SSL with OpenHAB2

I just want to ask you, how can I import my SSL certificate?
There are now a few more XML files:

ls /opt/openhab/runtime/server/configuration/org.eclipse.osgi/149/0/.cp/jettyhome/etc/
jetty-deployer.xml  jetty-https.xml     jetty-selector.xml  jetty-ssl.xml       jetty.xml

On OpenHAB 1.x I did it this way (there was only one file, the jetty.xml, which was saved):

cp /BCKUP/jetty.xml /OpenHAB/etc
openssl pkcs12 -export -inkey /BCKUP/server.key -in /BCKUP/chain.pem -out /tmp/oh.p12
keytool -importkeystore -srckeystore /tmp/oh.p12 -srcstoretype PKCS12 -destkeystore /OpenHAB/etc/keystore

Hi,

You can try to replace the already present certificate in the runtime/etc/keystore file by using the following commands instead of your last one (not tested, you may have to adapt the command lines):

Delete the old certificate:

keytool -delete -alias mykey -keystore /OpenHAB2InstallDir/runtime/etc/keystore

Add your own certificate:

keytool -importkeystore -srckeystore /tmp/oh.p12 -srcstoretype pkcs12 -destkeystore /OpenHAB2InstallDir/runtime/etc/keystore -deststoretype jks -deststorepass openhab -destalias mykey

With this solution, you do not have to manipulate Jetty configuration files (in OpenHAB 2, they are now embedded in a bundle).


Hi all,
After struggling with official TLD certificates on OpenHAB I was able to get a structured approach that will allow you to add an official certificate in minutes instead of hours (even days).
I used the other posts on SSL in OpenHAB as a base but had to combine a bunch of them to be successful.
Anyway, these are the steps using a DigiCert wildcard certificate on an Openhabian installation on Raspberry Pi 3B+. I did also test this methodology on a Ubuntu VM in HyperV in a Linux OpenHAB install. Works like a charm.

Hope this helps. Will post this as a single post as well.

BACKUP your default keystore !!!

cd /var/lib/OpenHABInstallDir/etc/

cp keystore keystore.backup

Passwords are ‘openhab’ or assumed to be.

STOP OpenHAB

sudo systemctl stop OpenHABInstallDir

This example uses a DigiCert wildcard certificate

  1. cat DigiCertCA.crt yourOfficialTLD_cert.crt > yourOfficialTLD_cert_chain.pem
  2. openssl pkcs12 -export -inkey yourOfficialTLD_cert.key -in yourOfficialTLD_cert_chain.pem -out yourOfficialTLD_oh.p12 [Make sure password is openhab]
  3. keytool -keystore /var/lib/OpenHABInstallDir/etc/keystore -list -v [Note alias: should be mykey]
  4. keytool -delete -alias mykey -keystore /var/lib/OpenHABInstallDir/etc/keystore
  5. keytool -keystore /var/lib/OpenHABInstallDir/etc/keystore -list -v
  6. keytool -list -keystore /tmp/cert/yourOfficialTLD_oh.p12 -storetype pkcs12 [Note alias: should be 1]
  7. keytool -importkeystore -srckeystore /tmp/cert/yourOfficialTLD_oh.p12 -srcstoretype PKCS12 -destkeystore /var/lib/OpenHABInstallDir/etc/keystore -deststoretype jks -destalias mykey -srcalias 1

START OpenHAB

sudo systemctl start OpenHABInstallDir

Cheers.
Edward
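
Because step 4 deletes the working `mykey` entry before the new one is imported, it helps to confirm first that the private key, the certificate and the CA file belong together and that the PKCS12 bundle carries the expected certificate. The following is an added example, not part of the original posts. The function names are hypothetical, it needs only `openssl`, and its sample inputs are a constructed throwaway CA and certificate.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks to run before deleting the 'mykey' entry.
# Works only on the files it is given; the real keystore is never touched.

key_matches_cert() {  # KEY CERT -> 0 if both hold the same public key
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

preflight() {  # KEY LEAF_CERT CA_CERT P12_PASSWORD
  key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
  openssl verify -partial_chain -CAfile "$3" "$2" 2>/dev/null | grep -q ': OK$' \
    || { echo "certificate was not issued by the supplied CA"; return 2; }
  tmp=$(mktemp -d) || return 3
  cat "$3" "$2" > "$tmp/chain.pem"                 # same order as step 1
  openssl pkcs12 -export -inkey "$1" -in "$tmp/chain.pem" \
    -out "$tmp/oh.p12" -passout "pass:$4" 2>/dev/null || { rm -rf "$tmp"; return 3; }
  want=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
  got=$(openssl pkcs12 -in "$tmp/oh.p12" -passin "pass:$4" -nokeys -clcerts \
        2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  rm -rf "$tmp"
  [ -n "$want" ] && [ "$want" = "$got" ] || { echo "PKCS12 holds a different leaf"; return 3; }
  echo "ok: $want"
}

make_sample() {  # constructed throwaway CA, leaf and unrelated key in dir $1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=oh.example.test" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
  openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Demo on constructed inputs; pass your own key, certificate and CA file instead.
demo=$(mktemp -d) && make_sample "$demo" \
  && preflight "$demo/leaf.key" "$demo/leaf.crt" "$demo/ca.crt" openhab
```

The fingerprint printed on success can be compared with the one `keytool -list -v` shows for `mykey` after the import in step 7.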

If you stumble here and are still looking for a way to do it in OH2.5, see the little script I posted on this thread: Securing Openhab with free ssl Let's Encrypt Certificates
