Setting up openHAB and Influxdb to use privately signed certificates for HTTPS access using openSSL

I have spent the last few days working on getting my WINDOWS based openHAB system running with privately signed certificates.

This was achieved using OpenSSL with a custom root CA, whose certificate is then installed on the client devices so that they trust the server certificates it signs.

The process is as follows:

Step 1: Create a private key for the CA
openssl genrsa -aes256 -out MVG_CA.key 4096

Password: <Password of Choice - remember it>

Step 2: Create Certificate of the CA
openssl req -x509 -new -nodes -key MVG_CA.key -sha256 -days 1826 -out MVG_CA.crt

To confirm Certificate Details use:

openssl x509 -inform pem -noout -text -in MVG_CA.crt

Step 3: Add the CA certificate to the trusted root certificates
For Windows: Open the .crt file and install it for all users to “Trusted Root Certificate Authorities” (verify it by running certmgr.msc)
For Java add the certificate to the relevant cacerts file (Using Portecle)

Download and install portecle.
First make 100% sure you know which JRE or JDK is being used to run your program.
Copy the file JAVA_HOME\lib\security\cacerts to another folder.
In Portecle click File > Open Keystore File
Select the cacerts file
Enter this password: changeit
Click Tools > Import Trusted Certificate
Browse for the file MVG_CA.crt
Click Import
Click OK for the warning about the trust path.
Click OK when it displays the details about the certificate.
Click Yes to accept the certificate as trusted.
When it asks for an alias click OK and click OK again when it says it has imported the certificate.
Click save. Don’t forget this or the change is discarded.
Copy the file cacerts back where you found it.

Step 4: Create a certificate for the webserver
Create Certificate Signing Request
openssl req -out MyopenHAB.csr -newkey rsa:2048 -nodes -keyout MyopenHAB.key -config openssl-csr.conf <------ See below for syntax of the file openssl-csr.conf

Check with:
openssl req -noout -text -in MyopenHAB.csr

Sign Certificate with CA
openssl x509 -req -in MyopenHAB.csr -CA MVG_CA.crt -CAkey MVG_CA.key -CAcreateserial -out MyopenHAB.crt -days 730 -sha256 -extensions req_ext -extfile openssl-csr.conf

Check with:

openssl x509 -inform pem -noout -text -in MyopenHAB.crt

Step 5: Create the certificate chain to include the Signing CA etc. and convert to p12 format

Chain the certificate for server with your CA certificate
type MyopenHAB.crt MVG_CA.crt > MyopenHABchain.pem <------ On Linux etc. you would use cat instead of type (server certificate first, CA certificate second)

Convert to p12 format required
openssl pkcs12 -export -inkey MyopenHAB.key -in MyopenHABchain.pem -out MyopenHAB.p12

Password: openhab <------ Required for Web Server unless you want to mess with the JETTY config.

Step 6: Import the signed Certificate into the Web Server Keystore

Retrieve a copy of the keystore file (C:\openHAB\userdata\etc\keystore)

keytool -importkeystore -srckeystore MyopenHAB.p12 -srcstoretype PKCS12 -destkeystore keystore

keytool -list -keystore keystore

keytool -delete -alias mykey -keystore keystore

keytool -changealias -alias 1 -destalias mykey -keystore keystore

keytool -list -keystore keystore -v

Copy the keystore file back to the folder where openHAB is installed (C:\openHAB\userdata\etc\keystore)

All done for the openHAB server

Now for InfluxDB

If you wish to use the same certificates as used for openHAB then skip to 1.3 and replace with . Remember to keep backups of the original files

Step 1: Create and Sign a Server Certificate

1.1: Create a CSR:

openssl req -newkey rsa:2048 -nodes -keyout influx.key -out influx.csr -config openssl-csr.conf

Challenge/Password: influx

1.2: Sign the certificate with the CA certificate

openssl x509 -req -CA MVG_CA.crt -CAkey MVG_CA.key -in influx.csr -out influx.crt -days 365 -CAcreateserial -extensions req_ext -extfile openssl-csr.conf

Check with:

openssl x509 -inform pem -noout -text -in influx.crt

1.3: Install files in correct places

Rename influx.key to mykey.key
Rename influx.crt to mycert.pem

Put in c:\openHAB\influxDB <------ This will be the directory where your influx data etc. live, or wherever you configure in your influxDB setup

1.4: Confirm “C:\Program Files\InfluxData\influxdb\config.yaml” is similar to

reporting-disabled: true
engine-path: C:\openHAB\influxDB\engine
bolt-path: C:\openHAB\influxDB\influxd.bolt

tls-cert: C:\openHAB\influxDB\mycert.pem
tls-key: C:\openHAB\influxDB\mykey.key

Customize the file below to suit your requirements

*** openssl-csr.conf ***

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
# Note: there is no "prompt = no" in this section, so openssl req still prompts for
# each distinguished_name field. The quoted strings below are shown as the prompt
# text, and only the *_default entries are used as default values.
[ req_distinguished_name ]
countryName = "ZA"
countryName_default ="ZA"
stateOrProvinceName = "KwaZulu Natal"
localityName = "Durban"
organizationName = "Your Name"
commonName = "openHAB"
organizationalUnitName = "Your choice"
organizationalUnitName_default = "Your choice"
# These extensions go into the CSR and, via "-extensions req_ext -extfile", into the signed certificate.
[ req_ext ]
subjectAltName = @alt_names
# List every hostname and IP address the server will be reached by; modern browsers
# match against the SAN entries, not the commonName.
[alt_names]
DNS.1 = "openhab"
DNS.2 = "localhost"
IP.1 = "10.163.199.252"
IP.2 = "127.0.0.1"
IP.3 = "10.163.199.247"
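The openHAB certificate procedure above (Steps 1 to 5), carried out non-interactively in a scratch directory and followed by the checks the post does not include: that the server certificate verifies against the CA, that the SAN list was copied into it, and that the .p12 really contains both certificates. This is an added example, not the original post's commands; it assumes openssl is on PATH, adds "prompt = no" to the config so nothing is prompted, and uses the constructed passphrase "capass", CA subject "MVG CA" and a single sample IP.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: runs the CA and server-certificate
# steps above non-interactively in a scratch directory, then checks the result.
# Assumes openssl on PATH; "capass", "openhab" and the CA subject are sample values.
set -eu
build_and_verify() {
  local work; work=$(mktemp -d); cd "$work"
  # Same sections as the post's openssl-csr.conf, with prompt = no so the values are
  # used as the DN instead of shown as prompts, plus a v3_ca section for the CA cert.
  cat > openssl-csr.conf <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
C  = ZA
ST = KwaZulu Natal
L  = Durban
O  = Your Name
CN = openHAB
[ req_ext ]
basicConstraints = CA:FALSE
subjectAltName   = @alt_names
[ alt_names ]
DNS.1 = openhab
DNS.2 = localhost
IP.1  = 127.0.0.1
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
  # Steps 1-2: passphrase-protected CA key and self-signed CA certificate
  openssl genrsa -aes256 -passout pass:capass -out MVG_CA.key 4096 2>/dev/null
  openssl req -x509 -new -key MVG_CA.key -passin pass:capass -sha256 -days 1826 \
    -config openssl-csr.conf -extensions v3_ca -subj "/C=ZA/O=Your Name/CN=MVG CA" -out MVG_CA.crt
  # Step 4: server CSR, then the CA-signed certificate with req_ext (the SAN list) applied
  openssl req -newkey rsa:2048 -nodes -keyout MyopenHAB.key -out MyopenHAB.csr -config openssl-csr.conf 2>/dev/null
  openssl x509 -req -in MyopenHAB.csr -CA MVG_CA.crt -CAkey MVG_CA.key -passin pass:capass -CAcreateserial \
    -days 730 -sha256 -extensions req_ext -extfile openssl-csr.conf -out MyopenHAB.crt 2>/dev/null
  # Step 5: chain file (server cert first, CA second) and the PKCS#12 bundle for the keystore
  cat MyopenHAB.crt MVG_CA.crt > MyopenHABchain.pem
  openssl pkcs12 -export -inkey MyopenHAB.key -in MyopenHABchain.pem -passout pass:openhab -out MyopenHAB.p12
  # Checks: leaf chains to the CA, SAN present, CA flagged as CA, p12 carries both certificates
  openssl verify -CAfile MVG_CA.crt MyopenHAB.crt >/dev/null
  openssl x509 -noout -text -in MyopenHAB.crt | grep -q 'DNS:openhab'
  openssl x509 -noout -text -in MVG_CA.crt | grep -q 'CA:TRUE'
  n=$(openssl pkcs12 -in MyopenHAB.p12 -passin pass:openhab -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE')
  [ "$n" -eq 2 ] && echo verified
}
```

The script stops at the verified .p12; the keytool import of Step 6 is unchanged and can be run against the file it leaves in the scratch directory.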

I hope this is helpful to somebody even though it is Windows Based.