Creating a new self-signed certificate

Use the tools provided to create a new self-signed certificate.

Before you begin

You need the password that was specified for the keystore during installation. If you do not know what it is, look in <bfinstall>/Apache/tomcat/conf/server.xml. The keystorePass attribute on the SSL/HTTP connector contains the password.

About this task

This procedure describes how to replace a certificate that was created automatically during a Build Forge installation. It creates a certificate with the following properties:

Use the openssl and ibmjdk tools to create the certificate. The tools are included with Build Forge software.

Five keystores are needed:

Note: Line breaks are used for clarity in the example commands. Do not use them in the command. Enter it as one string or use the line-continuation character (^ for Windows, \ for UNIX or Linux).
Important: The same password is used for all keystores. It is shown as password in the examples.

Procedure

  1. Log on to the host where the Build Forge engine is installed.
  2. Put the tool directories on your PATH.
    • <bfinstall>/openssl
    • <bfinstall>/ibmjdk/bin
  3. Put the openssl directory on LD_LIBRARY_PATH.
    • <bfinstall>/openssl
  4. Create the keystore buildForgeKeyStore.p12, certificate, and public-private key pair.
    1. In a temporary directory, run keytool to create the keystore:
      keytool -genkey -alias buildforge
      -keyalg RSA -keysize 1024 -validity 5475 -dname "CN=hostname"
      -keystore buildForgeKeyStore.p12
      -storepass password
      -storetype pkcs12
    2. Copy the keystore file (buildForgeKeyStore.p12) to <bfinstall>/keystore. It overwrites the existing file.
  5. Export the public certificate. In the directory <bfinstall>/keystore, run this command:
    keytool -export -alias buildforge
    -file cert.der -keystore buildForgeKeyStore.p12
    -storepass password
    -storetype pkcs12
  6. Create the truststore.
    1. In a temporary directory, run keytool to create the truststore:
      cd /temp
      keytool -import -noprompt -trustcacerts -alias buildforge
      -file cert.der -keystore buildForgeTrustStore.p12
      -storepass password
      -storetype pkcs12
    2. Copy the truststore file (buildForgeTrustStore.p12) to <bfinstall>/keystore. It overwrites the existing file.
  7. Put the public client certificate in buildForgeCert.pem. In the directory <bfinstall>/keystore, run this command:
    openssl pkcs12 -clcerts -nokeys
    -in buildForgeKeyStore.p12 -passin pass:password
    -out buildForgeCert.pem
  8. Put the certificate and keys in buildForgeKey.pem. In the directory <bfinstall>/keystore, run this command:
    openssl pkcs12
    -in buildForgeKeyStore.p12 -passin pass:password
    -passout pass:password -out buildForgeKey.pem
  9. Create the PEM Certificate Authority buildForgeCA.pem. It is a copy of buildForgeKey.pem. In the directory <bfinstall>/keystore, run this command:
    cat buildForgeCert.pem > buildForgeCA.pem

What to do next

The buildForgeKey.pem file is a password-protected PEM keystore. The Apache server prompts for the password during startup. If you do not want to be prompted for this password during startup, generate a PEM keystore that is not password-protected for the Apache server's use.

To remove the password from the private key, run the following command. Because buildForgeKeyForApache.pem then contains the unencrypted private key, make sure the file is readable only by the user ID under which the Build Forge process runs.
openssl rsa -in buildForgeKey.pem -passin pass:password
-out buildForgeKeyForApache.pem
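Before restarting the engine, a consistency check of the files written by steps 7 to 9 and by the optional Apache key step above is worth running. The following script is an added example, not part of this documentation or of Build Forge; it assumes openssl is on PATH, uses the page's own PEM file names, and reads the keystore password from KEYSTORE_PASS (defaulting to the page's literal "password").

```shell
#!/bin/sh
# Added consistency check for the keystore directory (not Build Forge code).
# Verifies the PEM files produced by steps 7-9 and the optional unencrypted
# Apache key: same certificate in buildForgeCert.pem and buildForgeCA.pem,
# private key matching the certificate, certificate not expired, and the
# unencrypted key readable by its owner only.
# Assumptions: openssl on PATH; KEYSTORE_PASS holds the keystore password
# (defaults to the page's literal "password"); file names are the page's own.

# Usage: check_keystore_set <keystore-dir>
# Returns 0 when everything is consistent, 1 at the first problem found.
check_keystore_set() {
    dir="$1"
    pass="${KEYSTORE_PASS:-password}"
    cert="$dir/buildForgeCert.pem"
    key="$dir/buildForgeKey.pem"
    ca="$dir/buildForgeCA.pem"
    apache_key="$dir/buildForgeKeyForApache.pem"
    # 1. The certificate must parse and must not have expired yet.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
        || { echo "certificate missing, unreadable or expired: $cert" >&2; return 1; }
    # 2. Step 9 copies the certificate, so the CA file must be identical.
    cmp -s "$cert" "$ca" \
        || { echo "buildForgeCA.pem differs from buildForgeCert.pem" >&2; return 1; }

    # 3. The public key in the certificate must match the encrypted private key
    #    (openssl rsa skips the CERTIFICATE block that step 8 also writes).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl rsa -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) \
        || { echo "cannot read $key with the keystore password" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key in $key does not match the certificate" >&2; return 1; }

    # 4. Optional unencrypted Apache key: same key material, owner-only mode.
    if [ -f "$apache_key" ]; then
        # Empty -passin prevents an interactive prompt if the key is encrypted.
        apache_pub=$(openssl rsa -in "$apache_key" -passin pass: -pubout 2>/dev/null) \
            || { echo "cannot read $apache_key" >&2; return 1; }
        [ "$cert_pub" = "$apache_pub" ] \
            || { echo "$apache_key does not match the certificate" >&2; return 1; }
        mode=$(stat -c %a "$apache_key" 2>/dev/null || stat -f %Lp "$apache_key")
        case "$mode" in
            ?00) ;;   # 400, 600 or 700: no group or world bits set
            *) echo "$apache_key is readable by others (mode $mode)" >&2; return 1 ;;
        esac
    fi
    return 0
}
```

Run it as `check_keystore_set <bfinstall>/keystore` from a shell that has the tool directories from step 2 on PATH; a non-zero exit names the first file that is inconsistent.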
