Sitecore

Using the PKCS #12 (.pfx) format for Solr SSL Security

Apache Solr is based on the Java technology stack which comes with its own methods for handling certificates, specifically with the JKS (Java Key Store) file type which holds encrypted certificates for use with Java-based applications. You might be vaguely familiar with the JKS file as the installation guide for 9.0+ provided by Sitecore sends you to the following page on the Solr website to enable SSL.
https://lucene.apache.org/solr/guide/6_6/enabling-ssl.html
These are the basic steps per the guide above:

  1. Use keytool to create a self-signed certificate and package it into a .jks file
  2. Convert the resulting .jks file into a PKCS #12 .p12 file to be imported into Windows
  3. Import the .p12 file into the Windows certificate store to be trusted
  4. Update solr.in.cmd to point to the generated .jks file

But wait – Solr can also use PKCS #12 files natively!

This may not seem like a big deal but the PKCS #12 standard is compatible with more platforms than just Java (including Windows!) and can make things a little easier to work with. Why mess with all this JKS stuff? That’s a great question. If we don’t have to deal with creating .jks files, our lives get somewhat easier.

  1. Use PowerShell to generate a self-signed certificate (Windows 10 / Server 2016) in the Trusted Root Certification Authorities store
  2. Export the certificate as a .pfx
  3. Update solr.in.cmd to point to the exported .pfx file
Sitecore - Understanding Development Approaches: A Sitecore Outlook
Understanding Development Approaches: A Sitecore Outlook

Designing, building, and implementing top-notch experiences not only requires a great deal of planning, strategy, and time – it also requires the right digital experience platform (DXP) and the right development approach for your business needs.

Get the Guide

Or if you’re obtaining a certificate from a provider, it’s just:

  1. Import certificate into the Windows Certificate store
  2. Update solr.in.cmd to point to the .pfx file

What’s different?

The only thing that will be different in the solr.in.cmd configuration is that instead of
set SOLR_SSL_KEY_STORE=C:\solr-6.6.2\server\etc\localhost.jks
set SOLR_SSL_KEY_STORE_TYPE=JKS
and
set SOLR_SSL_TRUST_STORE_TYPE=JKS
set SOLR_SSL_KEY_STORE=C:\solr-6.6.2\server\etc\localhost.jks
you would have
set SOLR_SSL_KEY_STORE=C:\solr-6.6.2\server\etc\localhost.pfx
set SOLR_SSL_KEY_STORE_TYPE=PKCS12
and
set SOLR_SSL_KEY_STORE=C:\solr-6.6.2\server\etc\localhost.pfx
set SOLR_SSL_TRUST_STORE_TYPE=PKCS12
Easy, right?

Can someone just do this for me?

You might be thinking, George, this doesn’t make my life any easier. Well, how about I script out steps 1 and 2 above for you in PowerShell? You just have to go update your solr.in.cmd and you’re in business.

# the domain name of your Solr instance
$domainName = "localhost"
# the path of to export your .pfx file
$pfxPath = "C:\solr-6.6.2\server\etc\cert.pfx"
# the secret to assign your exported .pfx file
$pfxPassword = ConvertTo-SecureString -String "secret" -Force -AsPlainText
New-SelfSignedCertificate -DnsName $domainName -CertStoreLocation cert:\LocalMachine\My | % { Move-Item -Path Cert:\LocalMachine\My\$($_.Thumbprint) -Destination Cert:\LocalMachine\Root; Export-PfxCertificate -Cert $_ -FilePath $pfxPath -Password $pfxPassword }
About the Author

More from this Author

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up
Categories