After installation, you might want to create a new Apache certificate.
By default, CloudBees Build Acceleration generates a temporary self-signed certificate during installation. This certificate is used whenever a browser makes an HTTPS connection to the Apache server. During CloudBees Build Acceleration installation, Apache is configured to look for a private key file named $HOSTNAME.key and a certificate named $HOSTNAME.crt. These files are in $DATADIR/apache/conf/ssl.key and $DATADIR/apache/conf/ssl.crt respectively. $DATADIR is the directory where CloudBees Build Acceleration data files were installed. On Windows, these files are in C:\ECloud\i686_win32.
Because the certificate is self-signed, browsers complain that it is an untrusted certificate. Most organizations will want to generate a new certificate signed by a recognized certificate authority (CA) to avoid the browser warnings. The following list summarizes the process:
- Generate a new certificate and private key
- Send the request to the CA
- Install the signed certificate
Generating a new certificate and private key
- Locate the openssl binary and openssl.cnf in $DATADIR/64/bin.
- Copy openssl.cnf into a temporary directory.
- Generate a new private key and certificate.
- Enter the appropriate information for your organization when prompted.
  The most important field is the Common Name, which is the fully qualified name of the host running the Apache server where you want the certificate. This name must match the host portion of the URL used to connect to the Cluster Manager.
    $ openssl req -config openssl.cnf -new -out $HOSTNAME.csr
    Loading 'screen' into random state - done
    Generating a 1024 bit RSA private key
    .......++++++
    .......................................................++++++
    writing new private key to 'privkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields, but you can leave some blank.
    For some fields, there will be a default value, if you enter '.', the field will remain blank.
    -----
    Country Name (2 letter code) []: US
    State or Province Name (full name) []: California
    Locality Name (eg, city) []: Sunnyvale
    Organization Name (eg, company) []: CloudBees
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your websites domain name) []: myserver.mycompany.com
    Email Address []:user@mycompany.com

This is the email address the user would contact if there are issues concerning the certificate.

    Please enter the following 'extra' attributes to be sent with your certificate request.
    A challenge password []:

This information generates a new private key in privkey.pem and a signing request in $HOSTNAME.csr.
If you want to use the private key without having to enter a challenge password each time the server starts, issue the following command to strip out the password:
    $ openssl rsa -in privkey.pem -out $HOSTNAME.key
    Enter pass phrase for privkey.pem:
    writing RSA key

This creates a PEM encoded private key file named $HOSTNAME.key without the password.
Sending the request to the CA
The $HOSTNAME.csr file generated in the previous section is a request for a certificate authority to sign the certificate. When you send this file to the CA, the CA verifies the information inside and sends you a signed certificate in response. The signed certificate includes the original certificate and the signature of the CA. Name the signed certificate '$HOSTNAME.crt'.
Installing the key and signed certificate
- Copy the two files, $HOSTNAME.key and $HOSTNAME.crt, into $DATADIR/apache/conf/ssl.key and $DATADIR/apache/conf/ssl.crt.
- Restart the Apache server.
  Ensure the $HOSTNAME.key file is readable only by the user running the Apache server process.
- Delete the contents of the temporary directory you created because this directory contains the cryptographic information used to generate the key.
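
Before restarting Apache, the installed pair can be checked against the requirements above: the key belongs to the certificate, the Common Name matches the host name, and the key file is closed to group and others. The following script is an added example, not part of the product documentation; it assumes openssl is on the PATH, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-restart checks for $HOSTNAME.key and $HOSTNAME.crt.
# Function names are hypothetical; only standard openssl subcommands are used.

# Succeeds if the private key and the certificate carry the same public key.
# "-passin pass:" makes a pass-phrase-protected key fail instead of prompting.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Prints the Common Name from the certificate subject.
cert_common_name() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | tail -n 1
}

# Succeeds if the key file grants no permissions to group or others.
key_private_to_owner() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Runs all three checks; arguments: key file, certificate file, host name.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" ||
        { echo "FAIL: key and certificate do not match" >&2; rc=1; }
    [ "$(cert_common_name "$2")" = "$3" ] ||
        { echo "FAIL: Common Name is not $3" >&2; rc=1; }
    key_private_to_owner "$1" ||
        { echo "FAIL: key is accessible to group or others" >&2; rc=1; }
    return "$rc"
}

# Stand-alone use: sh check_pair.sh KEYFILE CRTFILE HOSTNAME
if [ "$#" -eq 3 ]; then
    check_pair "$@"
fi
```

The permission check covers the mode bits only; confirming that the file owner is the account running Apache is a separate check.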