Issue
You want to add a SSL certificate to Jenkins server but you don’t want to:
-
use a keystore password
-
have a plain-text keystore password as a start-up parameter
-
store the plain-text keystore password in jenkins.xml (Windows)
Environment
-
haproxy [optional]
Resolution
This is only applicable to versions before 2.361.* (see Changes since 2.361: Winstone 6.1: at https://www.jenkins.io/changelog-stable/, https://github.com/jenkinsci/jenkins/pull/6801, https://github.com/jenkinsci/winstone/pull/232)
|
Use Jenkins start-up parameters --httpsPort --httpsCertificate --httpsPrivateKey
-
(Required) certificate and private key
You’ll need a certificate and private key. If you’ve been given a PFX file you’ll need to extract the certificate and private key from the PFX file.
-
extract private key
openssl pkcs12 -in your_domain.pfx -nocerts -nodes -out private.key
Enter password when prompted.
-
extract certificate
openssl pkcs12 -in your_domain.pfx -nokeys -out certificate.crt
| a certificate file (here named certificate.crt) can be in many formats, with different file extensions. The file extension isn’t too important here, however, the format of the certificate and private key we want (for the following step) is to have the certificate and private key in a base64 ASCII format (PKCS #8) and not a binary format. Please refer to alternative documentation for converting binary to ASCII format certificates and private keys. |
-
Convert PKCS #8 private key to PKCS #1 private key
openssl rsa -in private.key -out private.pk1.key -
Use PKCS #1 private key for Jenkins start-up parameter
--httpsPort=8433 --httpsCertificate=certificate.crt --httpsPrivateKey=private.pk1.key