Jenkins SSL certificate from Windows AD CS - ssl

I am trying to configure Jenkins on Windows with an SSL certificate following these instructions. Instead of using a Digicert certificate, our IT administrator would like to generate a certificate using the Windows AD CS using the certificate snap-in of mmc.
However we cannot figure out how to import the keytool generated csr certificate request into the certificate snap-in.
If I use a certificate with a recreated certificate request in the mmc certificate store, the certificate is rejected with the following message:
keytool -importcert -alias jenkins -file "D:\Temp\jenkins\jenkins.pem" -keystore "D:\Temp\jenkins\jenkins.jks"
Enter keystore password:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <jenkins>
Does anyone know how to create an SSL certificate from the Windows certificate store based on a java keytool created csr certificate request?

I was able to get Jenkins running with SSL and this is what I did.
On the Jenkins Master
In the Certificate Snap-in of mmc, navigate to Certificates (Local Computer) / Personal.
Right click Personal Folder and select All Tasks / Request New Certificate...
Confirm the next two Enrollment pages by clicking on Next.
Check a Webserver Active Directory Enrollment Policy.
A Warning Message shows below the Enrollment Policy: "More information is required to enroll for this certificate. Click here to configure settings." Click on it.
Fill out the Certificate Properties:
Subject name: Common name: [the name of your jenkins server]
Alternative name: DNS: [the name of your jenkins server]
Alternative name: DNS: [the full name of your jenkins server including your domain]
Confirm the page with OK and the following two pages.
Export the Certificate as PFX format: Right click on the certificate, All Tasks / Export...
Check: Yes, export the private key
Check: Include all certificates in the certification path if possible
Check: Export all extended properties
Since we are exporting the private key, we must provide a password. Check: Password and enter your password and password confirmation.
Pick a path for your PFX certificate and finish the export.
Export the certificate one more time without a password in the Base-64 encoded X.509 (.CER) format.
Rename the resulting .CER file into .PEM.
Create a java key store on the Jenkins server with
keytool -genkeypair -keysize 2048 -keyalg RSA -alias jenkins -keystore jenkins.jks
Answer the questions appropriate for your company and organisation.
Import the PFX certificate into the java keystore with
keytool -importkeystore -srckeystore jenkins.pfx -srcstoretype pkcs12 -destkeystore jenkins.jks -deststoretype JKS
Copy the jenkins.jks to the secrets directory where Jenkins is installed (in my case C:\Program Files (x86)\Jenkins\secrets).
Add the certificate to the Jenkins startup parameters:
-Djavax.net.ssl.trustStore=%JENKINS_HOME%\secrets\jenkins.jks
-Djavax.net.ssl.trustStorePassword=[your password for the java key store]
Restart the jenkins service.
On the Jenkins Agent
Import the PEM certificate from above into the java keystore from the command line with administrator privileges:
keytool -import -alias jenkins -keystore "C:\Program Files (x86)\Java\jre1.8.0_161\lib\security\cacerts" -file [your pem file]
Enter the password of the keystore (by default changeit).
Trust this certificate? [no]: yes
Make sure your jenkins-slave.xml in %JENKINS_HOME% does not contain -noCheckCertificate in the arguments.
Restart the service jenkinsslave-D__Jenkins.
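Before the keytool -importkeystore step it is worth confirming that the exported PFX really holds what the procedure expects. The Java program below is an added example (not from the answer above and not Jenkins code) that opens the PFX with the JDK's own KeyStore API, checks that the private key matches the certificate (the mismatch behind the "Certificate reply does not contain public key" error in the question), that the issuer chain was exported, and that the SAN lists the Jenkins host name, then writes the entry into a JKS under the readable alias jenkins instead of the GUID alias AD CS assigns. The file path, password and host name are placeholder assumptions, and an RSA key is assumed as in the keytool -genkeypair step.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
// Added example: checks an AD CS-exported PFX with the JDK KeyStore API and writes it
// to a JKS under the alias "jenkins". Path, password and host name are placeholders.
public class CheckJenkinsPfx {
    public static void main(String[] args) throws Exception {
        String pfxPath = args.length > 0 ? args[0] : "D:\\Temp\\jenkins\\jenkins.pfx";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String hostName = args.length > 2 ? args[2] : "jenkins.example.local";
        KeyStore pfx = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(pfxPath)) { pfx.load(in, password); }
        // AD CS stores the key under a GUID-like alias; take the key entry whatever it is called.
        String alias = null;
        for (String a : Collections.list(pfx.aliases())) if (pfx.isKeyEntry(a)) alias = a;
        if (alias == null) throw new IllegalStateException("no private key entry in PFX");
        PrivateKey key = (PrivateKey) pfx.getKey(alias, password);
        Certificate[] chain = pfx.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        // 1. Key/certificate match: rebuild the public key from the RSA private key and compare.
        //    A mismatch is what makes keytool say "Certificate reply does not contain public key".
        RSAPrivateCrtKey rsa = (RSAPrivateCrtKey) key;
        PublicKey derived = KeyFactory.getInstance("RSA").generatePublic(
                new RSAPublicKeySpec(rsa.getModulus(), rsa.getPublicExponent()));
        if (!Arrays.equals(derived.getEncoded(), leaf.getPublicKey().getEncoded()))
            throw new IllegalStateException("private key does not match the certificate");
        // 2. Issuer chain: the export must have included the certification path.
        if (chain.length < 2) throw new IllegalStateException("issuer chain missing from PFX");
        // 3. SAN must list the DNS name agents connect to (GeneralName type 2 = dNSName).
        boolean sanOk = false;
        if (leaf.getSubjectAlternativeNames() != null)
            for (List<?> san : leaf.getSubjectAlternativeNames())
                if (Integer.valueOf(2).equals(san.get(0)) && hostName.equalsIgnoreCase((String) san.get(1))) sanOk = true;
        if (!sanOk) throw new IllegalStateException("SAN does not list " + hostName);
        // Store the entry under a readable alias instead of the GUID AD CS assigned.
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);
        jks.setKeyEntry("jenkins", key, password, chain);
        try (FileOutputStream out = new FileOutputStream("jenkins.jks")) { jks.store(out, password); }
        System.out.println("OK: " + alias + " -> jenkins, " + chain.length + " certificates in chain");
    }
}
```

Run it as java CheckJenkinsPfx <pfx> <password> <hostname>; any of the three checks failing throws before a jenkins.jks is written.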

I am reading the tutorial you have mentioned in your post. And I see this sentence:
"if making your own certificate skip steps 3, 4, and 5". Your code seems to be the specified in step 5.
You could try to copy the keystore file to your Jenkins secrets directory as mentioned in step 6.
This link can also be helpful.

how to convert a pki to jks if I don't have the private key?

The company signs its own certificates, so this is giving problems to validate, so I have added the custom CA authority to a pod running Jenkins. Now I can curl successfully against a service; the thing is that I'm trying to use a Jenkins plugin which continues to give an SSL error, so I think the problem is that I need to add the certs in JKS format, but all the info I found to convert a PEM to JKS is with the private key, which I don't have.
The plugin which I need to make work is micro focus fortify plugin.
How do I convert a public ca authority to jks if I don't have the private key?
I'm guessing you're just trying to add your internal CA cert to the cacerts file that your Jenkins server is using. The cacerts file is a keystore file that contains all of the public certs for trusted CAs and it will be located with the Java installation that your Jenkins server is using.
Please note that if you're trying to trust other certs that were signed by your CA, then you only need your CA's public certificate. You do not require the CA's private cert. If you have an admin who gives out the private cert/key to anyone, you should probably slap that person because that is a major security risk.
When Jenkins starts up, it will use the public CA certs from that cacerts file which will also be used by any Jenkins plugins that you use.
To import a new CA cert, you just need the cert to be in base64 format. You can use the following command to import:
keytool -importcert -file yourCAcert.pem -keystore cacerts -alias "YourCertAlias"

Issue to install Geotrust certificate (SSL) on Tomcat

I got a certificate from Geotrust and I'm trying to apply it to my Tomcat web server, as can be seen in the image below, I left .csr and .p7b in the same directory (java / bin)
The SoftLayer support team has indicated the link https://www.digicert.com/ssl-certificate-installation-tomcat.htm as help, and when I execute the command I get the error: keytool error: java.lang.Exception: Input not an X.509 certificate
Anyone have been through this and can you help me? I've been trying to figure it out for days.
Reasons for the error:
You are importing the certificate (p7b) into a wrong keystore. When you import the certificate into an existing keystore it will never ask you to punch in the password twice. If it's asking you to punch in the password twice, it means it's creating a new keystore. In a new keystore, you cannot import the certificates as a private entry; you can only create a Trusted Entry and add the certificates as trusted.
Solution
1)If you have the private key with you, please create a text file and rename the file as example.pem with all the certificates and private key in it in the below sequence
a) private key
b) Server certificate
c) Intermediate Certificate
d) Root Certificate.
2) Run the below openssl command
openssl pkcs12 -export -in example.pem -out certificate.pfx
3) As you have the pfx file from the above command, use the keytool command below to convert this in jks format for tomcat
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore certificate.jks -deststoretype jks
4) Provide the certificate.jks directive in server.xml file of tomcat along with its password
5) Restart the tomcat service.
Hope this helps ..

Importing a Certificate into Glassfish and Changing the Master Password

I have been attempting to help one of our sites with an error message they are getting while using an application that uses Glassfish. When signing into the application, the following errors are thrown:
CommunicationException: An error occurred while making the HTTP request to . This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server.
In Server.log, the following is displayed:
0400|SEVERE|glassfish3.1|com.sun.grizzly.config.GrizzlyServiceListener|_ThreadID=287;_ThreadName=Thread-1;|Failed to load keystore type JKS with path C:\glassfishv3\glassfish\domains\domain1/config/keystore.jks due to Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
The site is only experiencing this problem when they change the glassfish master password. When the master password is left as its default setting, everything works correctly. The default master password is "changeit".
Additionally, the site generates and imports a certificate for use with glassfish. The following are the steps that are performed, in order, for generating a certificate and changing the password:
Stopped Glassfish service.
Opened MMC.MSC: Action --> All Tasks --> Request New Certificate
From the Certificate Enrollment wizard, chose a Computer type certificate. Click Properties Button and configure certificate. It gets a friendly name of "s1as" and an exportable private key of key size 2048. Private key is exported as a pfx file and certificate is exported as a cer file. The files are saved in the glassfish config folder. Details about this process available if needed.
DOS prompt opened and this command is run inside the glassfish config folder:
keytool -delete -alias s1as -keystore keystore.jks -storepass changeit
Following command is run:
keytool -import -v -trustcacerts -alias -file root.cer -keystore cacerts.jks -storepass changeit
Answered "Y" to trust the certificate.
Ran the following command to replace the original self-signed certificate with the pfx one.
keytool -importkeystore -srckeystore .pfx -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Entered password, and a success message appears afterwards that 1 entry was successfully imported.
Ran this command:
keytool -list -keystore keystore.jks -rfc
A lot of output is produced, including a long Alias name. This long alias is used in the next command.
Ran the following command:
keytool -changealias -alias "" -destalias "s1as" -keypass changeit -keystore keystore.jks -storepass changeit
Ran the following command in asadmin:
change-master-password --savemasterpassword=true
Entered Current password of "changeit"
Entered new password of 123456
Re-entered 123456.
Success message that master password changed successfully.
Started glassfish service
In my local testing, this procedure has worked and I am able to use the application with no errors. But on the site I am aiding, when they follow the same process, they receive the errors I listed at the top of this message.
My specific questions:
Could the site's certificate be causing this problem? If so, is there a way I could test that the certificate is the issue?
What other things might potentially be generating the errors? Could the "change-master-password" command not be properly changing the password, or could there be something else that needs to have the password changed as well?
I have found the solution to this, and I am posting it here should someone in the future encounter the same issue that I have. Hopefully this will save someone much frustration some day.
In domain.xml, the following 2 lines needed to be added in the jvm-options area.
<jvm-options>-Djavax.net.ssl.keyStorePassword=[password]</jvm-options>
<jvm-options>-Djavax.net.ssl.trustStorePassword=[password]</jvm-options>

Configuring Jenkins with StartSSL - adding the issuer chain

I am unable to correctly configure Jenkins to use a StartSSL certificate.
I'm running it with command line arguments that specify paths to the private key and my certificate as shown on the Jenkins Wiki (at the bottom: https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins).
I've obtained a private key and a certificate from StartSSL
I've placed them in a particular folder
I'm running Jenkins as follows: java -jar jenkins.war --httpPort=-1 --httpsPort=8080 --httpsCertificate=<mydomain.crt file> --httpsPrivateKey=<my private key file>
Jenkins starts successfully. Opening https://mydomain:8080/ in Firefox says that the connection is untrusted:
mydomain:8080 uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
I've tried verifying mydomain:8080 on various SSL checker websites:
OK mydomain resolves to xxx.xxx.xxx.xxx
OK The certificate was issued by StartCom.
OK The certificate will expire in XXX days.
OK The hostname (mydomain) is correctly listed in the certificate.
Not OK The certificate is not trusted in all web browsers.
You may need to install an Intermediate/chain certificate
to link it to a trusted root certificate.
StartSSL does not have explicit instructions for setting up Jenkins. I've tried following up on similar tutorials for other kinds of servers, and copied the intermediate authority files from StartCom into a unified certificate (ca.pem and sub.class1.server.ca.pem as noted here: http://www.startssl.com/?app=42).
However, this did not change anything.
SSL checkers like www.sslshopper.com/ssl-checker.html still report that the website is untrusted.
Also, the GitHub image caching service is not rendering the build status icon from Jenkins for the same reason.
How do I add the issuer chain correctly to my certificate?
I had a similar problem and after some research what got everything to be trusted was:
Merged the intermediate authority certificate and <mydomain.crt file> into 1 unified certificate called merged.cer using the link you mentioned
(From: https://serverfault.com/questions/569866/jenkins-wont-serve-with-ca-signed-certificate)
openssl pkcs12 -inkey /location/to/key.pem -in /location/to/merged.cer -export -out keys.pkcs12
keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore jenkins.jks
NOTE: the key to use for the merged.cer should be the same as <my private key file>
Then follow the Jenkins Wiki to use the KeyStore instead of the certificate
java -jar jenkins.war --httpPort=-1 --httpsPort=8080 --httpsKeyStore=/path/to/jenkins.jks --httpsPrivateKey=<my private key file>

Can the alias in a keystore be a guid?

I have a problem in regards to Tomcat 6 and certificates. The problem is somewhat similar to this: Tomcat HTTPS keystore certificate.
My task is to get a Jira installation running with an SSL certificate issued by a CA.
To make sure I have got the workflow right I have tried to create a certificate of my own the following way (this works):
Create 'my' keystore
Extract the certificate from the 'my' keystore
Import the extracted certificate into Java's \cacerts keystore.
This solution works fine - site can be accessed over SSL.
I assume the following can be done with my CA issued certificate, in the form of a pfx file.
I created a new keystore using this command:
keytool -importkeystore -srckeystore certificate.pfx -srcstoretype pkcs12 -destkeystore \mydest\keystore.jks -deststorepass changeit
When I list the contents of the new keystore.jks I get one entry; private key with a guid.
I extract the certificate from the keystore. In this operation I am unable to specify an alias.
I import the certificate into the \cacerts keystore.
I then list the contents of the \cacerts keystore and find my new entry. Instead of having a name, the entry is showing the same guid as from the initial (pfx) keystore.
I alter my server.xml file with the new alias (e.g. guid) and keystore file.
However - starting Tomcat gives this error:
Alias name {guid} does not identify a key entry
Question is:
Can a guid be a key name?
If not, what I am doing wrong? :)
I have tried both keystores in the server.xml file, without luck.
New info; when I execute this command I am able to find information regarding the certificate in the \cacerts file:
keytool -list -v -keystore \cacerts -alias {guid}
So it seems that the guid exists. However, Tomcat seems to be unable to find the same key.
Answer is 'yes'.
The origin of my problem was that I had the wrong password for the key from the pfx file. Using the following command I changed the password from the original one to the standard password (I did this prior to exporting the certificate from the keystore created from the pfx file):
keytool -keypasswd -alias {guid} -keystore \mydest\keystore.jks
Keytool then asked me for old password and new password.
I might have been able to add some sort of configuration in the server.xml file like 'keypassword', but I haven't looked into that.