Description
The CloudBees CD/RO server uses a self-signed certificate by default. This certificate is valid for ten years, but might need to be replaced if it fails the security scan.
If using a certificate authority (CA) certificate or an intermediate CA certificate instead, and it has expired, see CA Server Certificate Expires for details on how to update it.
There are three relevant configuration entries in the server/conf/commander.properties file:

    COMMANDER_HTTPS_PORT=8443
    COMMANDER_KEYSTORE=file:conf/keystore
    COMMANDER_KEYSTORE_PASSWORD=abcdef

Where:
- COMMANDER_HTTPS_PORT configures the SSL port.
- COMMANDER_KEYSTORE is the location of the Java keystore where the CloudBees CD/RO HTTP server finds its host certificate.
- COMMANDER_KEYSTORE_PASSWORD is the password to the keystore.
Workaround
If the self-signed certificate has expired, or CloudBees CD/RO has been upgraded, use the following steps to generate and inject a new self-signed certificate that is valid for one year.
Agent certificates are not renewed during this process or after an upgrade. If using agents, the agent certificates must be updated separately. Newly installed agent certificates are valid for two years.
- Back up the keystore file.
- Delete the original key.

    user@USER /cygdrive/c/ProgramData/cloudbees/sda/conf
    $ "c:/Program Files/cloudbees/sda/jre/bin/keytool" -delete -alias jetty -keystore keystore -keypass passkey
    Enter keystore password: abcdef

- Generate and inject a new certificate.

    user@USER /cygdrive/c/ProgramData/cloudbees/sda/conf
    $ "c:/Program Files/cloudbees/sda/jre/bin/keytool" -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg MD5withRSA -validity 365
    Enter keystore password: abcdef
    What is your first and last name?
      [Unknown]: localhost
    What is the name of your organizational unit?
      [Unknown]: <Enter>
    What is the name of your organization?
      [Unknown]: <Enter>
    What is the name of your City or Locality?
      [Unknown]: <Enter>
    What is the name of your State or Province?
      [Unknown]: <Enter>
    What is the two-letter country code for this unit?
      [Unknown]: <Enter>
    Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]: yes
    Enter key password for <jetty>
      (RETURN if same as keystore password): <Enter>

- Restart the server.
Your new certificate will look similar to this:

    user@USER /cygdrive/c/ProgramData/cloudbees/sda/conf
    $ "c:/Program Files/cloudbees/sda/jre/bin/keytool" -list -v -keystore keystore_orig -keypass passkey
    Enter keystore password: abcdef

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    Alias name: jetty
    Creation date: Jan 31, 2012
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Serial number: 4f28603f
    Valid from: Tue Jan 31 13:42:23 PST 2012 until: Wed Jan 30 13:42:23 PST 2013
    Certificate fingerprints:
      MD5: 38:50:CD:29:8C:16:3A:78:29:0F:45:56:E0:CA:42:D9
      SHA1: 9B:A3:E4:EA:A7:C0:3A:ED:BF:63:24:18:F0:08:78:22:59:85:BC:8A
      Signature algorithm name: MD5withRSA
      Version: 3

    *******************************************
    *******************************************
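
A check for the listing above, as an added example (not CloudBees code): the function reads `keytool -list -v` output and reports, per certificate, the expiry date and whether the signature algorithm is one that security scans flag. The function names, the status strings and the English-locale output layout are assumptions; the sample listing is constructed from the output shown on this page.

```shell
#!/bin/sh
# Added example: audit `keytool -list -v` output (English-locale layout, as on this page).
# Usage (hypothetical pipeline): keytool -list -v -keystore keystore | audit_listing

# audit_listing [TODAY]: reads a listing on stdin; TODAY is YYYYMMDD (default: now).
# Prints alias|not-after|sigalg|status per certificate; returns 1 if any is not OK.
audit_listing() {
    awk -v today="${1:-$(date +%Y%m%d)}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
        bad = 0
    }
    /^Alias name:/ { alias = $3 }
    / until: / {
        # "... until: Wed Jan 30 13:42:23 PST 2013" -> 20130130
        split($0, p, " until: ")
        split(p[2], d, " ")
        notafter = sprintf("%04d%02d%02d", d[6], mon[d[2]], d[3])
    }
    /Signature algorithm name:/ {
        alg = $4
        status = ""
        if (notafter + 0 < today + 0) status = "EXPIRED"
        # MD2, MD5 and SHA-1 based signatures are reported as weak.
        if (alg ~ /^(MD2|MD5|SHA1)with/) status = status (status ? "+" : "") "WEAK_SIGALG"
        if (status == "") status = "OK"
        else bad = 1
        print alias "|" notafter "|" alg "|" status
    }
    END { exit bad }
    '
}

# Constructed sample: the listing from this page, reduced to the fields the audit reads.
sample_listing() {
    cat <<'EOF'
Alias name: jetty
Creation date: Jan 31, 2012
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Valid from: Tue Jan 31 13:42:23 PST 2012 until: Wed Jan 30 13:42:23 PST 2013
  Signature algorithm name: MD5withRSA
EOF
}
```

keytool also accepts `-sigalg SHA256withRSA`, which this check reports as OK for an unexpired certificate.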