Problem
This article describes how to replace the server certificate if it fails the security scan.
Description
There are three relevant configuration entries in the server/conf/commander.properties file:
COMMANDER_HTTPS_PORT=8443
COMMANDER_KEYSTORE=conf/keystore
COMMANDER_KEYSTORE_PASSWORD=abcdef
- COMMANDER_HTTPS_PORT configures the SSL port.
- COMMANDER_KEYSTORE is the location of the java keystore where the Commander HTTP server finds its host certificate
- COMMANDER_KEYSTORE_PASSWORD is the password to the keystore
Solution
Follow these steps to generate and inject a self-signed certificate for 1 year.
1) Back up the keystore file.
2) Delete the original key.
atumarkin@ATUMARKIN /cygdrive/c/ProgramData/Electric Cloud/ElectricCommander/conf
$ "c:/Program Files/Electric Cloud/ElectricCommander/jre/bin/keytool" -delete -alias jetty -keystore keystore -keypass passkey
Enter keystore password: abcdef
3) Generate and inject a new certificate.
atumarkin@ATUMARKIN /cygdrive/c/ProgramData/Electric Cloud/ElectricCommander/conf
$ "c:/Program Files/Electric Cloud/ElectricCommander/jre/bin/keytool" -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg MD5withRSA -validity 365
Enter keystore password: abcdef
What is your first and last name?
[Unknown]: localhost
What is the name of your organizational unit?
[Unknown]: <Enter>
What is the name of your organization?
[Unknown]: <Enter>
What is the name of your City or Locality?
[Unknown]: <Enter>
What is the name of your State or Province?
[Unknown]: <Enter>
What is the two-letter country code for this unit?
[Unknown]: <Enter>
Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct
?
[no]: yes
Enter key password for <jetty>
(RETURN if same as keystore password): <Enter>
4) Restart the server.
Your new certificate will look something like this:
atumarkin@ATUMARKIN /cygdrive/c/ProgramData/Electric Cloud/ElectricCommander/conf
$ "c:/Program Files/Electric Cloud/ElectricCommander/jre/bin/keytool" -list -v -keystore keystore -keypass passkey
Enter keystore password: abcdef
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: jetty
Creation date: Jan 31, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Serial number: 4f28603f
Valid from: Tue Jan 31 13:42:23 PST 2012 until: Wed Jan 30 13:42:23 PST 2013
Certificate fingerprints:
MD5: 38:50:CD:29:8C:16:3A:78:29:0F:45:56:E0:CA:42:D9
SHA1: 9B:A3:E4:EA:A7:C0:3A:ED:BF:63:24:18:F0:08:78:22:59:85:BC:8A
Signature algorithm name: MD5withRSA
Version: 3
*******************************************
*******************************************
References
- Background on configuring a java keystore: http://docs.codehaus.org/display/JETTY/How+to+configure+SSL
- Discusses how to generate and import a key into the keystore (self-signed)
- Background on the java keytool and keystore: http://java.sun.com/j2se/1.5.0/docs/tooldocs/windows/keytool.html
- More information on how to generate a keyrequest, sign it with an external PKI, etc.
Comments