Jetty-ssl.xml password hiding


I was configuring my Jetty SSL using this link. I was configuring it for my Tomcat keystore and Tomcat trust-store so that, instead of Jetty's default certificates, my Tomcat certificates are used for SSL connections. While configuring it I found we need to mention the keystore and trust-store passphrase. But I guess this might expose my Tomcat keystore and trust-store passphrase if somehow Jetty gets exposed. So can anyone suggest any other method?

I thought of passing the passphrase file path to the jetty-ssl.xml, so that I am not exposing my passphrase. But I didn't find any similar functionality in Jetty. They only provide a method for obfuscating the password here.


Jetty uses the SSL defaults in Java.

Namely, the java.security and javax.net.ssl packages.

KeyStore.load() requires a password if the keystore itself has one. Otherwise that KeyStore cannot be loaded for use in SSL.

Those KeyStore instances are then passed into the javax.net.ssl.KeyManagerFactory or javax.net.ssl.TrustManagerFactory. Without those, you have a fairly useless SSL configuration.

In short, if the stores on disk have a password, then you have to tell Jetty those passwords, either in obfuscated form, or plain text.
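To show what "obfuscated form" actually buys you, here is an added example that is not part of the question or the answer above: a Python port of the reversible OBF: scheme that Jetty's password obfuscation uses (prefix "OBF:", then for each byte a base-36 encoding of a sum/difference with the mirror-image byte). The sample password "storepwd" is a constructed input; since the transform is a fixed, keyless permutation, anyone who can read the XML can run deobfuscate() on it, so the OBF: string protects the passphrase only against casual shoulder-surfing, not against someone who can read the config file.

```python
"""Port of Jetty's OBF: password obfuscation (added example, not Jetty code).

Each output chunk is 4 base-36 characters ("U" + 4 chars for bytes >= 0x80).
There is no key anywhere in the algorithm, so obfuscation is fully reversible.
"""

OBF_PREFIX = "OBF:"
_DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"


def _to_base36(n: int) -> str:
    """Lower-case base-36 rendering of a non-negative integer."""
    if n == 0:
        return "0"
    out = []
    while n:
        n, r = divmod(n, 36)
        out.append(_DIGITS[r])
    return "".join(reversed(out))


def obfuscate(password: str) -> str:
    """Return the OBF: form of `password` (UTF-8 bytes)."""
    b = password.encode("utf-8")
    n = len(b)
    chunks = [OBF_PREFIX]
    for i in range(n):
        b1 = b[i]
        b2 = b[n - (i + 1)]          # mirror-image byte
        if b1 >= 0x80 or b2 >= 0x80:
            # Non-ASCII: pack both bytes verbatim, flagged with a leading 'U'.
            chunks.append("U" + _to_base36(b1 * 256 + b2).rjust(4, "0"))
        else:
            # ASCII: high byte = 127 + b1 + b2, low byte = 127 + b1 - b2.
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            chunks.append(_to_base36(i1 * 256 + i2).rjust(4, "0"))
    return "".join(chunks)


def deobfuscate(obf: str) -> str:
    """Invert obfuscate(); accepts the value with or without the OBF: prefix."""
    s = obf[len(OBF_PREFIX):] if obf.startswith(OBF_PREFIX) else obf
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "U":
            i += 1
            i0 = int(s[i:i + 4], 36)
            out.append((i0 >> 8) & 0xFF)       # high byte is the original byte
        else:
            i0 = int(s[i:i + 4], 36)
            i1, i2 = divmod(i0, 256)
            out.append((i1 + i2 - 254) // 2)   # (127+b1+b2)+(127+b1-b2)-254 = 2*b1
        i += 4
    return out.decode("utf-8")


def is_obfuscated(value: str) -> bool:
    """True if a config value is in OBF: form (i.e. recoverable without a key)."""
    return value.startswith(OBF_PREFIX)


if __name__ == "__main__":
    sample = "storepwd"                          # constructed sample password
    obf = obfuscate(sample)
    print(obf)                                   # what would sit in jetty-ssl.xml
    print(deobfuscate(obf))                      # recovered with no secret at all
    assert deobfuscate(obf) == sample
```

Because deobfuscate() needs nothing but the string itself, the OBF: value deserves exactly the same file permissions as a plaintext password; treat jetty-ssl.xml (and any backup or repository copy of it) as holding the keystore passphrase in the clear.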