Apache Web Server or Agent Certificates

By default, CloudBees Flow generates a temporary self-signed certificate during web server installation. This certificate is used whenever a browser makes an HTTPS connection to the Apache server. Because the certificate is self-signed, browsers will generate untrusted certificate prompts. To prevent these types of warnings, you must generate a new Apache web server or agent certificate signed by a recognized certificate authority (CA).

Before performing any of the following procedures, back up the $DATA_DIRECTORY/conf and $DATA_DIRECTORY/apache/conf directories.

Generating a CA Request

Use the following procedure to generate a CA request.

  1. Locate the DATA_DIRECTORY directory for your platform. The default directory locations are:

    • Linux – /opt/Electric Cloud/ElectricCommander

    • Windows 2008 or Windows 7 – C:\ProgramData\Electric Cloud\ElectricCommander

  2. Locate the appropriate certificate signing request file generated during installation:

    • Agent – $DATA_DIRECTORY/conf/agent.csr

    • Web Server – $DATA_DIRECTORY/apache/conf/server.csr

  3. (Optional) Update server.csr with custom SSL configuration data.

    • Edit the file $DATA_DIRECTORY/apache/conf/serverssl.cnf to add your custom configuration data.

    • Then, if you are on Linux:

      From <DATA_DIRECTORY>/apache/conf, enter:

      OPENSSL_CONF="<DATA_DIRECTORY>/apache/conf/serverssl.cnf" openssl req -new -key server.key -out server.csr

      For example:

      OPENSSL_CONF="/opt/electriccloud/electriccommander/apache/conf/serverssl.cnf" openssl req -new -key server.key -out server.csr

    • Or, if you are on Windows:

      Set the value of the environment variable OPENSSL_CONF to the full path to the file serverssl.cnf.

      Then, from <DATA_DIRECTORY>/apache/conf, enter:

      set "OPENSSL_CONF=<DATA_DIRECTORY>\apache\conf\serverssl.cnf"

      For example:

      set "OPENSSL_CONF=c:\ProgramData\Electric Cloud\ElectricCommander\apache\conf\serverssl.cnf"

      Finally, generate a certificate signing request by entering:

      openssl req -new -key server.key -out server.csr

Sending the CA Request

Send the server.csr (or agent.csr) file to a certificate authority to sign the certificate. The CA verifies the information inside and sends you a signed certificate in response. The signed certificate includes the original certificate and the CA signature.

Installing the Signed Certificate

Installing a New Certificate

To install a signed certificate:

  1. Replace the existing certificate in the DATA_DIRECTORY directory with the new signed certificate you received from the CA. The signed certificate file should be placed in one of the following locations:

    • Agent – $DATA_DIRECTORY/conf/agent.crt

    • Web Server – $DATA_DIRECTORY/apache/conf/server.crt

  2. Restart the agent and/or Apache services.

Replacing an Expired Certificate

The $DATA_DIRECTORY/apache/conf/ssl.conf file contains the following relevant lines for the web server certificate and key:

SSLCertificateFile conf/server.crt
SSLCertificateKeyFile conf/server.key

To replace an expired certificate with a new certificate:

  • Generate a new server key.

  • Generate a CA request.

  • Get the certificate signed by your CA.

  • Replace the above files in the $DATA_DIRECTORY/apache/conf folder.

  • Restart the agent and/or Apache services.

The CloudBees Flow web server does not use a keystore.
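
A check worth running after server.crt and server.key are replaced and before the restart, as an added example that is not part of CloudBees Flow or its documentation: it confirms that the certificate matches the key, that it is not about to expire, and flags a self-issued certificate. The function names, the 30-day window and the constructed sample certificate (CN flow.example.test) are assumptions.

```shell
# Added example (not CloudBees Flow tooling): checks for server.key / server.crt
# before restarting Apache. Function names and the 30-day window are assumptions.
# SHA-256 of the PEM public key inside a private key (pkey) or certificate (x509).
pubkey_digest() {  # $1 = pkey|x509, $2 = file
  case "$1" in
    pkey) pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
    x509) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
    *)    return 2 ;;
  esac
  [ -n "$pem" ] || return 1   # unreadable file: never hash empty input
  printf '%s\n' "$pem" | openssl dgst -sha256
}

# True when the certificate carries the public key of this private key.
key_matches_cert() {  # $1 = key file, $2 = certificate file
  k=$(pubkey_digest pkey "$1") || return 1
  c=$(pubkey_digest x509 "$2") || return 1
  [ "$k" = "$c" ]
}

# True when the certificate is still valid $2 days from now.
cert_valid_for() {  # $1 = certificate file, $2 = days
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# True when subject and issuer match, as on the installer's temporary certificate.
is_self_issued() {  # $1 = certificate file
  s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
  i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
  [ -n "$s" ] && [ "$s" = "$i" ]
}

# Run every check on the two files that ssl.conf references.
check_conf_dir() {  # $1 = e.g. "$DATA_DIRECTORY/apache/conf"
  rc=0
  key_matches_cert "$1/server.key" "$1/server.crt" ||
    { echo "FAIL: server.crt does not match server.key"; rc=1; }
  cert_valid_for "$1/server.crt" 30 ||
    { echo "FAIL: server.crt is expired or expires within 30 days"; rc=1; }
  if is_self_issued "$1/server.crt"; then echo "WARN: server.crt is self-issued"; fi
  return "$rc"
}

# Constructed sample: throwaway key and self-signed certificate valid for $2 days.
make_sample() {  # $1 = existing empty directory, $2 = days
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=flow.example.test" \
    -days "$2" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}
[ -z "${1:-}" ] || check_conf_dir "$1"   # usage: sh check_cert.sh "$DATA_DIRECTORY/apache/conf"
```

A non-zero exit status means Apache would start with a mismatched or soon-to-expire certificate; the same functions work on agent.key and agent.crt when called directly.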