I have to migrate from apache2 httpd to a (java based) vert.x 3 server. An apache2 httpd could successfully be configured using the following three certificate / key files in ssl.conf (shortened paths):
www.mydomain.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate
is unknown. The server might not be sending the appropriate
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER
Vert.x SSL configuration can be done using either Java keystores or using OpenSSL. They both have pros and cons, however if you are migrating from Vert.x the shortest path would be using the
In order to use the OpenSSL engine you will need one extra dependency in your project:
<dependency>
  <groupId>io.netty</groupId>
  <artifactId>netty-tcnative-boringssl-static</artifactId>
  <version>1.1.33.Fork21</version>
</dependency>
This will allow Netty to use OpenSSL or more exactly BoringSSL and therefore use the existing certificates. Loading certificates is done by creating a HttpOptions object like this:
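import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.PemKeyCertOptions;

// Enable TLS and load the existing PEM private key and certificate
HttpServerOptions options = new HttpServerOptions()
  .setSsl(true)
  .setPemKeyCertOptions(
    new PemKeyCertOptions()
      .setKeyPath("privatekey.key")
      .setCertPath("certificate.cer"));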
Key store options configuration expects a private key and its certificate based on Privacy-enhanced Electronic Email (PEM) files.
The key file must contain a non encrypted private key in PKCS8 format wrapped in a PEM block, for example:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV6zPk5WqLwS0a
...
K5xBhtm1AhdnZjx5KfW3BecE
-----END PRIVATE KEY-----
The certificate file must contain an X.509 certificate wrapped in a PEM block, for example:
-----BEGIN CERTIFICATE-----
MIIDezCCAmOgAwIBAgIEZOI/3TANBgkqhkiG9w0BAQsFADBuMRAwDgYDVQQGEwdV
...
+tmLSvYS39O2nqIzzAUfztkYnUlZmB0l/mKkVqbGJA==
-----END CERTIFICATE-----
There is no real support for certificate chains but you could work around it (if you have a public facing site) by visiting: https://whatsmychaincert.com/ and downloading the correct chain (keep "Include Root Certificate" unchecked). That download would then become the
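Added example, not part of the original answer: a Python preflight check for the two PEM files described above, reporting a key that is not a non-encrypted PKCS8 `PRIVATE KEY` block and a certificate file that holds only one certificate. The function names and sample data are constructed for illustration, and the single-certificate warning assumes the file is meant to carry the intermediates as well.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block found in text."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        if "Proc-Type:" in body:  # legacy OpenSSL header of an encrypted key
            blocks.append((label + " (ENCRYPTED)", b""))
            continue
        # validate=True raises ValueError on damaged or elided base64
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks

def check_key(text):
    """Problems with a key file that must be a non-encrypted PKCS8 PEM block."""
    blocks = pem_blocks(text)
    if len(blocks) != 1:
        return ["expected exactly one PEM block, found %d" % len(blocks)]
    label, der = blocks[0]
    if label == "ENCRYPTED PRIVATE KEY" or label.endswith("(ENCRYPTED)"):
        return ["key is encrypted; a non-encrypted key is required"]
    if label != "PRIVATE KEY":
        return ["'%s' is not PKCS8; expected 'PRIVATE KEY'" % label]
    if not der.startswith(b"\x30"):
        return ["payload is not a DER SEQUENCE"]
    return []

def check_cert(text):
    """Problems with a certificate file; also flags a leaf-only file."""
    blocks = pem_blocks(text)
    problems = ["'%s' block is not a certificate" % label
                for label, _ in blocks if label != "CERTIFICATE"]
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    if not certs:
        problems.append("no CERTIFICATE block found")
    elif len(certs) == 1:
        # Assumption: the file should hold the leaf followed by its intermediates
        problems.append("only one certificate; clients may report an unknown issuer")
    return problems

# Constructed samples: tiny DER stubs, not real keys or certificates
STUB = "MAMCAQA="
GOOD_KEY = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % STUB
PKCS1_KEY = GOOD_KEY.replace("PRIVATE KEY", "RSA PRIVATE KEY")
ENC_KEY = GOOD_KEY.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")
LEAF_ONLY = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % STUB
```

An empty list from either function means the file matches the layout described; the checks look only at PEM framing and do not validate signatures or chain order.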