SSL Certificate Help

Hello,

New to Jitsi here.

We have Jitsi running on an Ubuntu VM. It's installed and everything is working, but we need to change out the SSL certificate. I've already created a certificate pointing to our internal CA - but with my limited knowledge of Jitsi (and Ubuntu), I'm having trouble figuring out the proper way to have Jitsi use this new .crt and .key file.

Does anyone have experience with this and could give me some step-by-step on how to install and use a new cert?

Thanks,
Mike

What is the webserver used?

If you didn’t have apache or nginx before installing jitsi-meet, you are running the jetty that is inside the jvb and you need to update/create a jks storage with your new certificates. This is done with the self-signed certs in the default installation. Here are the two commands that do that: https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet-web-config.postinst#L161

If you are using nginx or apache it is just changing a path in their config file for the virtual host created for jitsi-meet.

Hi @damencho.

I also want to install my own certificate (Wildcard, not self generated) but it is still not clear to me how to do this.

You say we would have to run the commands:

openssl pkcs12 -export \
    -in $CERT_CRT -inkey $CERT_KEY -passout pass:changeit > $CERT_P12
keytool -importkeystore -destkeystore $CERT_JKS \
    -srckeystore $CERT_P12 -srcstoretype pkcs12 \
    -noprompt -storepass changeit -srcstorepass changeit

If I understand correctly, the variables:

$CERT_CRT = my.certificate.com.crt
$CERT_KEY = my.certificate.com.key

But what is the extension I have to assign to:

$CERT_P12

*.p12 or *.pfx

Also, what is:

$CERT_JKS

And what if I already have the *.pfx file?

Do I then only have to run:

keytool -importkeystore -destkeystore $CERT_JKS \
    -srckeystore $CERT_P12 -srcstoretype pkcs12 \
    -noprompt -storepass changeit -srcstorepass changeit

The jks file is the key store file that jvb’s jetty is configured to use. I suppose it will work with pfx, try. The first command is to produce this p12 file from crt and key files.

The one in /etc/jitsi/videobridge/

I will try it. Thanks

Sorry, but where do I get the -storepass and -srcstorepass from?

Because in /etc/jitsi/videobridge/sip-communicator.properties I set:

org.jitsi.videobridge.rest.jetty.sslContextFactory.keyStorePassword=MYPASSWORD

and when I run:

keytool -importkeystore -destkeystore /etc/jitsi/videobridge/my.domain.com.jks \
    -srckeystore wildcard.certificate.pfx -srcstoretype pkcs12 \
    -noprompt -storepass MYPASSWORD -srcstorepass MYPASSWORD

I get:

Keytool-Fehler: java.io.IOException: Keystore was tampered with, or password was incorrect

Solved:

-srcstorepass  = pfx file password
-storepass = Password set in /etc/jitsi/videobridge/sip-communicator.properties
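
The password mix-up resolved above can be caught before keytool runs. The script below is an added example, not part of the thread or of the Jitsi packaging scripts: it checks that the source password really opens the .pfx, reads the destination password from sip-communicator.properties, and passes both through the environment instead of the command line. The function names are hypothetical, the key is assumed to be unencrypted, and the certificate/key match check goes slightly beyond what the thread covers.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# file paths and passwords are supplied by the caller.

PROP_KEY='org.jitsi.videobridge.rest.jetty.sslContextFactory.keyStorePassword'

# check_pfx_password PFX PASSWORD -> 0 if PASSWORD opens the PKCS#12 file.
# The password travels in the environment, not in the process arguments.
check_pfx_password() {
    PFX_PASS="$2" openssl pkcs12 -in "$1" -noout -passin env:PFX_PASS \
        >/dev/null 2>&1
}

# cert_matches_key CRT KEY -> 0 if the certificate carries that key's public key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# jetty_store_password PROPS -> prints the keystore password jetty is set to use.
jetty_store_password() {
    awk -F= -v k="$PROP_KEY" '$1 == k { sub(/^[^=]*=/, ""); v = $0 } END { print v }' "$1"
}

# import_pfx PFX PFX_PASSWORD JKS PROPS
import_pfx() {
    check_pfx_password "$1" "$2" || { echo "wrong password for $1" >&2; return 2; }
    store_pass=$(jetty_store_password "$4")
    [ -n "$store_pass" ] || { echo "no keyStorePassword in $4" >&2; return 3; }
    # -srcstorepass is the pfx password, -storepass the one jetty expects.
    SRC_PASS="$2" DST_PASS="$store_pass" keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env SRC_PASS \
        -destkeystore "$3" -storepass:env DST_PASS \
        || return 4
    DST_PASS="$store_pass" keytool -list -keystore "$3" -storepass:env DST_PASS
}

# Usage: PFX_PASSWORD=... sh import.sh PFX JKS PROPS
if [ "$#" -eq 3 ]; then
    import_pfx "$1" "${PFX_PASSWORD:-}" "$2" "$3"
fi
```

If the destination .jks already exists and was created with a different password, keytool still fails at the import step (return code 4) with the same "Keystore was tampered with" message.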