Enable SSL without using a keystore password

Article ID:360028363651
1 minute readKnowledge base


You want to add a SSL certificate to Jenkins server but you don’t want to:

  1. use a keystore password

  2. have a plain-text keystore password as a start-up parameter

  3. store the plain-text keystore password in jenkins.xml (Windows)


This is only applicable to versions before 2.361.* (see Changes since 2.361: Winstone 6.1: at https://www.jenkins.io/changelog-stable/, https://github.com/jenkinsci/jenkins/pull/6801, https://github.com/jenkinsci/winstone/pull/232)

Use Jenkins start-up parameters --httpsPort --httpsCertificate --httpsPrivateKey

  1. (Required) certificate and private key

You’ll need a certificate and private key. If you’ve been given a PFX file you’ll need to extract the certificate and private key from the PFX file.

  • extract private key openssl pkcs12 -in your_domain.pfx -nocerts -nodes -out private.key

Enter password when prompted.

  • extract certificate openssl pkcs12 -in your_domain.pfx -nokeys -out certificate.crt

a certificate file (here named certificate.crt) can be in many formats, with different file extensions. The file extension isn’t too important here, however, the format of the certificate and private key we want (for the following step) is to have the certificate and private key in a base64 ASCII format (PKCS #8) and not a binary format. Please refer to alternative documentation for converting binary to ASCII format certificates and private keys.
  1. Convert PKCS #8 private key to PKCS #1 private key

    openssl rsa -in private.key -out private.pk1.key

  2. Use PKCS #1 private key for Jenkins start-up parameter

    --httpsPort=8433 --httpsCertificate=certificate.crt --httpsPrivateKey=private.pk1.key