CA Server Certificate Expires


Description

If you use a certificate authority (CA) certificate or an intermediate CA certificate, certificate-related errors occur when that certificate expires.

CloudBees Flow uses a self-signed certificate by default. This section describes how to update a CA or intermediate CA certificate if you have used one to replace the self-signed certificate. If you are using the self-signed certificate instead and it has expired, see CloudBees Flow Self-Signed Server Certificate Fails Security Scan for details about updating it.

Workaround:

CloudBees Flow certificates use Jetty. Follow these steps to update the existing certificate in the keystore and then publish it to ZooKeeper:

  1. Shut down all nodes on the CloudBees Flow cluster except for one node.

  2. Go to the CloudBees Flow <install_dir> directory on the node.

  3. Delete the existing certificate from the keystore by entering:

    jre/bin/keytool -delete -alias jetty -keystore keystore -keypass passkey

  4. Generate a new key pair.

    Specify a validity (in days) and a key size of either 1024 or 2048 by entering:

    jre/bin/keytool -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg MD5withRSA -validity 3650 -keysize 2048

  5. Generate a certificate signing request (CSR) from the keystore by entering:

    jre/bin/keytool -certreq -alias jetty -keystore keystore -file certreq.csr

  6. Sign the CSR using your CA.

  7. Import the signed certificate into the keystore by entering:

    jre/bin/keytool -importcert -file <certificate> -keystore keystore -alias jetty

  8. If CloudBees Flow is clustered, publish the keystore to ZooKeeper.

    Go to the <install_dir>/conf directory and use the steps in Uploading Configuration Files to ZooKeeper. For example, enter the following command.

    • Linux:

      COMMANDER_ZK_CONNECTION=<ZooKeeper_Server_IP>:2181 ../jre/bin/java -jar ../server/bin/zk-config-tool-jar-with-dependencies.jar com.electriccloud.commander.cluster.ZKConfigTool --keystoreFile keystore

    • Windows:

      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java.exe" -DCOMMANDER_ZK_CONNECTION=<ZooKeeper_Server_IP>:2181 -jar "C:\Program Files\Electric Cloud\ElectricCommander\server\bin\zk-config-tool-jar-with-dependencies.jar" com.electriccloud.commander.cluster.ZKConfigTool --databasePropertiesFile database.properties --keystoreFile keystore
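A check worth running after step 7 and before publishing the keystore in step 8: confirm that the jetty alias holds a CA-signed certificate paired with its private key and that it is not close to expiry. This is an added example, not part of the CloudBees procedure; the function name, exit codes and sample listing are assumptions made for illustration, and it relies on GNU date.

```sh
# Constructed sample of `keytool -list -v -alias jetty` output (not from a real keystore).
sample_ca_signed() {
cat <<'EOF'
Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=flow.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Valid from: Fri Jan 05 00:00:00 UTC 2024 until: Sun Jan 04 23:59:59 UTC 2026
Signature algorithm name: SHA256withRSA
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Root CA, O=Example
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Jan 01 00:00:00 UTC 2030
Signature algorithm name: SHA256withRSA
EOF
}

# check_jetty_entry MIN_DAYS [NOW_EPOCH]  (hypothetical helper; reads the listing on stdin)
# Returns 0 = OK, 1 = signed cert not paired with the private key,
#         2 = still self-signed (CA reply not imported),
#         3 = expired or expiring within MIN_DAYS, 4 = MD5/SHA1 signature.
# Real use, from <install_dir> (UTC/English so the dates parse):
#   jre/bin/keytool -J-Duser.timezone=UTC -J-Duser.language=en \
#       -list -v -alias jetty -keystore keystore | check_jetty_entry 30
check_jetty_entry() {
    min_days=$1
    now=${2:-$(date -u +%s)}          # optional second argument pins "now"
    report=$(cat)
    # The server (leaf) certificate is listed first: take the first match only.
    field() { printf '%s\n' "$report" | sed -n "s/^$1: *//p" | head -n 1; }

    [ "$(field 'Entry type')" = "PrivateKeyEntry" ] || return 1
    [ "$(field 'Owner')" != "$(field 'Issuer')" ] || return 2

    not_after=$(field 'Valid from' | sed 's/.* until: //')
    expires=$(date -u -d "$not_after" +%s) || return 3
    days_left=$(( (expires - now) / 86400 ))
    echo "jetty: valid until $not_after ($days_left days left)"
    [ "$expires" -gt "$now" ] && [ "$days_left" -ge "$min_days" ] || return 3

    case "$(field 'Signature algorithm name')" in
        MD5*|SHA1*) return 4 ;;
    esac
    return 0
}

# Demo on the constructed sample, with "now" pinned to 2025-06-01 00:00:00 UTC.
sample_ca_signed | check_jetty_entry 30 1748736000
```

A status of 2 means the alias still holds the self-signed certificate created in step 4, so the keystore should not be published yet.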