CA Server Certificate Expires


When CloudBees Flow uses a certificate authority (CA) certificate or an intermediate CA certificate, that certificate eventually expires, and the expiry causes certificate-related errors.

CloudBees Flow uses a self-signed certificate by default. This section describes how to update a CA or intermediate CA certificate if you have used one to replace the self-signed certificate. If you are using the self-signed certificate instead and it has expired, see CloudBees Flow Self-Signed Server Certificate Fails Security Scan for details about updating it.


CloudBees Flow certificates use Jetty. Follow these steps to update the existing certificate in the keystore and then publish it to ZooKeeper:

  1. Shut down all nodes on the CloudBees Flow cluster except for one node.

  2. Go to the CloudBees Flow <install_dir> directory on the node.

  3. Delete the existing certificate from the keystore by entering:

    jre/bin/keytool -delete -alias jetty -keystore keystore -keypass passkey

  4. Generate a new key pair.

    Specify a validity (in days) and a key size of either 1024 or 2048 by entering:

    jre/bin/keytool -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg MD5withRSA -validity 3650 -keysize 2048

  5. Generate a certificate signing request (CSR) from the keystore by entering:

    jre/bin/keytool -certreq -alias jetty -keystore keystore -file certreq.csr

  6. Sign the CSR using your CA.

  7. Import the signed certificate into the keystore by entering:

    jre/bin/keytool -importcert -file <certificate> -keystore keystore -alias jetty

  8. If CloudBees Flow is clustered, publish the keystore to ZooKeeper.

    Go to the <install_dir>/conf directory and use the steps in Uploading Configuration Files to ZooKeeper. For example, enter the following command for your platform.

    • Linux:

      COMMANDER_ZK_CONNECTION=<ZooKeeper_Server_IP>:2181 ../jre/bin/java -jar ../server/bin/zk-config-tool-jar-with-dependencies.jar com.electriccloud.commander.cluster.ZKConfigTool --keystoreFile keystore

    • Windows:

      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java.exe" -DCOMMANDER_ZK_CONNECTION=<ZooKeeper_Server_IP>:2181 -jar "C:\Program Files\Electric Cloud\ElectricCommander\server\bin\zk-config-tool-jar-with-dependencies.jar" com.electriccloud.commander.cluster.ZKConfigTool --keystoreFile keystore
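
A check to run after step 7 and before publishing the keystore, as an added example that is not part of the CloudBees documentation: it reads the output of `jre/bin/keytool -list -v -alias jetty -keystore keystore` and confirms that the jetty alias now holds the CA-signed certificate rather than the self-signed MD5withRSA placeholder that step 4 creates. The sample listings are constructed, the field labels are assumed to match recent JDK keytool output, and the 2048-bit, no-MD5 policy is this example's assumption.

```sh
#!/bin/sh
# Added example, not CloudBees code. Audits the text printed by
#   jre/bin/keytool -list -v -alias jetty -keystore keystore
# Reads that listing on stdin, prints findings, returns the number of findings.
# Policy assumed here (not from the page): RSA >= 2048 bits, no MD2/MD5/SHA-1.
audit_jetty_entry() {
  awk '
    /^Entry type:/                            { type = $3 }
    /^Certificate\[[0-9]+\]:/                 { leaf = ($0 ~ /^Certificate\[1\]:/); next }
    leaf && /^Owner: /                        { owner = substr($0, 8) }
    leaf && /^Issuer: /                       { issuer = substr($0, 9) }
    leaf && /^Signature algorithm name: /     { sig = $4 }
    leaf && /^Subject Public Key Algorithm: / { bits = $5 + 0 }
    END {
      n = 0
      if (type != "PrivateKeyEntry")   { print "FAIL: entry type is " type ", private key missing"; n++ }
      if (owner == issuer)             { print "FAIL: leaf is self-signed, CA reply not imported"; n++ }
      if (sig ~ /^(MD2|MD5|SHA1)with/) { print "FAIL: weak signature algorithm " sig; n++ }
      if (bits < 2048)                 { print "FAIL: RSA key is " bits " bits"; n++ }
      if (n == 0) print "OK: " sig ", " bits "-bit key, issued by " issuer
      exit n
    }'
}

# Constructed sample: alias state right after step 4 (self-signed placeholder).
PLACEHOLDER_SAMPLE='Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=flow.example.test, O=Example
Issuer: CN=flow.example.test, O=Example
Signature algorithm name: MD5withRSA
Subject Public Key Algorithm: 2048-bit RSA key'

# Constructed sample: alias state after step 7 (CA reply imported, root in chain).
SIGNED_SAMPLE='Alias name: jetty
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=flow.example.test, O=Example
Issuer: CN=Example Root CA, O=Example
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Certificate[2]:
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example'

printf '%s\n' "$PLACEHOLDER_SAMPLE" | audit_jetty_entry
printf '%s\n' "$SIGNED_SAMPLE" | audit_jetty_entry
```

Only `Certificate[1]` is judged, so a self-signed root further down the chain does not trigger the self-signed finding.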