Creating a new self-signed certificate

Use the tools provided to create a new self-signed certificate.

Before you begin

You need the password that was specified for the keystore during installation. If you do not know the password, look in <bfinstall>/Apache/tomcat/conf/server.xml. The keystorePass attribute on the SSL/HTTP connector contains the password.

About this task

This procedure describes how to replace a certificate that was created automatically during a Rational® Build Forge® installation. It creates a certificate with the following properties:

To create the certificate, use the openssl and ibmjdk tools. The tools are included with the Rational® Build Forge® software.

Five keystores are needed:

Note: In the example commands, line breaks are used for clarity. Do not use them in the command. Enter it as one string or use the line-continuation character (^ for Windows, \ for UNIX or Linux).
Important: The same password is used for all keystores. It is shown as password in the examples.

Procedure

  1. Log on to the host where the Rational® Build Forge® server is installed.
  2. Add the following tool directories to the PATH:
    • <bfinstall>/openssl
    • <bfinstall>/ibmjdk/bin
  3. Add the openssl directory, for example <bfinstall>/openssl, to LD_LIBRARY_PATH.
  4. Create the keystore buildForgeKeyStore.p12, certificate, and public-private key pair.
    1. In a temporary directory, run the following command to create the keystore:
      keytool -genkey -alias buildforge
      -keyalg RSA -keysize 1024 -validity 5475 -dname "CN=hostname"
      -keystore buildForgeKeyStore.p12
      -storepass password
      -storetype pkcs12 
    2. Copy the keystore file, buildForgeKeyStore.p12, to <bfinstall>/keystore. It overwrites the existing file.
  5. In the <bfinstall>/keystore directory, enter the following command to export the public certificate:
    keytool -export -alias buildforge
    -file cert.der -keystore buildForgeKeyStore.p12
    -storepass password
    -storetype pkcs12
  6. Create the truststore:
    1. From a temporary directory, run the keytool to create the truststore:
      cd /temp
      keytool -import -noprompt -trustcacerts -alias buildforge
      -file cert.der -keystore buildForgeTrustStore.p12
      -storepass password
      -storetype pkcs12
    2. Copy the truststore file buildForgeTrustStore.p12 to <bfinstall>/keystore. It overwrites the existing file.
  7. Put the public client certificate in buildForgeCert.pem. In the directory <bfinstall>/keystore, run this command:
    openssl pkcs12 -clcerts -nokeys
    -in buildForgeKeyStore.p12 -passin pass:password
    -out buildForgeCert.pem
  8. Put the certificate and keys in buildForgeKey.pem. In the directory <bfinstall>/keystore, run this command:
    openssl pkcs12
    -in buildForgeKeyStore.p12 -passin pass:password
    -passout pass:password -out buildForgeKey.pem
  9. In the directory <bfinstall>/keystore, run the following command to create the PEM Certificate Authority, buildForgeCA.pem. The command creates a copy of buildForgeKey.pem.
    • Windows:
      copy buildForgeKey.pem buildForgeCA.pem
    • UNIX and Linux:
      cat buildForgeKey.pem > buildForgeCA.pem 
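Steps 4 to 9 as one script, followed by a check that the exported PEM certificate and PEM key actually belong together; this is an added example, not part of the Build Forge documentation, and it assumes keytool and openssl are on the PATH and that the host name, password and output directory are passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the Build Forge documentation): steps 4 to 9 above as one
# script, plus a post-check of the exported PEM files.
# Assumed: keytool and openssl are on PATH; host, password and output directory
# are supplied by the caller.
set -eu

# Wrapper for the openssl pkcs12 calls of steps 7 and 8. OpenSSL 3 only reads the
# RC2/3DES encryption that keytool versions before JDK 20 use in .p12 files when
# the legacy provider is loaded, so retry with -legacy if the first attempt fails.
bf_pkcs12() {
  openssl pkcs12 "$@" 2>/dev/null || openssl pkcs12 -legacy "$@"
}

# Steps 4 to 9: keystore, DER export, truststore, PEM certificate, PEM key, CA copy.
bf_make_keystores() (
  host=$1; pass=$2; dir=$3
  mkdir -p "$dir"; cd "$dir"
  keytool -genkey -alias buildforge -keyalg RSA -keysize 1024 -validity 5475 \
    -dname "CN=$host" -keystore buildForgeKeyStore.p12 \
    -storepass "$pass" -storetype pkcs12
  keytool -export -alias buildforge -file cert.der \
    -keystore buildForgeKeyStore.p12 -storepass "$pass" -storetype pkcs12
  keytool -import -noprompt -trustcacerts -alias buildforge -file cert.der \
    -keystore buildForgeTrustStore.p12 -storepass "$pass" -storetype pkcs12
  bf_pkcs12 -clcerts -nokeys -in buildForgeKeyStore.p12 \
    -passin "pass:$pass" -out buildForgeCert.pem
  bf_pkcs12 -in buildForgeKeyStore.p12 -passin "pass:$pass" \
    -passout "pass:$pass" -out buildForgeKey.pem
  cat buildForgeKey.pem > buildForgeCA.pem
)

# Post-check: the certificate in buildForgeCert.pem and the private key in
# buildForgeKey.pem must share one RSA modulus; otherwise Apache would present a
# certificate whose key it does not hold. Returns 0 on a match, 1 otherwise.
bf_verify_pem_pair() {
  cert_mod=$(openssl x509 -in "$1" -noout -modulus)
  key_mod=$(openssl rsa -in "$2" -passin "pass:$3" -noout -modulus)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Usage: sh make_certs.sh buildhost.example.com password /tmp/bfkeys
if [ "$#" -eq 3 ]; then
  bf_make_keystores "$1" "$2" "$3"
  bf_verify_pem_pair "$3/buildForgeCert.pem" "$3/buildForgeKey.pem" "$2"
  echo "certificate and key match; copy the .p12 and .pem files to <bfinstall>/keystore"
fi
```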

What to do next

The buildForgeKey.pem is a password-protected PEM keystore. During startup, the Apache server prompts you for the password. If you do not want to be prompted for this password, generate a PEM keystore for the Apache server that is not password-protected.

To remove the password from the private key, enter the command below. Make sure that the buildForgeKeyForApache.pem file is readable by the user ID under which the Build Forge process runs.
openssl rsa -in buildForgeKey.pem -passin pass:password
-out buildForgeKeyForApache.pem
