Here the steps I followed to install the certificate.

这里是我安装证书所遵循的步骤。

1.Created a PKCS12with three files(private key file, my cert, CA cert) using OPENSSLtool.

1.使用OPENSSL工具创建了一个包含三个文件（私钥文件、我的证书、CA 证书）的PKCS12。

openssl pkcs12 -export -out j2vproject.pkcs12 -inkey my_privatekeyfile.key -in star_xyz_abc.crt -certfile DigiCertCA.crt

2.Created a java keystorefrom PKCS12 using Keytooltool.

2.使用Keytool工具从 PKCS12创建了一个 java密钥库。

keytool -v -importkeystore -srckeystore j2vproject.pkcs12 -srcstoretype PKCS12  -destkeystore j2vprojectkeystore.jks -deststoretype JKS

3.added this keystore to server and it worked.

3.将此密钥库添加到服务器并且它起作用了。

Asides: you have a certificatesigned by the CA, but a cert is nota signed CSR. Somedata in the cert is the same as somedata in the CSR, but not the whole thing. Plus I wonder why you followed the digicert instructions for Apache/OpenSSL instead of those for Tomcat/Java, which would be much simpler because Jetty also is Java.

旁白：您拥有由 CA 签署的证书，但证书不是已签署的 CSR。一些在证书数据是一样的一些在CSR的数据，而不是整个事情。另外我想知道你为什么遵循 Apache/OpenSSL 的 digicert 指令而不是 Tomcat/Java 的指令，这会简单得多，因为 Jetty 也是 Java。

Anyway: the instructions on that Oracle page only work if you generated the privatekey and CSR with Java keytoolas described in steps 1,2,3. Moreover, steps 4 and 5+6 are alternatives; although the text is not as clear as it could be, you do one or the other, not both -- and only after doing 1,2,3.

无论如何：该 Oracle 页面上的说明仅在您按照步骤 1、2、3 中所述使用 Java keytool生成私钥和 CSR 时才有效。此外，步骤 4 和 5+6 是替代方案；尽管文本并不像它应有的那样清晰，但您可以选择其中之一，而不是同时进行——而且只有在完成 1、2、3 之后。

Given where you are now, your only option is converting the OpenSSL files to pkcs12, and probably then using keytool to convert pkcs12 to JKS. (Java crypto itself can use a pkcs12 directly, but not all Java crypto apps can invoke this option, and I don't know if Jetty can.)

鉴于您现在所处的位置，您唯一的选择是将 OpenSSL 文件转换为 pkcs12，然后可能使用 keytool 将 pkcs12 转换为 JKS。（Java crypto 本身可以直接使用 pkcs12，但并不是所有的 Java 加密应用都可以调用这个选项，不知道 Jetty 是否可以。）

You say you tried this and give no details about what you did, but I'll guess that most likely the "Digicert CA" file you have is an intermediateCA not a root, and to get a complete chain you need to add the root. (A complete chain isn't actually required for the pkcs12 format, and thus the openssl pkcs12subcommand, but is highly desirable for SSL/TLS such as Jetty and thus you should do it.)

您说您尝试过此操作并没有提供有关您所做操作的详细信息，但我猜您拥有的“Digicert CA”文件很可能是中间CA 而不是根，并且要获得完整的链，您需要添加根. （pkcs12 格式和openssl pkcs12子命令实际上不需要完整的链，但是对于 SSL/TLS（例如 Jetty）非常需要，因此您应该这样做。）

First check what your (immediate) CA is and what DigicertCA.crtis with

首先检查您的（立即）CA 是什么以及DigicertCA.crt与

 openssl x509 -in $yourcert.crt -noout -issuer 
 openssl x509 -in DigicertCA.crt -noout -subject -issuer

If issuer of your cert matches the subject of DigicertCA, andthey (both) include something like "intermediate CA" or "SSL CA", andissuer of DigicertCA has "CN" which is any of DigiCert Assured ID Root CA, DigiCert Global Root CAor DigiCert High Assurance EV Root CAthenyou're in luck, as long as you (or anyone else) hasn't deleted the digicert root(s) from the default cacertsin your Java (JRE) installation. Use keytool -exportcertto copy that digicert root from the matching entry in JRE/lib/security/cacertsinto a file. Concatenate your privatekey, your cert, the intermediate "DigicertCA" cert, and the appropriate root cert into one file, and feed that to openssl pkcs12 -export [-name whatever]and direct the output to a file, giving a nonempty password.

如果您的证书的颁发者DigicertCA的主题相符，和他们（双方）包括像“中间CA”或“SSL CA”，并DigicertCA的发行人“CN”，这是任何一个DigiCert Assured ID Root CA，DigiCert Global Root CA或DigiCert High Assurance EV Root CA则你很幸运，只要您（或其他任何人）没有从cacertsJava (JRE) 安装中的默认值中删除 digicert 根。用于keytool -exportcert将该数字证书根从匹配的条目复制JRE/lib/security/cacerts到文件中。将您的私钥、您的证书、中间“DigicertCA”证书和适当的根证书连接到一个文件中，并将其提供给openssl pkcs12 -export [-name whatever]并将输出定向到一个文件，给出一个非空密码。

(Other cases: If DigicertCA.crt actually is a root andmatches the issuer of your cert, that would be very weird. If it's a root and doesn't match the issuer of your cert, you are missing the intermediate CA cert (or possibly even more than one); you should be able to get it (them) from Digicert. If it (DigicertCA.crt) matches the issuer of your cert and is not a root but its issuer isn't one of the roots named above, you'll need more certs for your chain but without more data I can't advise which.)

（其他情况：如果 DigicertCA.crt 实际上是根并且与您的证书的颁发者相匹配，那将非常奇怪。如果它是根并且与您的证书的颁发者不匹配，则您缺少中间 CA 证书（或甚至可能不止一个）；您应该能够从 Digicert 获得它（它们）。如果它 (DigicertCA.crt) 与您的证书的颁发者相匹配并且不是根，但其颁发者不是上面提到的根之一，您的链需要更多证书，但没有更多数据，我无法提供建议。）

With a pkcs12 file, do

使用 pkcs12 文件，执行

keytool -importkeystore -srckeystore p12file -srcstoretype pkcs12 -destkeystore newjksfile

I tried to append both the CA certificate chain and the cacerts from the SSL distribution and use the result as ca cert chain and it worked !

我尝试从 SSL 分发中附加 CA 证书链和 cacerts，并将结果用作 ca cert 链，并且成功了！

cat yourCACert.crt /etc/ssl/certs/ca-certificates.crt > fullCAChain.crt

openssl pkcs12 -export -chain -CAfile fullCAChain.crt -in customercert.cer -inkey customercert.key -out customercert.keystore -name tomcat