
I'm trying to use the Windows Certificate Store from Jetty for HTTPS communication.


After setting up a web-application on client site, it should be easier for the client to update an expired certificate in the Windows Certificate Store than having to create or update a keyStore file.

This is what I've done:

Downloaded the latest version 9.4.26 from https://www.eclipse.org/jetty/download.html

Added the following lines in start.ini:

jetty.ssl.port=443
jetty.sslContext.keyStoreType=Windows-MY

Run as:

"jre\bin\java" -jar start.jar --module=https,deploy

And this is the error I get:

java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.eclipse.jetty.start.Main.invokeMain(Main.java:218)
        at org.eclipse.jetty.start.Main.start(Main.java:491)
        at org.eclipse.jetty.start.Main.main(Main.java:77)
Caused by: java.lang.IllegalStateException: no valid keystore
        at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)
        at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1188)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:323)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.server.Server.doStart(Server.java:385)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.xml.XmlConfiguration.lambda$main$0(XmlConfiguration.java:1888)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1837)
        ... 7 more

I also tried adding or changing the following lines, with the same result:

jetty.sslContext.keyStoreType=Windows-MY
jetty.sslContext.trustStoreType=Windows-ROOT

-

jetty.sslContext.keyStoreType=Windows-ROOT

-

jetty.sslContext.keyStoreType=Windows-MY
jetty.sslContext.trustStoreType=Windows-ROOT
jetty.sslContext.keyStorePath=NONE
jetty.sslContext.trustStorePath=NONE
flavio.donze

1 Answer

If you look at the source code of Jetty, they expect some file system resource to be passed as the keystore and truststore path. The following exception comes when the keystore or truststore path does not exist:

Caused by: java.lang.IllegalStateException: no valid keystore
    at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:50)

However, there is a trick to load the Windows store. You can specify:

jetty.sslContext.keyStoreType=Windows-MY (or Windows-ROOT)

and for jetty.sslContext.keyStorePath you can specify any dummy file path which exists on the file system (you can even create an empty txt file and give its path!). In this case the Windows store is loaded and the Jetty-side resource validation also passes.

FYI, when you provide keystore type as Windows-MY or Windows-ROOT, it would simply ignore any file input stream (if passed) while loading the keystore. Ultimately only one keystore is loaded, i.e. Windows Store.

keenUser
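The same trick in embedded form, as an added example that is not part of the question or answer above and not Jetty's own code: the key store type is set to Windows-MY, the key store path points at a throwaway file that only exists to pass Jetty's resource check, and, because the OS store may hold several private-key entries, a pre-flight check confirms the intended alias exists and is not about to expire before the connector starts. The alias name, the port and the provider lookup by the SunMSCAPI name are assumptions for this example.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class WindowsStoreJetty {

    // Assumed friendly name of the server certificate in Windows-MY; not from the page.
    static final String CERT_ALIAS = "example-server-cert";

    /**
     * Pre-flight check against the same KeyStore type Jetty will open.
     * Returns the days until the entry expires, or throws if the alias is
     * missing, has no private key, or is already expired. Windows-MY ignores
     * the stream and password given to load(), which is exactly why a dummy
     * keyStorePath satisfies Jetty without affecting what gets loaded.
     */
    static long daysUntilExpiry(String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);                       // backed by the OS store, no file involved
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("no private-key entry for alias " + alias
                    + "; available: " + Collections.list(ks.aliases()));
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity();                      // CertificateExpiredException if expired
        return ChronoUnit.DAYS.between(Instant.now(), cert.getNotAfter().toInstant());
    }

    public static void main(String[] args) throws Exception {
        long days = daysUntilExpiry(CERT_ALIAS);
        if (days < 30) System.err.println("WARNING: " + CERT_ALIAS + " expires in " + days + " days");

        // Dummy file whose only job is to satisfy Jetty's "resource must exist" validation.
        File dummy = File.createTempFile("jetty-dummy-keystore", ".txt");
        dummy.deleteOnExit();

        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStoreType("Windows-MY");             // jetty.sslContext.keyStoreType
        ssl.setKeyStorePath(dummy.getAbsolutePath());  // jetty.sslContext.keyStorePath
        ssl.setCertAlias(CERT_ALIAS);                  // pin the entry to serve explicitly

        Server server = new Server();
        ServerConnector https = new ServerConnector(server, ssl);
        https.setPort(443);                            // assumed port, matches the question
        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

Run it on the Windows JRE that holds the certificate; on a non-Windows JRE the SunMSCAPI provider is absent and getInstance fails before anything is served.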