CA Server Certificate Expires


When using a certificate authority (CA) certificate or an intermediate CA certificate, the certificate expires and causes certificate-related errors.

CloudBees Flow uses a self-signed certificate by default. This section describes how to update a CA or intermediate CA certificate if you have used one to replace the self-signed certificate. If you are using the self-signed certificate instead and it has expired, see CloudBees Flow Self-Signed Server Certificate Fails Security Scan for details about updating it.


CloudBees Flow certificates use Jetty. Follow these steps to update the existing certificate in the keystore and then publish it to Zookeeper:

  1. Shut down all nodes on the CloudBees Flow cluster except for one node.

  2. Go to the CloudBees Flow <install_dir> directory on the node.

  3. Delete the existing certificate from the keystore by entering:

    jre/bin/keytool -delete -alias jetty -keystore keystore -keypass passkey

  4. Generate a new key pair.

    Specify a validity (in days) and a key size of either 1024 or 2048 by entering:

    jre/bin/keytool -keystore keystore -alias jetty -genkey -keyalg RSA -sigalg MD5withRSA -validity 3650 -keysize 2048

  5. Generate a certificate signing request (CSR) from the keystore by entering:

    jre/bin/keytool -certreq -alias jetty -keystore keystore -file certreq.csr

  6. Sign the CSR using your CA.

  7. Import the signed certificate into the keystore by entering:

    jre/bin/keytool -importcert -file <certificate> -keystore keystore -alias jetty

  8. If CloudBees Flow is clustered, publish the keystore to Zookeeper.

    Go to the <install_dir>/conf directory and use the steps in Uploading Configuration Files to ZooKeeper . For example, enter the following command.

    • Linux:

      COMMANDER_ZK_CONNECTION=<ZooKeeper_Server_IP>:2181 ../jre/bin/java -jar ../server/bin/zk-config-tool-jar-with-dependencies.jar com.electriccloud.commander.cluster.ZKConfigTool --keystoreFile keystore
    • Windows:

      "C:\Program Files\Electric Cloud\ElectricCommander\jre\bin\java.exe" -DCOMMANDER_ZK_CONNECTION=<ZooKeeper_Server_IP>:2181 -jar "C:\Program Files\Electric Cloud\ElectricCommander\server\bin\zk-config-tool-jar-with-dependencies.jar" com.electriccloud.commander.cluster.ZKConfigTool --databasePropertiesFile --keystoreFile keystore
Copyright © 2010-2020 CloudBees, Inc.Online version published by CloudBees, Inc. under the Creative Commons Attribution-ShareAlike 4.0 license.CloudBees and CloudBees DevOptics are registered trademarks and CloudBees Core, CloudBees Flow, CloudBees Flow Deploy, CloudBees Flow DevOps Insight, CloudBees Flow DevOps Foresight, CloudBees Flow Release, CloudBees Accelerator, CloudBees Accelerator ElectricInsight, CloudBees Accelerator Electric Make, CloudBees CodeShip, CloudBees Jenkins Enterprise, CloudBees Jenkins Platform, CloudBees Jenkins Operations Center, and DEV@cloud are trademarks of CloudBees, Inc. Most CloudBees products are commonly referred to by their short names — Accelerator, Automation Platform, Flow, Deploy, Foresight, Release, Insight, and eMake — throughout various types of CloudBees product-specific documentation. Oracle and Java are registered trademarks of Oracle and/or its affiliates. Jenkins is a registered trademark of the non-profit Software in the Public Interest organization. Used with permission. See here for more info about the Jenkins project. The registered trademark Jenkins® is used pursuant to a sublicense from the Jenkins project and Software in the Public Interest, Inc. Read more at Apache, Apache Ant, Apache Maven, Ant and Maven are trademarks of The Apache Software Foundation. Used with permission. No endorsement by The Apache Software Foundation is implied by the use of these marks.Other names may be trademarks of their respective owners. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this content, and CloudBees was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this content, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.