Issue

You want to add a SSL certificate to Jenkins server but you don’t want to:

1. use a keystore password
2. have a plain-text keystore password as a start-up parameter
3. store the plain-text keystore password in jenkins.xml (Windows)

Environment

• CloudBees Jenkins Team (CJT)
• CloudBees Jenkins Platform - Client Master (CJPCM)
• CloudBees Jenkins Platform - Operations Center
• Jenkins LTS
• haproxy [optional]

Resolution

Use Jenkins start-up parameters --httpsPort --httpsCertificate --httpsPrivateKey

1. (Required) certificate and private key

You’ll need a certificate and private key. If you’ve been given a PFX file you’ll need to extract the certificate and private key from the PFX file.

• extract private key
  openssl pkcs12 -in your_domain.pfx -nocerts -nodes -out private.key

Enter password when prompted.

• extract certificate
  openssl pkcs12 -in your_domain.pfx -nokeys -out certificate.crt

Note: a certificate file (here named certificate.crt) can be in many formats, with different file extensions.
The file extension isn’t too important here, however, the format of the certificate and private key we want (for the following step) is to have the certificate and private key in a base64 ASCII format (PKCS #8) and not a binary format. Please refer to alternative documentation for converting binary to ASCII format certificates and private keys.

1. Convert PKCS #8 private key to PKCS #1 private key

   openssl rsa -in private.key -out private.pk1.key

2. Use PKCS #1 private key for Jenkins start-up parameter

   --httpsPort=8433 --httpsCertificate=certificate.crt --httpsPrivateKey=private.pk1.key

References

• Running Jenkins with native SSL / HTTPS
• Starting and Accessing Jenkins
• Add support for PKCS #8 private keys
• How to install a new SSL certificate?