$ openssl s_client -connect localhost:8443
[lots of stuff truncated]
-----END CERTIFICATE-----
subject=/C=Unknown/ST=Unknown/L=Unknown/O=openHAB/OU=Unknown/CN=openhab.org
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=openHAB/OU=Unknown/CN=openhab.org
---
No client certificate CA names sent
---
SSL handshake has read 1614 bytes and written 296 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 52B1FD317C19B5067235A4FDF277B0AF5FFDF7AA760A431CC53B8C0C2CC796A7
Session-ID-ctx:
Master-Key: 8EEAA5595C7E46BEAFABC4CAE2797A704FD79754BB2BDBF3159CC42427E497C5B58522D7ED166A1A256D1189148EB93E
Key-Arg : None
Start Time: 1387396401
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
Result: yes, openHAB's default SSL/TLS cert is being used (CN=openhab.org).
ca.crt: the CA certificate in PEM format
server.crt: the Server certificate in PEM format
server.key: the Server key in PEM format
The password we're going to be asked for will encrypt the key and protect the PKCS#12 container. The container we'll destroy in a moment, but the password we make a note of for later.
For simplicity's sake you can use openhab as the password, as choosing another password means you need to hash the password and provide jetty the hash as jetty.ssl.keypassword.
$ cat server.crt ca.crt > chain.pem
$ openssl pkcs12 -export -inkey server.key -in chain.pem -out /tmp/oh.p12
Enter Export Password:
Verifying - Enter Export Password:
$ rm chain.pem
$ ls -l oh.p12
-rw-r--r-- 1 jpm staff 4061 Dec 18 21:01 oh.p12
By importing to the not-yet existing keystore we will create a new one in a convenient location.
$ keytool -importkeystore -srckeystore /tmp/oh.p12 -srcstoretype PKCS12 -destkeystore /etc/openhab2/keystore
Enter destination keystore password: <-- "openhab" is default, else you need to set `jetty.ssl.password`
Re-enter new password:
Enter source keystore password: <-- password from the previous step
Entry for alias 1 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
$ rm /tmp/oh.p12
During the import the alias was automatically named 1, but jetty expects the alias mykey.
First let's see that the alias is indeed 1:
$ keytool -keystore /etc/openhab2/keystore -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
1, Sep 27, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 87:AC:48:B2:2F:7D:DD:D5:C5:F6:D5:57:FD:DB:FC:69:49:E4:D2:29
Now change it:
$ keytool -changealias -keystore /etc/openhab2/keystore -alias 1 -destalias mykey
Enter keystore password:
And verify:
$ keytool -keystore /etc/openhab2/keystore -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
mykey, Sep 27, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 87:AC:48:B2:2F:7D:DD:D5:C5:F6:D5:57:FD:DB:FC:69:49:E4:D2:29
Edit /etc/default/openhab2 and change EXTRA_JAVA_OPTS so that -Djetty.keystore.path=/etc/openhab2/keystore is included. Example:
EXTRA_JAVA_OPTS="-Djetty.keystore.path=/etc/openhab2/keystore"
In case you did not choose openhab as your keystore password, you can also override jetty.ssl.password and jetty.ssl.keypassword the same way (beware that the values for these two variables need to be hashed, see below).
Verify the console, check that no errors regarding "tampering" of keystore arise.
$ openssl s_client -connect localhost:8443
[...]
-----END CERTIFICATE-----
subject=/CN=tiggr.ww.mens.de/O=MQTTitude.org/emailAddress=nobody@example.net
issuer=/CN=An MQTT broker/O=MQTTitude.org/emailAddress=nobody@example.net
---
First you might need to search for the jetty-util*.jar file:
$ find /usr/share/openhab2/runtime/ -name jetty-util\*.jar
/usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util-ajax/9.2.19.v20160908/jetty-util-ajax-9.2.19.v20160908.jar
/usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util/9.2.19.v20160908/jetty-util-9.2.19.v20160908.jar
The latter file is the one we need.
Then you can use this to generate the password hashes:
$ java -cp /usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util/9.2.19.v20160908/jetty-util-9.2.19.v20160908.jar org.eclipse.jetty.util.security.Password 'openhab'
2017-09-27 21:48:37.948:INFO::main: Logging initialized @124ms
openhab
OBF:1uh81uha1toc1wn31toi1ugg1ugi
MD5:87f64d5c0cc348bf47cd17c911f4396f
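The OBF: line above is Jetty's reversible obfuscation of the password, not a hash (only the MD5: line is a digest), so anyone who can read /etc/default/openhab2 can recover a keystore password stored in OBF form; file permissions on that file still matter. The Python below is an added example, not code from the original page or from the openHAB or Jetty projects: it reimplements the OBF encoding and decoding of org.eclipse.jetty.util.security.Password for ASCII passwords (the function names are this example's own) and shows the round trip on the value printed above.

```python
import hashlib

_B36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def _base36(n: int) -> str:
    """Lower-case base-36 string of a non-negative integer (Java's Integer.toString(n, 36))."""
    s = ""
    while n:
        n, r = divmod(n, 36)
        s = _B36[r] + s
    return s or "0"


def jetty_obfuscate(password: str) -> str:
    """Jetty OBF: encoding. Byte i is mixed with its mirror byte from the end,
    so the output depends only on the password; there is no key and no salt."""
    b = password.encode("ascii")  # ASCII-only port; Jetty uses a 'U'-prefixed form for other bytes
    n = len(b)
    out = ["OBF:"]
    for i in range(n):
        b1, b2 = b[i], b[n - 1 - i]
        i0 = (127 + b1 + b2) * 256 + (127 + b1 - b2)
        out.append(_base36(i0).rjust(4, "0"))  # always 4 base-36 digits per byte
    return "".join(out)


def jetty_deobfuscate(obf: str) -> str:
    """Inverse of jetty_obfuscate: each 4-digit group yields one byte of the password."""
    s = obf[4:] if obf.startswith("OBF:") else obf
    if "U" in s:
        raise ValueError("non-ASCII OBF groups are not handled by this port")
    chars = []
    for i in range(0, len(s), 4):
        i0 = int(s[i:i + 4], 36)
        i1, i2 = divmod(i0, 256)
        chars.append(chr((i1 + i2 - 254) // 2))  # (127+b1+b2)+(127+b1-b2)-254 = 2*b1
    return "".join(chars)


def jetty_md5(password: str) -> str:
    """Jetty's MD5: form, a plain unsalted MD5 of the password bytes in hex."""
    return "MD5:" + hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    obf = jetty_obfuscate("openhab")
    print(obf)                      # OBF:1uh81uha1toc1wn31toi1ugg1ugi, as printed by jetty-util above
    print(jetty_deobfuscate(obf))   # openhab: the OBF form is recoverable without any secret
    print(jetty_md5("openhab"))
```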