Can anyone help with a simple tutorial on how to replace the self-signed SSL cert generated upon install with my own?
Background: I have a pfsense box that acts as a local CA on my LAN. I have generated a cert (for domain openhab.local) that I would like to install on the openhabian box so that Chromium doesn’t complain when loading HABPanel pages.
I’ve spent the majority of a day working on this and it keeps failing. This is the procedure I have followed:
Step 1: Create the p12 cert
Step 2: Copy the p12 cert to keystore format
Step 3: Save the keystore to /var/lib/openhab2/etc (I renamed the existing keystore as .bk)
Step 4: Obfuscate the new keystore password (using java -cp /usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util/9.4.20.v20190813/jetty-util-9.4.20.v20190813.jar org.eclipse.jetty.util.security.Password "XXXXX")
Step 5: Edit /usr/share/openhab2/runtime/etc/jetty.xml and insert new obfuscated password.
Before I start posting logs, can someone confirm that this is in fact the way to do it?
I don’t know the answer but all of this stuff is going to be implemented by Karaf so if you don’t get an answer here you might look through the Karaf docs and post to the Karaf forums. If you do figure it out posting the answer here would be awesome!
Thanks for the feedback. I managed to get this to work largely by following EdwardV’s instructions that can be found here: Link.
Note: Whenever asked for a password, use openhab
Once you’ve created the CA and Openhab Certificates in PFSense you need to:
On my local machine
Prepare the p12 cert (don’t use the p12 cert that PF provides as it does not have the correct password):
    #cat pf-sub-ca.crt openhab.crt > openhab.pem
    #openssl pkcs12 -export -inkey openhab.key -in openhab.pem -out openhab.p12
Copy the p12 cert to openhab:
    #scp openhab.p12 openhabian@openhab.local:/home/[user]/tmp/
On the Openhab Server (in my case openhabian)
    #cd /var/lib/openhab2/etc/
    #sudo cp keystore keystore.backup
    #cd /home/[user]/tmp
    #sudo chown openhab:openhab openhab.p12
    #sudo systemctl stop openhab2
    #keytool -keystore /var/lib/openhab2/etc/keystore -list -v [Note: alias is mykey]
    #keytool -delete -alias mykey -keystore /var/lib/openhab2/etc/keystore
    #keytool -keystore /var/lib/openhab2/etc/keystore -list -v
    #keytool -list -keystore openhab.p12 -storetype pkcs12 [Note: alias should be 1]
    #keytool -importkeystore -srckeystore openhab.p12 -srcstoretype PKCS12 -destkeystore /var/lib/openhab2/etc/keystore -deststoretype jks -destalias mykey -srcalias 1
    #keytool -keystore /var/lib/openhab2/etc/keystore -list -v
    #sudo systemctl start openhab2
Don’t forget to install the PFSense Root and Sub CA certificates in the browsers you are using. There are tutorials out there about how to use PF as a local CA on your network.
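A pre-flight check for the openhab.p12 built in the steps above, to run before the keytool import (an added example, not part of the original post): it confirms that the password opens the bundle, that the private key matches the certificate, and that the certificate chains to the root CA through the sub-CA carried in the bundle. The function name check_p12, its exit codes and the root CA file argument are assumptions of this example.

```shell
#!/bin/sh
# check_p12 P12_FILE PASSWORD ROOT_CA_PEM   (name and exit codes are
# illustrative choices for this example, not an openHAB or pfSense tool)
#   0  bundle opens, key matches the leaf cert, leaf chains to the root CA
#   1  bundle cannot be opened (wrong password or unreadable file)
#   2  private key does not belong to the leaf certificate
#   3  leaf does not verify against the root using the certs in the bundle
# e.g. check_p12 openhab.p12 openhab <your exported root CA .crt>
check_p12() {
    p12=$1; pw=$2; root=$3; rc=0
    # mktemp -d gives a 0700 directory; the key is written there unencrypted
    # only for the comparison and is removed before returning.
    tmp=$(mktemp -d) || return 1

    # The password is passed through the environment, not on the command line.
    if ! P12_PW=$pw openssl pkcs12 -in "$p12" -passin env:P12_PW \
            -nocerts -nodes -out "$tmp/key.pem" 2>/dev/null; then
        rc=1
    else
        P12_PW=$pw openssl pkcs12 -in "$p12" -passin env:P12_PW \
            -nokeys -clcerts -out "$tmp/leaf.pem" 2>/dev/null
        P12_PW=$pw openssl pkcs12 -in "$p12" -passin env:P12_PW \
            -nokeys -cacerts -out "$tmp/chain.pem" 2>/dev/null

        # Compare the public key in the certificate with the one derived
        # from the private key.
        cert_pub=$(openssl x509 -in "$tmp/leaf.pem" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null)
        if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            rc=2
        elif grep -q 'BEGIN CERTIFICATE' "$tmp/chain.pem" 2>/dev/null; then
            # Intermediates from the bundle are offered as untrusted helpers;
            # only the root CA file acts as a trust anchor.
            openssl verify -CAfile "$root" -untrusted "$tmp/chain.pem" \
                "$tmp/leaf.pem" >/dev/null 2>&1 || rc=3
        else
            openssl verify -CAfile "$root" "$tmp/leaf.pem" >/dev/null 2>&1 || rc=3
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}
```

Exit code 3 with a bundle that has no sub-CA inside means the `cat pf-sub-ca.crt openhab.crt` step was skipped or used the wrong intermediate.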
I’m in the process of moving my Openhab install from Openhabian to FreeBSD 11.4. I’m therefore taking the opportunity to update the guide above to reflect the correct directory in the FreeBSD install of Openhab.
First, follow the same instructions as above to convert the p12 cert issued by PFSense (called ohbsd.p12 in this example) and copy it across to the server.