Using LetsEncrypt certificates in your JKS
Dealing with certificates in Java is always fun. The keystore Java uses is different from the certificate files you are used to in your web server or node.js.
Salesforce is build on Java, so we have to make peace with the Keystore. This article outlines the steps to use a LetsEncrypt certificate in a keystore. You will need:
- Internet connection
- OpenSSL installed
- Able to run the LetsEncrypt challenge
- Access to your DNS to add a record (for the challenge)
- Java runtime installed
- Public IP address
For this sample I will use the Domain “demo.example.com”
Obtaining a PEM certficate from LetsEncrypt
Easiest is to use the certbot utility on a Linux machine (e.g. spin up an instance on Heroku). DigitalOcean has detailed instructions.
There used to be a tls-sni challenge which was marked insecure, so you want to the DNS challenge.
sudo certbot certonly --manual --preferred-challenges dns -d demo.example.com
Convert PEM to PKCS12 format
First concatenate all PEM files into one. Presuming you used the Letsencrypt mechanism:
sudo cat /etc/letsencrypt/life/demo.example.com/*.pem > fullcert.pem
Then use OpenSSL to convert that into PKCS12 format. Note: if you do that on a Windows command prompt you must run the command prompt as administrator otherwise you just get an error
openssl pkcs12 -export -out fullchain.pkcs12 -in fullchain.pem
Prepare a Java JSK keystore
You can't just create an empty keystore, so create a new temp key and specify a new keystore, then delete that key. That gives you the empty keystore:
keytool -genkey -keyalg RSA -alias sfdcsec -keystore sfdcsec.ks keytool -delete -alias sfdcsec -keystore sfdcsec.ks
Import pkcs12 into JKS
Almost final steps. Don't forget your passwords
keytool -v -importkeystore -srckeystore fullchain.pkcs12 -destkeystore sfdcsec.ks -deststoretype JKS
Adjust alias for Salesforce import
The Salesforce import utility is picky about Alias names. The previous import created the entry
Alias name: 1 which needs to be updated:
keytool -keystore sfdcsec.ks -changealias -alias 1 -destalias demo_example_com
And voilah, you have a properly signed certificate for your Salesforce instance. Downside: to be repeated every 90 days.
As usual YMMV!