@klaernie
Forked from jpmens/holymoly.md
Last active April 17, 2024 17:37
Create openHAB (Jetty) keystore from OpenSSL certificate/key pair

Configure openHAB keystore to use our own TLS server certificates

1. Launch openHAB, and verify that the shipped cert is in effect

$ openssl s_client -connect localhost:8443
[lots of stuff truncated]
-----END CERTIFICATE-----
subject=/C=Unknown/ST=Unknown/L=Unknown/O=openHAB/OU=Unknown/CN=openhab.org
issuer=/C=Unknown/ST=Unknown/L=Unknown/O=openHAB/OU=Unknown/CN=openhab.org
---
No client certificate CA names sent
---
SSL handshake has read 1614 bytes and written 296 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 52B1FD317C19B5067235A4FDF277B0AF5FFDF7AA760A431CC53B8C0C2CC796A7
    Session-ID-ctx:
    Master-Key: 8EEAA5595C7E46BEAFABC4CAE2797A704FD79754BB2BDBF3159CC42427E497C5B58522D7ED166A1A256D1189148EB93E
    Key-Arg   : None
    Start Time: 1387396401
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---

Result: yes: openHAB's default SSL/TLS cert is being used (CN=openhab.org)

2. Create our own TLS certificates. We have

  • ca.crt the CA certificate in PEM format
  • server.crt the Server certificate in PEM format
  • server.key the Server key in PEM format

3. Shut down openHAB

4. Create a PKCS#12 container file with ca.crt, server.crt and server.key

The password we're going to be asked for will encrypt the key and protect the PKCS#12 container. The container we'll destroy in a moment, but the password we make a note of for later.

For simplicity's sake you can use openhab as the password, as choosing another one means you need to hash it and pass the hash to Jetty as jetty.ssl.keypassword.

$ cat server.crt ca.crt > chain.pem

$ openssl pkcs12 -export -inkey server.key -in chain.pem -out /tmp/oh.p12
Enter Export Password:
Verifying - Enter Export Password:

$ rm chain.pem
$ ls -l oh.p12
-rw-r--r--  1 jpm  staff  4061 Dec 18 21:01 oh.p12

5. Import PKCS#12 container into keystore

By importing into a keystore that does not yet exist, we create a new one in a convenient location.

$ keytool -importkeystore -srckeystore /tmp/oh.p12 -srcstoretype PKCS12 -destkeystore /etc/openhab2/keystore
Enter destination keystore password:		<-- "openhab" is default, else you need to set `jetty.ssl.password`
Re-enter new password:
Enter source keystore password:			<-- password from the previous step
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

$ rm /tmp/oh.p12

6. Rename the keystore alias

During the import the alias was automatically named 1, but jetty expects the alias mykey.

First, confirm that the alias is indeed 1:

$ keytool -keystore /etc/openhab2/keystore -list
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

1, Sep 27, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 87:AC:48:B2:2F:7D:DD:D5:C5:F6:D5:57:FD:DB:FC:69:49:E4:D2:29

Now change it:

$ keytool -changealias -keystore /etc/openhab2/keystore -alias 1 -destalias mykey
Enter keystore password:

And verify:

$ keytool -keystore /etc/openhab2/keystore -list
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mykey, Sep 27, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): 87:AC:48:B2:2F:7D:DD:D5:C5:F6:D5:57:FD:DB:FC:69:49:E4:D2:29

7. Tell openHAB about the keystore

Edit /etc/default/openhab2 and change EXTRA_JAVA_OPTS so that -Djetty.keystore.path=/etc/openhab2/keystore is included.

Example:

EXTRA_JAVA_OPTS="-Djetty.keystore.path=/etc/openhab2/keystore"

If you did not choose openhab as your keystore password, you can override jetty.ssl.password and jetty.ssl.keypassword the same way (note that the values of these two variables need to be hashed, see below).

8. Launch openHAB

Check the console and make sure no errors about the keystore having been "tampered with" appear.

9. Connect to openHAB and verify it's using our server certificates

$ openssl s_client -connect localhost:8443
[...]
-----END CERTIFICATE-----
subject=/CN=tiggr.ww.mens.de/O=MQTTitude.org/emailAddress=nobody@example.net
issuer=/CN=An MQTT broker/O=MQTTitude.org/emailAddress=nobody@example.net
---
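Steps 2 to 6 and the step 9 check, scripted end to end. This is an added example, not code from the gist or from the openHAB project: it builds a constructed throw-away CA and server certificate in place of your real ca.crt, server.crt and server.key, verifies that the key actually belongs to the certificate and that the certificate chains to the CA (two checks that are easy to skip and cause silent handshake failures later), and then builds the PKCS#12 container and the keystore non-interactively. The `-name mykey` option on `openssl pkcs12 -export` sets the PKCS#12 friendlyName, which keytool adopts as the alias, so the separate `-changealias` run from step 6 is not needed. The function and path names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the original gist). The CA and server certificate
# created here are CONSTRUCTED test material; substitute your own files in practice.
set -eu

# Constructed test PKI: a self-signed CA and one server certificate issued by it.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=openhab.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 2 -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 only when the public key inside server.crt equals the one derived from server.key.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$1/server.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Step 4, non-interactively: verify the chain, then export key + leaf + CA into a PKCS#12 file.
make_p12() {
    dir=$1; pw=$2
    check_key_matches_cert "$dir" || { echo "server.key does not match server.crt" >&2; return 1; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
    cat "$dir/server.crt" "$dir/ca.crt" > "$dir/chain.pem"   # leaf first, then its issuer
    openssl pkcs12 -export -name mykey -inkey "$dir/server.key" -in "$dir/chain.pem" \
        -out "$dir/oh.p12" -passout "pass:$pw"
    rm -f "$dir/chain.pem"
}

# Number of certificates stored in the PKCS#12 container (expect 2: server + CA).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Steps 5 and 6: import into a fresh JKS keystore (the type shown in the gist's keytool -list
# output) and confirm the entry is already called mykey. Skipped when no JDK is installed.
import_p12() {
    dir=$1; p12pw=$2; storepw=$3
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; $dir/oh.p12 left in place for a manual import" >&2
        return 0
    fi
    keytool -importkeystore -noprompt -srckeystore "$dir/oh.p12" -srcstoretype PKCS12 \
        -srcstorepass "$p12pw" -destkeystore "$dir/keystore" -deststoretype JKS \
        -deststorepass "$storepw" >/dev/null 2>&1
    rm -f "$dir/oh.p12"   # the container was only a vehicle for the import
    keytool -list -keystore "$dir/keystore" -storepass "$storepw" | grep -q '^mykey,'
}

# Step 9 check against a live server: the certificate presented on host:port must have the
# same SHA-256 fingerprint as the file we installed.  Usage: served_matches_file localhost:8443 server.crt
served_matches_file() {
    served=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)
    on_disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256)
    [ -n "$served" ] && [ "$served" = "$on_disk" ]
}

# Stand-alone run: build everything in a throw-away directory.
work=$(mktemp -d)
make_test_pki "$work"
make_p12 "$work" openhab
echo "certificates in $work/oh.p12: $(p12_cert_count "$work/oh.p12" openhab)"
import_p12 "$work" openhab openhab
```

If the keytool import fails with a newer OpenSSL (3.x) and an older JDK, the cause is usually the new default PKCS#12 encryption; adding `-legacy` to the `openssl pkcs12 -export` command produces a container the old keytool can read.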

Creating password hashes for Jetty

First you may need to locate the jetty-util*.jar file:

$ find /usr/share/openhab2/runtime/ -name jetty-util\*.jar
/usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util-ajax/9.2.19.v20160908/jetty-util-ajax-9.2.19.v20160908.jar
/usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util/9.2.19.v20160908/jetty-util-9.2.19.v20160908.jar

The latter file is the one we need.

Then you can use it to generate the password hashes:

$ java -cp /usr/share/openhab2/runtime/system/org/eclipse/jetty/jetty-util/9.2.19.v20160908/jetty-util-9.2.19.v20160908.jar org.eclipse.jetty.util.security.Password 'openhab'
2017-09-27 21:48:37.948:INFO::main: Logging initialized @124ms
openhab
OBF:1uh81uha1toc1wn31toi1ugg1ugi
MD5:87f64d5c0cc348bf47cd17c911f4396f
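The OBF: line above is worth understanding before relying on it: it is Jetty's reversible obfuscation, not a hash, so it only keeps the password out of casual view in a config file, and anyone who can read the file can recover it. The following is an added example, not code from the gist or from Jetty: a portable awk re-implementation of the scheme used by org.eclipse.jetty.util.security.Password together with its inverse, reproducing the OBF value printed above for openhab. It assumes the password bytes are ASCII; bytes at or above 0x80 are encoded the way Jetty does (the "U" groups) and decoded back to raw bytes.

```shell
#!/bin/sh
# Added example (not Jetty's code): Jetty-compatible OBF: encoding and decoding in awk.

# For byte i of the password (b1) and its mirror byte from the end (b2), Jetty emits
# base-36( (127+b1+b2)*256 + (127+b1-b2) ), zero-padded to 4 characters.
jetty_obf() {
    printf '%s' "$1" | LC_ALL=C awk '
    BEGIN {
        d = "0123456789abcdefghijklmnopqrstuvwxyz"
        for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i
    }
    function to36(n,    s) {
        s = ""
        while (n > 0) { s = substr(d, n % 36 + 1, 1) s; n = int(n / 36) }
        return s
    }
    function pad(s, w) {
        while (length(s) < w) s = "0" s
        return s
    }
    {
        out = "OBF:"; n = length($0)
        for (i = 1; i <= n; i++) {
            b1 = ord[substr($0, i, 1)]; b2 = ord[substr($0, n - i + 1, 1)]
            if (b1 > 127 || b2 > 127)          # non-ASCII byte pair: Jetty writes a "U" group
                out = out "U" pad(to36(b1 * 256 + b2), 4)
            else
                out = out pad(to36((127 + b1 + b2) * 256 + (127 + b1 - b2)), 4)
        }
        print out
    }'
}

# The inverse: each 4-character group (5 when it starts with "U") yields one byte back.
# b1 follows from the two halves of the number: (i1 + i2 - 254) / 2.
jetty_deobf() {
    printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { d = "0123456789abcdefghijklmnopqrstuvwxyz" }
    function from36(s,    i, n) {
        n = 0
        for (i = 1; i <= length(s); i++) n = n * 36 + index(d, substr(s, i, 1)) - 1
        return n
    }
    {
        s = $0; sub(/^OBF:/, "", s); out = ""; i = 1
        while (i <= length(s)) {
            if (substr(s, i, 1) == "U") {
                v = from36(substr(s, i + 1, 4)); b = int(v / 256); i += 5
            } else {
                v = from36(substr(s, i, 4))
                b = int((int(v / 256) + v % 256 - 254) / 2); i += 4
            }
            out = out sprintf("%c", b)
        }
        print out
    }'
}

# Stand-alone run: reproduce the gist's value and show that it decodes straight back.
obf=$(jetty_obf openhab)
echo "$obf"            # OBF:1uh81uha1toc1wn31toi1ugg1ugi
jetty_deobf "$obf"     # openhab
```

Because the keystore password has to be handed to the JVM in clear to open the keystore, the protection you get from OBF: is limited to file permissions on /etc/default/openhab2; keep that file readable only by root and the openhab user.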