SSL certificates issued by startssl.com (and others) require the installation of intermediate certificates as well as the domain certificate. In other words, you need to install a certificate chain.
(startssl.com offer free basic SSL certificates, so don’t go paying for them elsewhere unless you need a higher class of validation.)
This is based on these instructions from the Jetty people.
Private key file
Your key file should be a base64-encoded pem file; these start with the text “—–BEGIN RSA PRIVATE KEY—–“. If you have a binary file ending in .p12 such as exported from Apple’s Keychain Access, you can convert it like this:
openssl pkcs12 -in key.p12 -out key.pem
(This conversion might be unnecessary, but I haven’t tested without it.)
You need base64-encoded certificate files. These start with “—–BEGIN CERTIFICATE—–“. Make sure there’s an end-of-line at the end of the file! (Binary files might work too, I haven’t tried it.)
Your domain certificate will probably have been issued in this format.
You will also need the other certificates in the chain; these should be downloadable from the issuer. For startssl.com, they’re here; you’ll need their root certificate, ca.pem, and the intermediate certificate of the same class as your domain certificate, eg. sub.class1.server.ca.pem.
Now, cat together the certificates in the chain. Order is important, eg:
cat mydomain.crt sub.class1.server.ca.pem.cer ca.pem.cer > mydomain.chain.txt
Now combine into a pkcs12 file, including the private key:
openssl pkcs12 -export -inkey mydomain.key -in mydomain.chain.txt -out mydomain.chain.pkcs12
Finally, create a keystore containing it all. Make sure the keystore file doesn’t already exist.
keytool -importkeystore -srckeystore mydomain.chain.pkcs12 -srcstoretype PKCS12 -destkeystore mydomain.keystore
Now you have a keystore file you can configure into your Jetty HttpsConnector. (Instructions not included here.)
Firefox is the most fussy about validating chained certificates, so use it for testing. Also, this SSL checker is good.