Self Signed Certificate


Setup

When iDempiere is set up for the first time, it creates a self-signed certificate to use with the HTTPS service in Jetty.

The console-setup-alt.sh command asks the user to provide the following parameters:

  • Key Store Password: defaults to myPassword
  • (CN) Common Name: defaults to the username
  • (OU) Organization Unit: defaults to iDempiereUser
  • (O) Organization: defaults to the user.name
  • (L) Locale/Town: defaults to MyTown
  • (S) State: defaults to empty
  • (C) Country (2 Char): defaults to user.country

The setup-alt.sh command asks the user for the same information through a UI form.

The silent-setup-alt.sh command tries to obtain the information from idempiereEnv.properties and uses defaults for anything it does not find. The relevant keys in the properties file are (in alphabetical order):

  • ADEMPIERE_CERT_CN: the Common Name, defaults to the hostname when not found
  • ADEMPIERE_CERT_COUNTRY
  • ADEMPIERE_CERT_LOCATION
  • ADEMPIERE_CERT_ORG
  • ADEMPIERE_CERT_ORG_UNIT
  • ADEMPIERE_CERT_STATE
  • ADEMPIERE_KEYSTORECODEALIAS: this key defaults to idempiere but is not used
  • ADEMPIERE_KEYSTORE: path to the keystore, defaults to $IDEMPIERE_HOME/jettyhome/etc/keystore
  • ADEMPIERE_KEYSTOREWEBALIAS: the alias of the keystore, defaults to idempiere
  • ADEMPIERE_KEYSTOREPASS: defaults to myPassword. To change it in the properties file the value must be obfuscated; the obfuscated default is OBF\:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm

How to generate a new certificate

By default the certificate is generated with an expiration of 999 days (hardcoded in org.compiere.install.KeyStoreMgt.createCertificate).

If you want to generate a new self-signed certificate, because the old one expired or because you want to change its data, you can simply remove the old keystore file and generate a new one using one of the setup programs explained above.

By default, something like:

 cd $IDEMPIERE_HOME
 rm jettyhome/etc/keystore
 # edit the idempiereEnv.properties to add/change the ADEMPIERE_CERT_* and ADEMPIERE_KEYSTORE* keys
 bash silent-setup-alt.sh

How to obfuscate the ADEMPIERE_KEYSTOREPASS

In order to obtain an obfuscated key to change the ADEMPIERE_KEYSTOREPASS you can use the following program:

 cd $IDEMPIERE_HOME
 java -cp plugins/org.eclipse.jetty.util_*.jar org.eclipse.jetty.util.security.Password dummy PasswordToObfuscate

The first parameter here is a user (not used, can be anything) and the second is the password to obfuscate.

The relevant output looks like this:

OBF:1ox61v8s1v2p1vgv1zer1y7t1vuz1sap1ldw1x1b1ldm1sal1vub1y851zej1vfz1v1p1v9u1oyc

You must write that obfuscated value in the properties file, escaping the colon (:) with a backslash (\), like:

ADEMPIERE_KEYSTOREPASS=OBF\:1ox61v8s1v2p1vgv1zer1y7t1vuz1sap1ldw1x1b1ldm1sal1vub1y851zej1vfz1v1p1v9u1oyc
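
The OBF: value is an encoding, not encryption: it uses no key and can be reversed by anyone who can read the properties file, so the file needs the same protection as the password itself. The following is an added example, not iDempiere or Jetty code: a Python port of the encoding for ASCII passwords, used to check a properties file for the default password. The names keystore_pass_findings and SAMPLE are illustrative, and the sample content is constructed.

```python
# Added example: Python port of Jetty's keyless "OBF:" encoding (ASCII passwords only).
DIGITS = "0123456789abcdefghijklmnopqrstuvwxyz"

def _base36(n):
    out = ""
    while n:
        n, r = divmod(n, 36)
        out = DIGITS[r] + out
    return out.zfill(4)  # each byte becomes one zero-padded 4-character group

def obfuscate(password):
    b = password.encode("ascii")  # assumption: ASCII only, the "U" groups for other bytes are omitted
    groups = []
    for i, b1 in enumerate(b):
        b2 = b[len(b) - 1 - i]  # every byte is mixed with its mirror byte; no key is involved
        groups.append(_base36((127 + b1 + b2) * 256 + (127 + b1 - b2)))
    return "OBF:" + "".join(groups)

def deobfuscate(value):
    body = value[4:] if value.startswith("OBF:") else value
    if "U" in body or len(body) % 4:
        raise ValueError("not an ASCII-only OBF value")
    out = bytearray()
    for i in range(0, len(body), 4):
        hi, lo = divmod(int(body[i:i + 4], 36), 256)
        out.append((hi + lo - 254) // 2)  # hi + lo = 254 + 2 * original byte
    return out.decode("ascii")

def keystore_pass_findings(properties_text):  # audit the ADEMPIERE_KEYSTOREPASS entry
    for line in properties_text.splitlines():
        key, sep, raw = line.strip().partition("=")
        if key.strip() != "ADEMPIERE_KEYSTOREPASS" or not sep:
            continue
        value = raw.strip().replace("\\:", ":")  # undo the properties-file escape
        if not value.startswith("OBF:"):
            return ["value is not obfuscated"]
        findings = ["OBF value is readable by anyone who can read the file"]
        if value == obfuscate("myPassword"):  # setup default stated on this page
            findings.insert(0, "keystore still uses the default password")
        return findings
    return ["ADEMPIERE_KEYSTOREPASS not set, setup uses the default"]

# Constructed sample file content (not taken from a real installation).
SAMPLE = r"""
ADEMPIERE_KEYSTOREPASS=OBF\:1uh41zly1qw01vu11ym71ym71vv91qxq1zlk1ugm
"""

if __name__ == "__main__":
    print(keystore_pass_findings(SAMPLE))
```

Both obfuscated strings shown on this page round-trip through these functions, which is why changing the default password and restricting read access to idempiereEnv.properties and the keystore matter more than the obfuscation step.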

How to replace the self-signed certificate with an SSL certificate

See instructions for this in the page Install SSL Certificate
