Use the tools provided to create a new self-signed certificate.
Before you begin
You need the password that was specified for the keystore
during installation. If you do not know what it is, look in
<bfinstall>/Apache/tomcat/conf/server.xml. The keystorePass attribute
on the SSL/HTTP connector contains the password.
About this task
This procedure describes how to replace a certificate
that was created automatically during a Build Forge installation.
It creates a certificate with the following properties:
- Keystore: buildForgeKeyStore.p12
- Expiration: 15 years (set as 5475 days)
- Subject DN: CN=hostname, where hostname is the fully
qualified hostname.
Use the openssl and ibmjdk tools to create the certificate.
Both tools are included with the Build Forge software.
Five keystores are needed:
- buildForgeKeyStore.p12 - keystore, container for certificates
and keys
- buildForgeTrustStore.p12 - truststore, container for certificates
and keys
- buildForgeKey.pem - PEM keystore
- buildForgeCert.pem - public certificate
- buildForgeCA.pem - PEM Certificate Authority (CA)
Note: Line breaks are used for clarity in the example commands.
Do not use them in the command. Enter it as one string or use the
line-continuation character (^ for Windows, \ for UNIX or Linux).
Important: The same password is used for all keystores. It is
shown as password in the examples.
Procedure
- Log on to the host where the Build Forge engine is installed.
- Put the tool directories on your PATH:
  - <bfinstall>/openssl
  - <bfinstall>/ibmjdk/bin
- Put the openssl directory on LD_LIBRARY_PATH.
- Create the keystore buildForgeKeyStore.p12,
  the certificate, and the public-private key pair.
  - In a temporary directory, run keytool to create the keystore:
      keytool -genkey -alias buildforge
      -keyalg RSA -keysize 1024 -validity 5475 -dname "CN=hostname"
      -keystore buildForgeKeyStore.p12
      -storepass password
      -storetype pkcs12
  - Copy the keystore file (buildForgeKeyStore.p12)
    to <bfinstall>/keystore. It overwrites the existing file.
  - Export the public certificate. In the directory <bfinstall>/keystore,
    run this command:
      keytool -export -alias buildforge
      -file cert.der -keystore buildForgeKeyStore.p12
      -storepass password
      -storetype pkcs12
- Create the truststore.
  - In a temporary directory, run keytool to import cert.der (the
    certificate exported in the previous step) into the truststore:
      cd /temp
      keytool -import -noprompt -trustcacerts -alias buildforge
      -file cert.der -keystore buildForgeTrustStore.p12
      -storepass password
      -storetype pkcs12
  - Copy the truststore file (buildForgeTrustStore.p12)
    to <bfinstall>/keystore. It overwrites the existing file.
- Put the public client certificate in buildForgeCert.pem. In the directory
  <bfinstall>/keystore, run this command:
      openssl pkcs12 -clcerts -nokeys
      -in buildForgeKeyStore.p12 -passin pass:password
      -out buildForgeCert.pem
- Put the certificate and keys in buildForgeKey.pem. In the directory
  <bfinstall>/keystore, run this command:
      openssl pkcs12
      -in buildForgeKeyStore.p12 -passin pass:password
      -passout pass:password -out buildForgeKey.pem
- Create the PEM Certificate Authority buildForgeCA.pem. It is a copy of
  the public certificate file buildForgeCert.pem. In the directory
  <bfinstall>/keystore, run this command:
      cat buildForgeCert.pem > buildForgeCA.pem
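The procedure above as one script, added here as an example; it is not code from the Build Forge documentation. It differs from the page's commands in one respect: the keystore password is read from server.xml (see Before you begin) and handed to keytool and openssl through an environment variable (keytool -storepass:env, openssl -passin env:) instead of being typed on the command line, where it would be visible in the process list and shell history. The BFINSTALL, BF_STOREPASS and BF_KEYSIZE variable names, the read_keystore_password and make_keystores functions, and the reliance on -storepass:env (the JDK keytool accepts it; if the bundled ibmjdk keytool does not, fall back to the page's literal -storepass form) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the Build Forge documentation: the procedure above as
# one script. Changes from the page's commands: the keystore password comes
# from server.xml and reaches keytool/openssl through the BF_STOREPASS
# environment variable (keytool -storepass:env, openssl -passin env:), so it is
# never typed on a command line; the key size is a variable that defaults to
# the page's 1024 bits. Assumes BFINSTALL is the Build Forge install directory
# and that the keytool on PATH accepts -storepass:env.
set -e

# read_keystore_password SERVER_XML
# Prints the value of the first keystorePass="..." attribute in server.xml,
# which is the password the installer set on the SSL connector.
read_keystore_password() {
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# make_keystores BFINSTALL WORKDIR
# Runs the keytool and openssl steps of the procedure. BF_STOREPASS must be
# exported before calling; the same password is used for every store.
make_keystores() {
    bfinstall=$1
    work=$2
    fqdn=$(hostname -f 2>/dev/null || hostname)

    # tool directories on PATH, openssl libraries on LD_LIBRARY_PATH
    PATH="$bfinstall/openssl:$bfinstall/ibmjdk/bin:$PATH"
    LD_LIBRARY_PATH="$bfinstall/openssl${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export PATH LD_LIBRARY_PATH

    cd "$work"
    # keystore with the self-signed certificate and key pair (5475 days)
    keytool -genkey -alias buildforge -keyalg RSA \
        -keysize "${BF_KEYSIZE:-1024}" -validity 5475 -dname "CN=$fqdn" \
        -keystore buildForgeKeyStore.p12 -storetype pkcs12 \
        -storepass:env BF_STOREPASS -keypass:env BF_STOREPASS
    # public certificate in DER form, then a truststore that trusts it
    keytool -export -alias buildforge -file cert.der \
        -keystore buildForgeKeyStore.p12 -storetype pkcs12 \
        -storepass:env BF_STOREPASS
    keytool -import -noprompt -trustcacerts -alias buildforge -file cert.der \
        -keystore buildForgeTrustStore.p12 -storetype pkcs12 \
        -storepass:env BF_STOREPASS
    # both stores replace the ones the installer created
    cp buildForgeKeyStore.p12 buildForgeTrustStore.p12 "$bfinstall/keystore/"

    cd "$bfinstall/keystore"
    # PEM public certificate (no key), PEM key plus certificate (still
    # password-protected), and the CA file, a copy of the public certificate
    openssl pkcs12 -clcerts -nokeys -in buildForgeKeyStore.p12 \
        -passin env:BF_STOREPASS -out buildForgeCert.pem
    openssl pkcs12 -in buildForgeKeyStore.p12 \
        -passin env:BF_STOREPASS -passout env:BF_STOREPASS -out buildForgeKey.pem
    cat buildForgeCert.pem > buildForgeCA.pem
}

# Usage (hypothetical file name): BFINSTALL=/opt/buildforge sh make-bf-cert.sh run
if [ "${1:-}" = "run" ]; then
    : "${BFINSTALL:?set BFINSTALL to the Build Forge install directory}"
    BF_STOREPASS=$(read_keystore_password "$BFINSTALL/Apache/tomcat/conf/server.xml")
    export BF_STOREPASS
    work=$(mktemp -d)
    make_keystores "$BFINSTALL" "$work"
    rm -rf "$work"
    echo "new self-signed certificate written to $BFINSTALL/keystore"
fi
```

The script runs the steps in the same order as the page except that the DER export happens in the temporary directory before both stores are copied, so cert.der is already where the truststore import expects it.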
What to do next
The buildForgeKey.pem file is a password-protected PEM keystore.
The Apache server prompts for the password during startup. If you
do not want to be prompted for this password during startup, generate
a PEM keystore that is not password-protected for the Apache server's
use.
To remove the password from the private key, run the following command.
Because the resulting buildForgeKeyForApache.pem file contains the
unencrypted private key, make sure it is readable only by the user ID
under which the Build Forge process runs.
    openssl rsa -in buildForgeKey.pem -passin pass:password
    -out buildForgeKeyForApache.pem
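A post-procedure check for the files the steps above leave in <bfinstall>/keystore, and for the passwordless buildForgeKeyForApache.pem described in this section. This is an added example, not code from the Build Forge documentation; the keystore directory is passed as the first argument, and the function names (check_keystore_files, check_apache_key, show_cert_details) are my own. It verifies that the five files exist, that buildForgeCA.pem is the byte-for-byte copy of buildForgeCert.pem that the cat step produces, that no private key has leaked into the public certificate file, that the unencrypted Apache key is readable by its owner only, and, when openssl is on PATH, prints the subject and expiry so you can confirm CN=hostname and the 5475-day validity.

```shell
#!/bin/sh
# Added example, not from the Build Forge documentation: checks to run after
# the procedure, against the <bfinstall>/keystore directory given as $1.
# Assumes POSIX sh, ls, cmp and grep; openssl is optional.

# check_keystore_files DIR
# Returns 0 if the five files from the procedure exist and are non-empty,
# buildForgeCA.pem is identical to buildForgeCert.pem (the procedure creates
# it with cat), and the public certificate file carries no private key.
# Returns 1 otherwise, printing one line per finding.
check_keystore_files() {
    dir=$1
    status=0
    for f in buildForgeKeyStore.p12 buildForgeTrustStore.p12 \
             buildForgeKey.pem buildForgeCert.pem buildForgeCA.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $f"
            status=1
        fi
    done
    if [ -s "$dir/buildForgeCert.pem" ]; then
        # the -clcerts -nokeys export must never include key material
        if grep -q "PRIVATE KEY" "$dir/buildForgeCert.pem"; then
            echo "buildForgeCert.pem contains a private key; it must hold only the certificate"
            status=1
        fi
        if [ -s "$dir/buildForgeCA.pem" ] && \
           ! cmp -s "$dir/buildForgeCert.pem" "$dir/buildForgeCA.pem"; then
            echo "buildForgeCA.pem is not identical to buildForgeCert.pem"
            status=1
        fi
    fi
    return $status
}

# check_apache_key DIR
# The passwordless key for Apache is optional; when present it holds the
# unencrypted private key and must be readable by its owner only.
check_apache_key() {
    key=$1/buildForgeKeyForApache.pem
    [ -e "$key" ] || return 0
    # characters 5-10 of the ls -l mode string are the group and other bits
    bits=$(ls -ld "$key" | cut -c5-10)
    if [ "$bits" != "------" ]; then
        echo "buildForgeKeyForApache.pem is group/world accessible (bits '$bits'); run chmod 600 on it"
        return 1
    fi
    return 0
}

# show_cert_details DIR
# Informational: prints subject and expiry so CN=<fully qualified hostname>
# and the 15-year validity can be confirmed by eye. Needs openssl on PATH.
show_cert_details() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not on PATH, skipping"; return 0; }
    openssl x509 -in "$1/buildForgeCert.pem" -noout -subject -enddate
}

# Usage: sh check-bf-keystore.sh /opt/buildforge/keystore   (hypothetical file name)
if [ -n "${1:-}" ]; then
    rc=0
    check_keystore_files "$1" || rc=1
    check_apache_key "$1" || rc=1
    show_cert_details "$1"
    exit $rc
fi
```

A non-zero exit means at least one finding was printed; the permission check is deliberately stricter than the page's wording because the file contains the unencrypted key.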