and then restart the Jetty server.
Yes
No
Was this page helpful?