Use the tools provided to create a new self-signed certificate.
Before you begin
You need the password that was specified for the keystore during installation. If you do not know the password, look in bfinstall/Apache/tomcat/conf/server.xml. The keystorePass attribute on the SSL/HTTP connector contains the password.
About this task
This procedure describes how to replace a certificate that was created automatically during a Rational® Build Forge® installation. It creates a certificate with the following properties:
- Keystore: buildForgeKeyStore.p12
- Expiration: 15 years (set as 5475 days)
- Subject DN: CN=hostname, where hostname is the fully qualified host name.
To create the certificate, use the openssl and ibmjdk tools. The tools are included with the Rational® Build Forge® software.
Five keystores are needed:
- buildForgeKeyStore.p12 - keystore, container for certificates and keys
- buildForgeTrustStore.p12 - truststore, container for certificates and keys
- buildForgeKey.pem - PEM keystore
- buildForgeCert.pem - public certificate
- buildForgeCA.pem - PEM Certificate Authority (CA)
Note: In the example commands, line breaks are used for clarity.
Do not use them in the command. Enter it as one string or use the
line-continuation character (^ for Windows, \ for UNIX or Linux).
Important: The same password is used for all keystores. It is
shown as password in the examples.
Procedure
- Log on to the host where the Rational® Build Forge® server is installed.
- Add the tool directories to the file path as listed below:
- <bfinstall>/openssl
- <bfinstall>/ibmjdk/bin
- Add the openssl directory to the LD_LIBRARY_PATH file path. For example, <bfinstall>/openssl.
- Create the keystore buildForgeKeyStore.p12, certificate, and public-private key pair.
- In a temporary directory, use the following command to create the keystore:
keytool -genkey -alias buildforge
-keyalg RSA -keysize 1024 -validity 5475 -dname "CN=hostname"
-keystore buildForgeKeyStore.p12
-storepass password
-storetype pkcs12
- Copy the keystore file, buildForgeKeyStore.p12, to <bfinstall>/keystore. It overwrites the existing file.
- In the <bfinstall>/keystore directory, enter the following command to export the public certificate:
keytool -export -alias buildforge
-file cert.der -keystore buildForgeKeyStore.p12
-storepass password
-storetype pkcs12
- Create the truststore:
- From a temporary directory, run the keytool to create the truststore:
cd /temp
keytool -import -noprompt -trustcacerts -alias buildforge
-file cert.der -keystore buildForgeTrustStore.p12
-storepass password
-storetype pkcs12
- Copy the truststore file buildForgeTrustStore.p12 to <bfinstall>/keystore. It overwrites the existing file.
- Put the public client certificate in buildForgeCert.pem. In the directory <bfinstall>/keystore, run this command:
openssl pkcs12 -clcerts -nokeys
-in buildForgeKeyStore.p12 -passin pass:password
-out buildForgeCert.pem
- Put the certificate and keys in buildForgeKey.pem. In the directory <bfinstall>/keystore, run this command:
openssl pkcs12
-in buildForgeKeyStore.p12 -passin pass:password
-passout pass:password -out buildForgeKey.pem
- In the directory <bfinstall>/keystore, run the following command to create the PEM Certificate Authority, buildForgeCA.pem. The command creates a copy of buildForgeKey.pem.
What to do next
The buildForgeKey.pem file is a password-protected PEM keystore. During startup, the Apache server prompts you for the password. If you do not want to be prompted for this password, generate a PEM keystore for the Apache server that is not password-protected.
To remove the password from the private key, enter the command below. Because buildForgeKeyForApache.pem then holds the private key unencrypted, make sure that the file is readable only by the user ID under which the Build Forge process runs.
openssl rsa -in buildForgeKey.pem -passin pass:password
-out buildForgeKeyForApache.pem
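The following script is an added example and is not part of the Build Forge documentation or product. bf_check_keystore verifies the files that the procedure above leaves in the keystore directory (keystore and buildForgeCert.pem agree, the key in buildForgeKey.pem belongs to that certificate, the subject CN is the host name, the certificate is not about to expire, and the unencrypted Apache key is owner-readable only); bf_make_fixture builds a constructed stand-in for those files with openssl alone so the checks can be tried without a Build Forge installation. It assumes openssl is on the PATH and that the directory, password and host name are passed as arguments.

```shell
#!/bin/sh
# Added example (not Build Forge code). Assumes openssl on PATH.
# Usage: bf_check_keystore <keystore-dir> <password> <fully-qualified-hostname>
bf_check_keystore() {
  dir=$1; pass=$2; host=$3
  ks="$dir/buildForgeKeyStore.p12"; cert="$dir/buildForgeCert.pem"
  [ -f "$ks" ] && [ -f "$cert" ] || { echo "missing keystore or certificate"; return 1; }
  # 1. buildForgeCert.pem must be the certificate stored in the keystore
  ks_fp=$(openssl pkcs12 -in "$ks" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null |
          openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  pem_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256)
  [ -n "$ks_fp" ] && [ "$ks_fp" = "$pem_fp" ] || { echo "certificate mismatch or bad password"; return 1; }
  # 2. The private key in buildForgeKey.pem must belong to that certificate
  key_pub=$(openssl pkey -in "$dir/buildForgeKey.pem" -passin "pass:$pass" -pubout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] || { echo "key does not match certificate"; return 1; }
  # 3. Subject CN must be the fully qualified host name clients connect to
  case "$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253)" in
    *"CN=$host"*) ;; *) echo "subject CN is not $host"; return 1 ;;
  esac
  # 4. Certificate must remain valid for at least another 30 days
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null ||
    { echo "certificate expired or about to expire"; return 1; }
  # 5. The unencrypted Apache key, if present, must be readable by its owner only
  ak="$dir/buildForgeKeyForApache.pem"
  if [ -f "$ak" ]; then
    mode=$(stat -c %a "$ak" 2>/dev/null || stat -f %Lp "$ak")
    case "$mode" in 600|400) ;; *) echo "$ak is group/world readable (mode $mode)"; return 1 ;; esac
  fi
  echo "keystore checks passed"
}

# Constructed fixture: stand-in for the keytool steps, built with openssl only
# (uses a 2048-bit key rather than the 1024-bit key in the procedure).
bf_make_fixture() {
  dir=$1; pass=$2; host=$3
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 5475 -subj "/CN=$host" \
    -keyout "$dir/key.pem" -out "$dir/buildForgeCert.pem" 2>/dev/null
  openssl pkcs12 -export -name buildforge -inkey "$dir/key.pem" -in "$dir/buildForgeCert.pem" \
    -passout "pass:$pass" -out "$dir/buildForgeKeyStore.p12"
  openssl pkcs12 -in "$dir/buildForgeKeyStore.p12" -passin "pass:$pass" \
    -passout "pass:$pass" -out "$dir/buildForgeKey.pem" 2>/dev/null
  openssl rsa -in "$dir/key.pem" -out "$dir/buildForgeKeyForApache.pem" 2>/dev/null
  chmod 600 "$dir/buildForgeKeyForApache.pem"
}
```

Run bf_check_keystore against <bfinstall>/keystore with the real keystore password after finishing the procedure; any failing check prints the reason and returns a non-zero status.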