Making openHAB client connect to openHAB Cloud Service using your own SSL certificates (e.g. for deep inspection)

Hello everybody,

I’m using a firewall that supports deep inspection of SSL traffic by exchanging the SSL-certificates on the fly. In order for this to work, I have to import firewall certificates client-side. This works with most of my clients, however my openHAB client refused to accept the certificate that’s issued by my firewall. Essentially this is what I wanted to achieve:

openHAB client <–> Firewall (deep inspection) <–> openHAB cloud

Installing the certificates in the ‘usual places’ didn’t work. It turns out that openHAB uses the JRE certificate store (I assume because of the Karaf runtime environment). In order to import a certificate into the JRE certificate store, you can use the following command from the jre/lib/security folder (note that you have to specify an alias name and a path to the certificate file):

 ..\..\bin\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias yourAliasName -file path\to\certificate.cer

(see https://stackoverflow.com/questions/4325263/how-to-import-a-cer-certificate-into-a-java-keystore)

After updating the JRE keystore, the client accepted the SSL certificate issued by my firewall.

Optional explanation:
After some research I came up with this:

  1. Find out which process runs the Karaf runtime environment and write down the PID:
     ps aux | grep karaf
  2. Check if the process interacts with any certificate stores/files/data (this checks if any files are opened by the respective process that have pem/crt/cert anywhere in their name):
     sudo ls -l /proc/YOUR_PID/fd | egrep ".+(pem|crt|cert).+"

Repeat this command many times for the first 30 seconds or so after rebooting the machine (when the SSL handshakes are taking place) or write a simple shell script for that.

Best regards,
Michael

4 Likes
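The polling loop from step 2, written out as a script. This is an added example, not part of the original post: it repeats the /proc/PID/fd check for a fixed window (30 seconds by default), resolves each fd with readlink instead of parsing ls output, applies the same pem/crt/cert name filter (which also catches the JRE's cacerts file), and prints every distinct matching path once with the time it was first seen. The function name, argument order and output format are my own choices; as in the original, reading another user's /proc/PID/fd needs root.

```shell
#!/bin/sh
# Added example (not from the original post): poll /proc/<PID>/fd for a fixed
# window and report every open file whose path looks like a certificate or
# keystore. Automates the "repeat ls | egrep many times after reboot" step.
#
# Usage:   watch_cert_fds <pid> [seconds] [poll_interval_seconds]
# Example: sudo ./watch_cert_fds.sh "$(pgrep -f karaf | head -n1)" 30 1

# Filter from the original post: anything with pem/crt/cert in the name.
# "cacerts" (the JRE trust store) contains "cert", so it is caught as well.
CERT_PATTERN='(pem|crt|cert)'

watch_cert_fds() {
    pid=$1
    duration=${2:-30}
    interval=${3:-1}
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 1; }

    # Scratch file holding the paths already reported, so each is printed once.
    seen=$(mktemp) || return 1
    end=$(( $(date +%s) + duration ))
    while [ "$(date +%s)" -lt "$end" ]; do
        # fds come and go between polls, so resolve every link on each pass.
        for fd in /proc/"$pid"/fd/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            if printf '%s\n' "$target" | grep -Eq "$CERT_PATTERN"; then
                if ! grep -Fxq "$target" "$seen"; then
                    printf '%s\n' "$target" >> "$seen"
                    printf '%s pid=%s fd=%s -> %s\n' \
                        "$(date +%H:%M:%S)" "$pid" "${fd##*/}" "$target"
                fi
            fi
        done
        # Stop early if the process has exited (nothing left to watch).
        [ -d "/proc/$pid" ] || break
        sleep "$interval"
    done
    rm -f "$seen"
}

# When run as a script (not sourced), pass the arguments straight through.
if [ -n "${1:-}" ]; then
    watch_cert_fds "$@"
fi
```

Run it right after the service starts (or after a reboot, as the original post suggests) so the window covers the first TLS handshakes; the first line mentioning cacerts tells you which JRE's trust store openHAB actually loaded, which is the file the keytool import above has to target.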

Hi @razfaz32
Could you add an example of that “simple” script to your tutorial, please?
Not all of us are comfortable with script writing. Thanks