The following concepts are needed to fully understand this article.
An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain known as Chained Root Certificates or Chain of Trust.
The client sends a request to the SSL server.
The server responds with the
The client confirms authenticity of the
Intermediate certificateby decrypting the
digital signatureusing the
Root CA public key.
Next the client confirms the authenticity of the
Identity certificateby decrypting the
digital signatureusing the
Intermediates public key.
The client then clarifies that the URL that is being requested by matching the DN (Distinguished Name) within the
Traffic is then encrypted/decrypted by a) the client using the public key b) the server using the private key.
Common filename extensions for X.509 certificates:
.pem— (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "----BEGIN CERTIFICATE----" and "----END CERTIFICATE----"
.der— usually in binary DER form, but Base64-encoded certificates are common too (see
.p7c— PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
.p12— PKCS#12, may contain certificate(s) (public) and private keys (password protected)
.pfx— PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
On the other hand,
.key is a file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. It is
Installing SSL certificate chains in Jetty.
How to publish Jenkins using HTTPS with an intermediate certificate.
The Chained Root Certificates or Chain of Trust is broken.
CloudBees Jenkins Enterprise
CloudBees Operation Center
Jenkins and the embedded Jetty HTTPS
An exiting SSL cert for Jenkins - As example,
$MYJENKINS.pfxbut other formats are also possible.
Identity Certificatefiles also known as Domain Certificate -
Intermediate Certificateshould have the same class as your Domain Certificate -
Any of the certificates (2, 3 and 4) start with "`----BEGIN CERTIFICATE----"`. Please, make sure there is an end-of-line at the end of the file.
Certificates 3 and 4 should be available to download from your SSL Issuer.
1. Extract the private key from your own SSL certificate into a
.key file. By default, it is in
.pem format so it needs to be converted into PKCS#12 because it is the format required by Jetty Winstone container.
openssl pkcs12 -nocerts -in $MYJENKINS.pfx -out $MYJENKINS.key
cat together all the certificates in the chain. Order is important.
cat $IDENTITY.crt $INTERMEDIATE.crt $ROOT.crt > $NAME.chain.txt
3. Combine certificates and private key into a
openssl pkcs12 -export -inkey $MYJENKINS.key -in $NAME.chain.txt -out $NAME.chain.p12
4. Finally, create a keystore containing it all. Make sure the keystore file does not already exist.
keytool -importkeystore -srckeystore $NAME.chain.p12 -srcstoretype PKCS12 -destkeystore $MYJENKINS.keystore
5. Test that the 3 certificates are included into the keystore
keytool -list -v -keystore "/path/to/$MYJENKINS.keystore"
A similar output like this should be displayed on the Terminal:
Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry Alias name: 1 Creation date: Jun 24, 2016 Entry type: PrivateKeyEntry Certificate chain length: 3 Certificate: Owner: CN=*.$YOUR_DOMAIN.com, ... Issuer: CN=$YOUR_ISSUER Secure Certificate Authority ... ... Certificate: Owner: CN=$YOUR_ISSUER Secure Certificate Authority ... Issuer: CN=$YOUR_ISSUER Root Certificate Authority .... ... Certificate: Owner: CN=$YOUR_ISSUER Root Certificate Authority ... Issuer: CN=$YOUR_ISSUER Root Certificate Authority ... ...
If you have set different Jenkins environments (for instance TEST, DEV and PROD), steps from 2 to 5 should be repeated in each of those environments.
$MYJENKINS.keystorefile must then be copied to each of machines to the path specified by
--httpsKeyStore=/path/to/$MYJENKINS.keystoreparameter of the Jenkins Arguments.
--httpsKeyStorePassword=changeitparameter value is defined when creating the keystore file.