Enable SSL without using a keystore password


You want to add a SSL certificate to Jenkins server but you don’t want to:

  1. use a keystore password
  2. have a plain-text keystore password as a start-up parameter
  3. store the plain-text keystore password in jenkins.xml (Windows)



Use Jenkins start-up parameters --httpsPort --httpsCertificate --httpsPrivateKey

  1. (Required) certificate and private key

You’ll need a certificate and private key. If you’ve been given a PFX file you’ll need to extract the certificate and private key from the PFX file.

  • extract private key
    openssl pkcs12 -in your_domain.pfx -nocerts -nodes -out private.key

Enter password when prompted.

  • extract certificate
    openssl pkcs12 -in your_domain.pfx -nokeys -out certificate.crt

Note: a certificate file (here named certificate.crt) can be in many formats, with different file extensions.
The file extension isn’t too important here, however, the format of the certificate and private key we want (for the following step) is to have the certificate and private key in a base64 ASCII format (PKCS #8) and not a binary format. Please refer to alternative documentation for converting binary to ASCII format certificates and private keys.

  1. Convert PKCS #8 private key to PKCS #1 private key

    openssl rsa -in private.key -out private.pk1.key

  2. Use PKCS #1 private key for Jenkins start-up parameter

    --httpsPort=8433 --httpsCertificate=certificate.crt --httpsPrivateKey=private.pk1.key


Have more questions?


Please sign in to leave a comment.