You want to add an SSL certificate to a Jenkins server but you don’t want to:
- use a keystore password
- have a plain-text keystore password as a start-up parameter
- store the plain-text keystore password in jenkins.xml (Windows)
Environment
- CloudBees Jenkins Team (CJT)
- CloudBees Jenkins Platform - Client Master (CJPCM)
- CloudBees Jenkins Platform - Operations Center
- Jenkins LTS
- haproxy [optional]
Use Jenkins start-up parameters
- (Required) certificate and private key
You’ll need a certificate and private key. If you’ve been given a PFX file you’ll need to extract the certificate and private key from the PFX file.
- extract private key
openssl pkcs12 -in your_domain.pfx -nocerts -nodes -out private.key
Enter password when prompted.
- extract certificate
openssl pkcs12 -in your_domain.pfx -nokeys -out certificate.crt
Note: a certificate file (here named certificate.crt) can be in many formats, with different file extensions.
The file extension isn’t too important here. What matters for the following step is the format: the certificate and private key must be in a base64 ASCII format (PEM, with the private key as PKCS #8) and not a binary format. Refer to other documentation for converting binary certificates and private keys to ASCII format.
Convert PKCS #8 private key to PKCS #1 private key
openssl rsa -in private.key -out private.pk1.key
Use PKCS #1 private key for Jenkins start-up parameter
--httpsPort=8433 --httpsCertificate=certificate.crt --httpsPrivateKey=private.pk1.key
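The steps above can be checked end to end before Jenkins is restarted. The script below is an added example, not part of the original article: it runs the same extraction and conversion on a throwaway PFX, confirms that the converted key really is PKCS #1 (on OpenSSL 3.x, `openssl rsa` writes PKCS #8 unless `-traditional` is given) and that the certificate and key belong together. The function names, the CN and the PFX password `constructed` are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. The CN, the PFX password
# "constructed" and the throwaway key pair are constructed test values.

# Report the PEM container of a private key file by its BEGIN line.
key_format() {
  case "$(grep -m1 -e '-----BEGIN' "$1")" in
    '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1 ;;
    '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;
    *)                                       echo unknown ;;
  esac
}

# Convert to PKCS #1. On OpenSSL 3.x "openssl rsa" writes PKCS #8 unless
# -traditional is given; 1.x has no such flag on "rsa", so try the plain form first.
to_pkcs1() {
  openssl rsa -in "$1" -out "$2" 2>/dev/null || return 1
  if [ "$(key_format "$2")" != pkcs1 ]; then
    openssl rsa -traditional -in "$1" -out "$2" 2>/dev/null || return 1
  fi
  [ "$(key_format "$2")" = pkcs1 ]
}

# True when the certificate's public key is the one derived from the private key.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Build a throwaway PFX, run the article's steps on it, print the final key format.
demo() (
  d=$(mktemp -d) || exit 1
  trap 'rm -rf "$d"' EXIT
  umask 077   # -nodes writes the key unencrypted: keep it owner-readable only
  cd "$d" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=jenkins.example.test" \
    -keyout src.key -out src.crt 2>/dev/null &&
  openssl pkcs12 -export -inkey src.key -in src.crt -passout pass:constructed \
    -out your_domain.pfx &&
  openssl pkcs12 -in your_domain.pfx -nocerts -nodes -passin pass:constructed \
    -out private.key 2>/dev/null &&
  openssl pkcs12 -in your_domain.pfx -nokeys -passin pass:constructed \
    -out certificate.crt 2>/dev/null &&
  to_pkcs1 private.key private.pk1.key &&
  cert_matches_key certificate.crt private.pk1.key &&
  key_format private.pk1.key
)

demo
```

For a real PFX, call `to_pkcs1 private.key private.pk1.key` and `cert_matches_key certificate.crt private.pk1.key` on the extracted files; both return non-zero on failure.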