Apache web server or agent certificates


By default, CloudBees CD/RO generates a temporary self-signed certificate during web server installation. This certificate is used whenever a browser makes an HTTPS connection to the Apache server. Because the certificate is self-signed, browsers generate untrusted certificate prompts. To prevent these types of warnings, you must generate a new Apache web server or agent certificate signed by a recognized certificate authority (CA).

Before you perform any of the following procedures, back up the $DATA_DIRECTORY/conf and $DATA_DIRECTORY/apache/conf directories.

Generating a CA request

Use the following procedure to generate a CA request.

  1. Locate the DATA_DIRECTORY directory for your platform. The default directory locations are:

    • Linux: /opt/cloudbees/sda

    • Windows: C:\ProgramData\CloudBees\Software Delivery Automation

  2. Locate the appropriate certificate signing request file generated during installation:

    • Agent: $DATA_DIRECTORY/conf/agent.csr

    • Web Server: $DATA_DIRECTORY/apache/conf/server.csr

  3. (Optional) Update server.csr with custom SSL configuration data.

    • Edit the $DATA_DIRECTORY/apache/conf/serverssl.cnf file to add your custom configuration data.

    • Then, if you are on Linux:

      From <DATA_DIRECTORY>/apache/conf, enter:

      OPENSSL_CONF="<DATA_DIRECTORY>/apache/conf/serverssl.cnf" openssl req -new -key server.key -out server.csr

      For example:

      OPENSSL_CONF="/opt/cloudbees/sda/apache/conf/serverssl.cnf" openssl req -new -key server.key -out server.csr
    • Or, if you are on Windows:

      Set the value of the environment variable OPENSSL_CONF to the full path to the file serverssl.cnf.

      Then, from <DATA_DIRECTORY>/apache/conf, enter:

      set "OPENSSL_CONF=<DATA_DIRECTORY>\apache\conf\serverssl.cnf"

      For example:

      set "OPENSSL_CONF=c:\ProgramData\CloudBees\Software Delivery Automation\apache\conf\serverssl.cnf"

      Finally, generate a certificate signing request by entering:

      openssl req -new -key server.key -out server.csr

Sending the CA request

Send the server.csr (or agent.csr) file to a certificate authority to sign the certificate. The CA verifies the information inside and sends you a signed certificate in response. The signed certificate includes the original certificate and the CA signature.

Installing the signed certificate

Installing a new certificate

To install a signed certificate:

  1. Replace the existing certificate in the DATA_DIRECTORY directory with the new signed certificate you received from the CA. Place the signed certificate file in one of the following locations:

    • Agent: $DATA_DIRECTORY/conf/agent.crt

    • Web Server: $DATA_DIRECTORY/apache/conf/server.crt

  2. Restart the agent and/or Apache services.
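A check worth running on the signed certificate before the restart, given here as an added example that is not part of the CloudBees documentation. It confirms that the certificate carries the same public key as server.key (and server.csr) and is not close to expiry. The function names and the sample subject name are hypothetical, and an unencrypted private key is assumed.

```shell
#!/bin/sh
# Added example (not CloudBees code): pre-install checks for a CA-signed certificate.
# Function names are hypothetical; assumes an unencrypted private key.

# Print the SHA-256 digest of the public key inside a key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|crt FILE
    case "$1" in
        key) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pem=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pem" ] || return 1   # an unreadable file must never compare equal
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed only if CRT holds the same public key as KEY (and CSR, when given)
# and will still be valid MIN_DAYS from now.
check_signed_cert() {  # usage: check_signed_cert CRT KEY [CSR] [MIN_DAYS]
    crt=$1; key=$2; csr=${3:-}; min_days=${4:-30}
    want=$(pubkey_digest key "$key") || { echo "cannot read key: $key" >&2; return 1; }
    got=$(pubkey_digest crt "$crt") || { echo "cannot read certificate: $crt" >&2; return 1; }
    [ "$got" = "$want" ] || { echo "certificate does not match $key" >&2; return 1; }
    if [ -n "$csr" ] && [ "$(pubkey_digest csr "$csr")" != "$want" ]; then
        echo "CSR does not match $key" >&2; return 1
    fi
    openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null ||
        { echo "certificate expires within $min_days days" >&2; return 1; }
}

# Constructed sample: throwaway key, CSR and a self-signed certificate standing
# in for the CA's reply, plus an unrelated key for the mismatch case.
make_sample() {  # usage: make_sample DIR
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=cdro.example.test" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=cdro.example.test" \
        -out "$1/server.csr" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.key" 2>/dev/null
}

# With arguments, check real files; with none, run against the constructed sample.
if [ "$#" -ge 2 ]; then
    check_signed_cert "$@" && echo "OK: certificate matches key and is not near expiry"
else
    tmp=$(mktemp -d) && make_sample "$tmp" &&
        check_signed_cert "$tmp/server.crt" "$tmp/server.key" "$tmp/server.csr" &&
        echo "sample OK"
    rm -rf "$tmp"
fi
```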

Replacing an expired certificate

The $DATA_DIRECTORY/apache/conf/ssl.conf file contains the following relevant lines for the web server certificate and key:

SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key

To replace an expired certificate with a new certificate:

  • Generate a new server key.

  • Generate a CA request.

  • Get the certificate signed by your CA.

  • Replace the above files in the $DATA_DIRECTORY/apache/conf folder.

  • Restart the agent and/or Apache services.

The CloudBees CD/RO web server does not use a keystore.