CloudBees CD Self-Signed Server Certificate Fails Security Scan

On this page

Description

You might need to replace the self-signed CloudBees CD server certificate if it fails the security scan.

If you are using a certificate authority (CA) certificate or an intermediate CA certificate instead and it has expired, see CA Server Certificate Expires for details about updating it.

There are three relevant configuration entries in the server/conf/commander.properties file:

COMMANDER_HTTPS_PORT=8443
COMMANDER_KEYSTORE=file:conf/keystore
COMMANDER_KEYSTORE_PASSWORD=abcdef

Where:

  • COMMANDER_HTTPS_PORT configures the SSL port

  • COMMANDER_KEYSTORE is the location of the java keystore where the CloudBees CD HTTP server finds its host certificate

  • COMMANDER_KEYSTORE_PASSWORD is the password to the keystore

Workaround

Follow these steps to generate and inject a self-signed certificate for 1 year.

  1. Back up the keystore file.

  2. Delete the original key.

    user@USER /cygdrive/c/ProgramData/ElectricCloud/ElectricCommander/conf
    $ "c:/Program Files/ElectricCloud/ElectricCommander/jre/bin/keytool" -delete -alias jetty -keystore keystore -keypass passkey
    Enter keystore password: abcdef
  3. Generate and inject a new certificate.

    user@USER /cygdrive/c/ProgramData/ElectricCloud/ElectricCommander/conf
    $ "c:/Program Files/ElectricCloud/ElectricCommander/jre/bin/keytool" -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg MD5withRSA -validity 365
    Enter keystore password: abcdef
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]: 
    What is the name of your organization?
      [Unknown]: 
    What is the name of your City or Locality?
      [Unknown]: 
    What is the name of your State or Province?
      [Unknown]: 
    What is the two-letter country code for this unit?
      [Unknown]: 
    Is CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
      [no]:  yes
    Enter key password for 
      (RETURN if same as keystore password): 
    . Restart the server.

    Your new certificate will look similar to this:

    user@USER /cygdrive/c/ProgramData/ElectricCloud/ElectricCommander/conf
    $ "c:/Program Files/ElectricCloud/ElectricCommander/jre/bin/keytool" -list -v -keystore keystore_orig -keypass passkey
    Enter keystore password: abcdef
    Keystore type: JKS
    Keystore provider: SUN
    Your keystore contains 1 entry
    Alias name: jetty
    Creation date: Jan 31, 2012
    Entry type: PrivateKeyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    Issuer: CN=localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
    
    Serial number: 4f28603f
    Valid from: Tue Jan 31 13:42:23 PST 2012 until: Wed Jan 30 13:42:23 PST 2013
    Certificate fingerprints:
    MD5:  38:50:CD:29:8C:16:3A:78:29:0F:45:56:E0:CA:42:D9
    SHA1: 9B:A3:E4:EA:A7:C0:3A:ED:BF:63:24:18:F0:08:78:22:59:85:BC:8A
    Signature algorithm name: MD5withRSA
    Version: 3
    *******************************************
    *******************************************