Replacing the Self-Signed SSL Cert with local PFSense CA Certs

Can anyone help with a simple tutorial on how to replace the self-signed SSL cert generated upon install with my own?

Background: I have a pfsense box that acts as a local CA on my LAN. I have generated a cert (for domain openhab.local) that I would like to install on the openhabian box so that Chromium doesn’t complain when loading HABPanel pages.

I’ve spent the majority of a day working on this and it keeps failing. This is the procedure I have followed:

Step 1: Create the p12 cert

Step 2: Copy the p12 cert to keystore format

Step 3: Save the keystore to /var/lib/openhab2/etc (I renamed the existing keystore as .bk)

Step 4: Obfuscate the new keystore password (using java -cp /usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util/9.4.20.v20190813/jetty-util-9.4.20.v20190813.jar org.eclipse.jetty.util.security.Password “XXXXX”

Step 5: Edit /usr/share/openhab2/runtime/etc/jetty.xml and insert new obfuscated password.

Before I start posting logs, can someone confirm that this is in fact the way to do it?

Many thanks,
D.

I don’t know the answer but all of this stuff is going to be implemented by Karaf so if you don’t get an answer here you might look through the Karaf docs and post to the Karaf forums. If you do figure it out posting the answer here would be awesome!

I know of someone else who was looking for a way to do this but they are stuck as well. https://community.hestiapi.com/t/documentation-initiative/423/18

The steps you describe seem to match with the docs that are available in the internet.
What error message do you get ?

Thanks for the feedback. I managed to get this to work largely by following EdwardV’s instructions that can be found here: Link.

Note: Whenever asked for a password, use openhab

Once you’ve created the CA and Openhab Certificates in PFSense you need to:

On my local machine
Prepare the p12 cert (don’t use the p12 cert that PF provides as it does not have the correct password):
#cat pf-sub-ca.crt openhab.crt > openhab.pem
#openssl pkcs12 -export -inkey openhab.key -in openhab.pem -out openhab.p12
Copy the p12 cert to openhab:
#scp openhab.p12 openhabian@openhab.local:/home/[user]/tmp/

On the Openhab Server (in my case openhabian)
#cd /var/lib/openhab2/etc/
#sudo cp keystore keystore.backup
#cd /home/[user]/tmp
#sudo chown openhab:openhab openhab.p12
#sudo systemctl stop openhab2
#keytool -keystore /var/lib/openhab2/etc/keystore -list -v [Note: alias is mykey]
#keytool -delete -alias mykey -keystore /var/lib/openhab2/etc/keystore
#keytool -keystore /var/lib/openhab2/etc/keystore -list -v
#keytool -list -keystore openhab.p12 -storetype pkcs12 [Note: alias should be 1]
#keytool -importkeystore -srckeystore openhab.p12 -srcstoretype PKCS12 -destkeystore /var/lib/openhab2/etc/keystore -deststoretype jks -destalias mykey -srcalias 1
#keytool -keystore /var/lib/openhab2/etc/keystore -list -v
#sudo systemctl start openhab2

Don’t forget to install the PFSense Root and Sub CA certificates in the browsers you are using. There are tutorials out there about how to use PF as a local CA on your network.

Hope this helps!

2 Likes

I’m in the process of moving my Openhab install from Openhabian to FreeBSD 11.4. I’m therefore taking the opportunity to update the the guide above to reflect the correct directory in the FreeBSD install of Openhab.

First, follow the same instructions as above to covert the p12 cert issued by PFSense (called ohbsd.p12 in this example) and copy it across to the server.

Then, on the Openhab Server (FreeBSD Server) as root
#cd /usr/local/share/openhab2/etc/
#cp keystore keystore.backup
#chown openhab:openhab ohbsd.p12
#service openhab2 stop
#keytool -keystore /var/db/openhab2/userdata/etc/keystore -list -v
#keytool -delete -alias mykey -keystore /var/db/openhab2/userdata/etc/keystore
#keytool -keystore /var/db/openhab2/userdata/etc/keystore -list -v
#keytool -list -keystore ohbsd.p12 -storetype pkcs12
#keytool -importkeystore -srckeystore ohbsd.p12 -srcstoretype PKCS12 -destkeystore /var/db/openhab2/userdata/etc/keystore -deststoretype jks -destalias mykey -srcalias 1
#keytool -keystore /var/db/openhab2/userdata/etc/keystore -list -v
#service openhab2 start

It throws the following Warning that can be ignored “Warning: The JKS keystore uses a proprietary format.”