I wanted to leverage a certificate signed by my trusted Certificate Authority but found documentation a bit lacking or out of date. I thought others might benefit from my experience recently minting and using a new certificate with OH3.
I’m not going to get into the nitty gritty of CSR and signing. I trust you know that if you are willing to embark on this journey.
This also assumes a Linux install. Windows would work similarly, but the keystore lives in a different location.
Sign with your CA.
- Move the stock keystore to a staging location:
sudo mv /var/lib/openhab/etc/keystore ~/keystore
- Make a copy for safe keeping:
cp ~/keystore ~/keystore.orig
- Collect the following files in a single location such as ~/ (everything assumes this location below):
- oh.key - the private key you created when generating the CSR
- oh.cer - the signed certificate returned by your CA (the extension may be .cer, .crt etc., but the file must be PEM/Base64 encoded)
- chain.pem - the complete chain of your CA: either just a root CA, or a root CA plus one or more intermediate signing CAs, again PEM/Base64 encoded
- keystore - this is the default keystore shipped with openhab
- You can create chain.pem from the individual CA certificates like this:
- Single intermediate
cat intermediate.pem rootca.pem > chain.pem
- Multiple intermediates. Order them from the intermediate that signed your certificate down to the root, with the root last:
cat intermediate2.pem intermediate1.pem rootca.pem > chain.pem
- Create full cert chain:
cat oh.cer chain.pem > ohchain.pem
- Convert to a PKCS12 keystore (use openhab as the export password; it has to match the password Jetty is configured with for the keystore):
openssl pkcs12 -export -inkey oh.key -in ohchain.pem -out oh.p12
- Import new cert into keystore: (use openhab as password)
sudo keytool -importkeystore -srckeystore ~/oh.p12 -srcstoretype PKCS12 -destkeystore ~/keystore
- Your new certificate will have an alias of 1 while the original has the alias of mykey. You can see this with:
keytool -list -keystore ~/keystore
- Delete old mykey cert:
sudo keytool -delete -alias mykey -keystore ~/keystore
- Change new cert to have mykey alias:
sudo keytool -changealias -alias 1 -destalias mykey -keystore ~/keystore
- Verify with:
keytool -list -keystore ~/keystore -v
- Move the keystore into position:
sudo cp ~/keystore /var/lib/openhab/etc/keystore
If cp created a new file it is owned by root, so make sure the openhab user can read it (e.g. sudo chown openhab:openhab /var/lib/openhab/etc/keystore). Then restart openHAB and check what it actually serves with openssl s_client -connect localhost:8443 -showcerts.
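The whole procedure above as a script, added here as an example; it is not code from the original post or from the openHAB project. File names follow the post (oh.key, oh.cer, chain.pem, rootca.pem, keystore), the function names and the STOREPASS variable are my own, and "openhab" is assumed to be the stock keystore password as the post says. It adds the checks that catch the usual mistakes (key/cert mismatch, missing or mis-ordered intermediate) before anything is written into the live keystore, and uses openssl's -name option so the entry gets the mykey alias straight away instead of via keytool -delete/-changealias.

```shell
#!/bin/sh
# Added example (not from the original post or the openHAB project): the
# walkthrough as shell functions with pre-import checks. Assumes the post's
# file names and the default keystore password "openhab"; helper names are mine.
set -eu

STOREPASS="${STOREPASS:-openhab}"

# Concatenate CA certificates in order: the CA that signed oh.cer first, the
# root last. Usage: build_chain chain.pem intermediate2.pem intermediate1.pem rootca.pem
build_chain() {
  out="$1"; shift
  cat "$@" > "$out"
}

# The private key from the CSR must match the certificate the CA returned;
# compare the public keys derived from each.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -pubkey -noout)" ]
}

# Prove the leaf really chains to the root through chain.pem before importing
# it; a missing or mis-ordered intermediate fails here rather than in Jetty.
verify_leaf() {
  leaf="$1"; chain="$2"; root="$3"
  openssl verify -CAfile "$root" -untrusted "$chain" "$leaf" >/dev/null
}

# Export key + certificate + chain to PKCS12. -name mykey gives the entry the
# alias Jetty expects, so no keytool -delete/-changealias is needed later.
make_p12() {
  key="$1"; cert="$2"; chain="$3"; out="$4"
  cat "$cert" "$chain" > "$out.fullchain.pem"
  openssl pkcs12 -export -inkey "$key" -in "$out.fullchain.pem" \
    -name mykey -passout "pass:$STOREPASS" -out "$out"
  rm -f "$out.fullchain.pem"
}

# Number of certificates the PKCS12 carries (leaf + every CA in the chain).
p12_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$STOREPASS" | grep -c 'BEGIN CERTIFICATE'
}

# Replace the mykey entry in the openHAB keystore with the one from the PKCS12.
# keytool is only needed here; everything above is plain openssl.
import_into_keystore() {
  p12="$1"; ks="$2"
  if keytool -list -keystore "$ks" -storepass "$STOREPASS" -alias mykey >/dev/null 2>&1; then
    keytool -delete -alias mykey -keystore "$ks" -storepass "$STOREPASS"
  fi
  keytool -importkeystore -srckeystore "$p12" -srcstoretype PKCS12 \
    -srcstorepass "$STOREPASS" -srcalias mykey \
    -destkeystore "$ks" -deststorepass "$STOREPASS" -destalias mykey -noprompt
  keytool -list -keystore "$ks" -storepass "$STOREPASS" -v
}

# End-to-end run on the staged files, e.g.:
#   sh oh-cert.sh ~/oh.key ~/oh.cer ~/chain.pem ~/rootca.pem ~/keystore
# Afterwards copy ~/keystore into /var/lib/openhab/etc/, chown it to the
# openhab user and restart openHAB, as described in the post.
if [ "$#" -eq 5 ]; then
  key_matches_cert "$1" "$2" || { echo "oh.key does not match oh.cer" >&2; exit 1; }
  verify_leaf "$2" "$3" "$4"
  make_p12 "$1" "$2" "$3" oh.p12
  import_into_keystore oh.p12 "$5"
fi
```

If keytool refuses the PKCS12 that an OpenSSL 3 build produced, the likely cause is the newer PBES2 defaults it uses; re-exporting with `openssl pkcs12 -export -legacy ...` writes the older format that every JDK reads.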
You can use a different keystore password, but then you'll have to do additional Jetty configuration.
You should also clean up oh.key, oh.p12 and the spare keystore copies once you're done: each of them contains the private key, which should be treated like a password, or better.
Hope this helps somebody.