Bring your own SSL certificate

1. Creating the keystore with your own SSL certificate

  • IMPORTANT: you’ll need to store both the fullchain certificate and the certificate’s private key in the keystore.

  • IMPORTANT: you’ll need the openssl command.

    • Checking if your system has openssl
      openssl version

    • Installing on Debian systems like Ubuntu:
      sudo apt install openssl

  • copy both the fullchain public certificate and the certificate’s private key into an empty directory of your choosing

  • cd into the directory

  • create a new keystore from the certificate and its private key

    openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -name '<alias-name>' -out <keystore-file-name>.p12
  • if everything worked without errors, you should now have a .p12 keystore that is ready to be plugged into the existing LHO environment. For this, follow the steps in section 2 of this document.
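The following script is an added example and not part of the LHO documentation. It performs the section 1 export non-interactively, first checking that the private key really belongs to the leaf certificate (the first certificate in fullchain.pem), and then runs the PKCS12 check from the hint in section 2 plus a check that the alias you will later put into SERVER_SSL_KEY-ALIAS is present. File names, alias and passwords are the caller's choice; KEY_PASS is an assumed optional environment variable for a passphrase-protected private key.

```shell
#!/bin/sh
# Added example: build and verify a PKCS12 keystore for LHO with the openssl CLI.
set -eu

# Fail unless the private key belongs to the first (leaf) certificate in the chain.
key_matches_cert() {   # $1=fullchain.pem $2=privkey.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout -passin "pass:${KEY_PASS:-}")
    [ "$cert_pub" = "$key_pub" ]
}

# Export chain + key into a PKCS12 keystore under the given alias.
# $1=fullchain.pem $2=privkey.pem $3=alias $4=out.p12 $5=export (keystore) password
make_keystore() {
    key_matches_cert "$1" "$2" || { echo "private key does not match $1" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -name "$3" -out "$4" \
        -passin "pass:${KEY_PASS:-}" -passout "pass:$5"
    chmod 600 "$4"   # the keystore holds the private key; keep it owner-readable only
}

# Check that the file is a PKCS12 keystore we can open with this password, that it
# carries the alias we will configure, and that it contains a private key, not just certs.
# $1=keystore.p12 $2=alias $3=keystore password
verify_keystore() {
    openssl pkcs12 -info -in "$1" -noout -passin "pass:$3" 2>/dev/null \
        || { echo "$1 is not a readable PKCS12 keystore (wrong password?)" >&2; return 1; }
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$3" 2>/dev/null \
        | grep -q "friendlyName: $2\$" \
        || { echo "alias '$2' not found in $1" >&2; return 1; }
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$3" 2>/dev/null \
        | grep -q "PRIVATE KEY" \
        || { echo "$1 contains no private key" >&2; return 1; }
}

# Usage: sh make-keystore.sh fullchain.pem privkey.pem <alias> <keystore>.p12 '<export-password>'
if [ "$#" -eq 5 ]; then
    make_keystore "$@" && verify_keystore "$4" "$3" "$5" && echo "keystore $4 is ready"
fi
```

The alias and export password printed back by the script are the values you will enter as SERVER_SSL_KEY-ALIAS and SERVER_SSL_KEY-STORE-PASSWORD in section 2.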


2. Using your own keystore

  • IMPORTANT: LHO uses a keystore in PKCS12 format. Before you continue, make sure the keystore you want to use is also in PKCS12 format.
    Hint: you can check that the keystore is in PKCS12 format with the command below. If it is a PKCS12 keystore, you should see a certificate written to your terminal.
    openssl pkcs12 -info -in <your-keystore-file>

  • Start by SSHing into the VM running LHO

  • locate and cd into the directory where the docker-compose.yml for your LHO resides. This is usually the folder that was used during the install process. If you didn’t use a specific folder, it should be directly in the HOME folder.

    • Hint: to locate all docker-compose.yml files on the system:
      sudo find / -name '*docker-compose.yml'

  • besides the docker-compose.yml you should see a keystore directory in which the existing keystore resides, i.e. /.../keystore/bplm.p12

  • to make LHO use your own keystore, copy your keystore next to this bplm.p12 keystore. For this you can use WinSCP (Windows) or scp (macOS).

  • next you’ll want to modify the .env file for LHO so that it uses the new keystore. The lines you’ll be editing or adding are:

    SERVER_SSL_KEY-STORE=/keystore/bplm.p12
    SERVER_SSL_KEY-STORE-PASSWORD=
    SERVER_SSL_KEY-ALIAS=bplm
    SERVER_SSL_KEY-PASSWORD=

    • SERVER_SSL_KEY-STORE is the path to the keystore file in the Docker container’s filesystem. The docker-compose.yml file maps the keystore folder where you found the bplm.p12 to /keystore inside the container. If you’ve copied your keystore next to the bplm.p12 one, change only the filename in this variable, e.g.:
      SERVER_SSL_KEY-STORE=/keystore/<your-file-name>

    • SERVER_SSL_KEY-STORE-PASSWORD is the keystore password. If you’ve created the keystore yourself, this is the export password that was set when running the openssl export command.

    • SERVER_SSL_KEY-ALIAS is the alias name given to the certificate’s key pair. If you’ve created the keystore yourself, this is the alias name that was set with -name when running the openssl export command.

    • SERVER_SSL_KEY-PASSWORD is the password set on the private key. If the private key has no password/passphrase set on it, leave this empty.

  • once you have set all the correct variable values in .env, restart the LHO Docker container:
    docker-compose -f docker-compose.yml up -d

  • if everything went smoothly, you should see that LHO is now using the certificate that was provided in your keystore.