SageTV Community  

  #1  
Old 06-24-2012, 08:19 PM
KarylFStein KarylFStein is offline
Sage Fanatic
 
Join Date: Apr 2006
Location: Westland, Michigan, USA
Posts: 999
[HOWTO] WHS homeserver.com Certificate in Jetty...and Others

If you use Windows Home Server, you can get a free “homeserver.com” domain and a free SSL certificate for that from GoDaddy. The nice thing about that certificate over a self-signed one is that it doesn’t give a certificate warning when going to whatever service you have locally e.g. web or email service. Yes, you can install your certificate in your trusted store in most cases to get rid of the warnings, but having an “official” certificate is easier. This is especially true if you have something like a password-protected web site for family members to keep up on what the kids are doing and don’t believe in having anyone send passwords in the clear—hmmm, does Placeshifter do that???—and don’t want someone calling in a panic saying the site has been taken over because of this warning…really, it can happen!
Note that the Jetty Wiki has instructions for setting up SSL, but last I checked it was geared toward making a self-signed certificate. The point here is for those who have a certificate issued by an authority like GoDaddy trusted by default by most browsers, but are having troubles remembering how to get that trust relationship into other services.
So, here are some quick notes on how you can export the free GoDaddy certificate in WHS and convert it for use in several things, (e.g. the Jetty web server for SageTV, Apache, postfix, etc.) I don't have to do it much which is why I probably forget the process and have to search the Internet each time. Also, if you reinstall WHS from scratch and not say an image, it negotiates a new certificate so you can’t just use the old files. (Maybe you can—I don’t know if they put the old ones on a revocation list.)
Note that I personally have a “homeserver.com” address as well as a personal “mydomain.org” one. I use the “mydomain.org” one for everything, but it gets translated to the “homeserver.com” one to make use of the GoDaddy-issued certificate.
One challenge is that you have to use the same common name, (i.e. myserver.homeserver.com), for everything or else you’ll get certificate errors. The good news is you can use URL redirection and port redirection so easy-to-remember addresses like "http://tv.mydomain.org/" get rewritten to "https://myserver.homeserver.com:8443/apps" automatically. This is not true for things like IMAP clients which have to use myserver.homeserver.com from the start, (if you run your own mail server anyway).

With port redirection on the firewall, a URL (or e.g. an IMAP email client) can reach a service on a totally different server! For example, I have a webmail service on a Linux machine. I can go to "http://mail.mydomain.org/", (where mail.mydomain.org is a CNAME to myserver.homeserver.com), and have it hit my WHS server. There it gets rewritten to "https://myserver.homeserver.com:9443/mail" and then the firewall redirects port 993 to an Apache server on the Linux machine with no certificate errors. Of course that only applies if you have your own domain name and control over the DNS records! If not you may still use somewhat “easy” URLs like "http://myserver.homeserver.com/tv" to redirect, though.

I. Export the homeserver.com Certificate to a PFX (PKCS12) File

On the WHS server, do the following:
  • Open Server Manager by clicking on the link in the task bar that WHS supplies by default. You may also get there other ways like pressing WINDOWS-R on the keyboard and entering servermanager.msc.
  • On the menu on the left, expand Roles, then Web Server (IIS), and then click on IIS Manager.
  • Expand the server name then Sites, and click on Default Web Site.
  • Click Bindings, scroll down to HTTPS, highlight and click Edit.
  • Select the myserver.homeserver.com certificate from the drop-down and click on the View button.
  • Go to the Details tab and click on Copy to File.
  • Follow the wizard making sure to export the private key, save as PFX, and include all certificates and export extended properties.
  • Enter a password, (you may use 123456 to match the Jetty for SageTV Wiki), and select to save somewhere, (I use D:\ServerFolders\Documents as that’s where I moved that default WHS share), with the name myserver_homeserver_com.pfx.

II. Convert the PFX File

You will need OpenSSL and keytool. OpenSSL binaries for Windows x64 that work with WHS may be found here: http://www.openssl.org/related/binaries.html with prerequisite instructions. The keytool program is part of the Java install, which you should have if you’re running SageTV, (e.g. C:\Program Files (x86)\Java\jreX\bin\keytool.exe where X is probably 6 or 7 today). You may put these in your path, or just type out the full name e.g. C:\OpenSSL-Win64\bin\openssl.

Enter the below to get CRT (same as PEM here) and KEY files, (common for things like Apache), and a keystore file for Jetty.

Code:
openssl pkcs12 -in myserver_homeserver_com.pfx -out myserver_homeserver_com.crt -nokeys
openssl pkcs12 -in myserver_homeserver_com.pfx -out myserver_homeserver_com.key -nocerts -nodes
keytool -importkeystore -srckeystore myserver_homeserver_com.pfx -destkeystore myserver_homeserver_com.keystore -srcstoretype pkcs12 -deststoretype JKS
You’ll be asked for import passwords on each of these steps and that’s the password you used when exporting the PFX file, (e.g. 123456). In the keytool step you’ll also be asked for an export password. This is what you’ll need to put in your Sage.properties file, (use 123456 to match the Jetty for SageTV Wiki).

III. Install in Jetty

Just follow the Wiki: http://trac.assembla.com/sageplugins/wiki/JettyPluginSSL#. Most options are set up through the plug-in configuration screen. However I do have to stop the SageTV service and edit the Sage.properties file to add paths to the keystore as I put all certificates in a centralized WHS location: D:\ServerFolders\Documents\Certificates. Below is (slightly edited) what my Jetty properties look like after updating with the only additions being: jetty/jetty.ssl.keypassword, jetty/jetty.ssl.keystore, jetty/jetty.ssl.password, jetty/jetty.ssl.trustpassword, and jetty/jetty.ssl.truststore.

Code:
jetty/jetty.configfiles="C\:\\Program Files (x86)\\SageTV\\SageTV\\jetty\\etc\\jetty.xml" "C\:\\Program Files (x86)\\SageTV\\SageTV\\jetty\\etc\\jetty-ssl.xml"
jetty/jetty.home=C\:\\Program Files (x86)\\SageTV\\SageTV\\jetty
jetty/jetty.log.level=INFO
jetty/jetty.logs=C\:\\Program Files (x86)\\SageTV\\SageTV\\jetty\\logs
jetty/jetty.port=8080
jetty/jetty.ssl.keypassword=123456
jetty/jetty.ssl.keystore=D\:\\ServerFolders\\Documents\\Certificates\\myserver_homeserver_com.keystore
jetty/jetty.ssl.password=123456
jetty/jetty.ssl.port=8443
jetty/jetty.ssl.trustpassword=123456
jetty/jetty.ssl.truststore=D\:\\ServerFolders\\Documents\\Certificates\\myserver_homeserver_com.keystore
jetty/upnp=Manual Configuration
jetty/upnp.external.http=8080
jetty/upnp.external.https=8443
Home Network: https://karylstein.com/technology.html
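Step II's conversion as a POSIX shell script, an added example that is not from the original post or the Jetty plug-in: it runs the same openssl and keytool commands and then checks that the extracted certificate and key actually belong together and carry the homeserver.com common name. It assumes openssl is on the PATH and skips the JKS step when keytool is absent; the function names and the self-signed stand-in PFX are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: step II's three conversion commands as a
# POSIX shell function, plus checks a practitioner wants before wiring the files into
# Jetty or Apache. Assumes openssl on PATH; the JKS step runs only if keytool exists.

# $1 = PFX exported in step I, $2 = its export password (the post uses 123456).
# Writes .crt, .key and .keystore next to the PFX.
pfx_to_pem_and_jks() {
    pfx="$1"; pass="$2"; base="${pfx%.pfx}"
    openssl pkcs12 -in "$pfx" -out "$base.crt" -nokeys -passin "pass:$pass" || return 1
    openssl pkcs12 -in "$pfx" -out "$base.key" -nocerts -nodes -passin "pass:$pass" || return 1
    chmod 600 "$base.key"   # -nodes leaves the private key unencrypted on disk
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -srckeystore "$pfx" -destkeystore "$base.keystore" \
            -srcstoretype pkcs12 -deststoretype JKS -noprompt \
            -srcstorepass "$pass" -deststorepass "$pass" || return 1
    fi
}

# Succeeds only if the public key in the CRT is the one belonging to the private KEY,
# i.e. both really came out of the same PFX (a mismatch is a common cause of SSL
# startup failures after hand-converting certificates).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Prints the subject CN, which must be the homeserver.com name every service and
# every CNAME pointing at it will present.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Constructed stand-in for the WHS export: a self-signed cert for
# myserver.homeserver.com packed into a PFX with the given password.
make_test_pfx() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=myserver.homeserver.com" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$tmp/key.pem" -in "$tmp/cert.pem" -out "$1" -passout "pass:$2"
}

# Usage: sh convert.sh myserver_homeserver_com.pfx 123456
if [ -n "$1" ] && [ -f "$1" ]; then
    pfx_to_pem_and_jks "$1" "$2" && cert_matches_key "${1%.pfx}.crt" "${1%.pfx}.key" &&
        echo "OK: CN=$(cert_common_name "${1%.pfx}.crt")"
fi
```

The resulting .crt and .key are what Apache or postfix consume, and the .keystore is what the jetty/jetty.ssl.keystore and jetty/jetty.ssl.truststore properties point at.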
  #2  
Old 06-26-2012, 09:30 PM
WellThen WellThen is offline
Sage Advanced User
 
Join Date: Dec 2005
Location: The Great Pagoda of Funn
Posts: 193
Thanks for this. I will probably be setting up WHS v1 again soon (drive issues - don't ask.) I'll try this as part of that setup.
  #3  
Old 06-27-2012, 06:06 AM
BobPhoenix BobPhoenix is offline
SageTVaholic
 
Join Date: Oct 2004
Posts: 3,152
Quote:
Originally Posted by WellThen View Post
Thanks for this. I will probably be setting up WHS v1 again soon (drive issues - don't ask.) I'll try this as part of that setup.
The instructions above look like they are for WHS2011, not v1, at least where they mention "C\:\\Program Files (x86)\\", which is only created on a 64-bit OS. Might work with v1 (32-bit OS), don't know. Just wanted to warn you.
  #4  
Old 06-27-2012, 08:23 AM
KarylFStein KarylFStein is offline
Sage Fanatic
 
Join Date: Apr 2006
Location: Westland, Michigan, USA
Posts: 999
Quote:
Originally Posted by BobPhoenix View Post
The instructions above look like they are for WHS2011, not v1, at least where they mention "C\:\\Program Files (x86)\\", which is only created on a 64-bit OS. Might work with v1 (32-bit OS), don't know. Just wanted to warn you.
Oops, you're right--I didn't say it was WHS2011. The process should be similar on WHSv1, though, except some differences in navigating the server/IIS manager.