user3464741 user3464741 - 3 months ago 39
Apache Configuration Question

Migrating from apache2 to vertx 3 when using ssl

I have to migrate from apache2 httpd to a (java based) vert.x 3 server. An apache2 httpd could successfully be configured using the following three certificate / key files in ssl.conf (shortened paths):


SSLCertificateFile certificate.cer
SSLCertificateKeyFile privatekey.key
SSLCertificateChainFile intermediate.cer


Browsers accepted the https connection without complaint.

After creating a keystore for vert.x 3 and running it, the browser tells me: uses an invalid security certificate.
The certificate is not trusted because the issuer certificate
is unknown. The server might not be sending the appropriate
intermediate certificates.
An additional root certificate may need to be imported.

Yet, the browser seems to receive the right server certificate and intermediate certificate.

How can I find out what root certificate (of severeral GeoTrust root certificates) is used by a well working apache2 httpd configuration?
Do I have to include that into a java keystore?

If yes, how does httpd find the right root certificate - and where?

Is the .../mozilla folder the right place to fetch root certificates for a server (I think that a place only for certificates for use by the browser)?

To rule out an alternative explanation: Has vertx a known bug in its ssl functionality??


Vert.x SSL configuration can done using either java keystores or using OpenSSL. They both have pros and cons, however if you are migrating from Apache to Vert.x the shortest path would be using the OpenSSL engine.

In order to use the OpenSSL engine you will need one extra dependency in your project:


This will allow Netty to use OpenSSL or more exactly BoringSSL and therefore use the existing certificates. Loading certificates is done by creating a HttpOptions object like this:

new HttpServerOptions()
    new PemKeyCertOptions()

Key store options configuration expects a private key and its certificate based on Privacy-enhanced Electronic Email (PEM) files.

The key file must contain a non encrypted private key in PKCS8 format wrapped in a PEM block, for example:


The certificate file must contain an X.509 certificate wrapped in a PEM block, for example:


There is no real support for certificate chains but you could work around it (if you have a public facing site) by visiting: and downloading the correct chain (keep "Include Root Certificate" unchecked). That download would then become the certificate.cer.