Hello David;

As far as I know, the JKS keystore format maintains a link between private 
keys and certificate chains. Maybe, when you imported your certificate, the 
link between the key and the previously created self-signed certificate was 
not updated. What does the command 
"keytool -list -v -keystore myKeyStore.jks" return?

To create a new keystore containing only the key and the CA signed 
certificate (and maybe additional sub-CA certificates if required) you 
should:

1. export your keystore to the PKCS12 format:
    keytool -importkeystore -srckeystore myKeyStore.keystore -destkeystore myKeyStore.p12 -deststoretype PKCS12 -srcstorepass myPassword -deststorepass myPassword

2. extract the key in PKCS8 format with openssl:
    openssl pkcs12 -in myKeyStore.p12 -nodes

The private key, encoded with PEM (base64), starts with 
-----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----

3. create a new PKCS12 file with openssl

    openssl pkcs12 -export -in jenkins-cert.pem -inkey jenkins-key.pem -name "friendly name" -out jenkins.p12


Optionally (I'm not sure whether Jenkins accepts PKCS12 encoded keystores) 
you can re-encode this PKCS12 file into JKS format with the 
"importkeystore" keytool command.

Hope this helps

-- 
JC

Le mardi 26 février 2013 09:14:38 UTC+1, David Doughty a écrit :
>
> hi JC,
>
> I created the keystore with the self certified key a couple of weeks ago 
> when I installed jenkins, and then generated a CSR. The root/intermediate 
> and private key for the machine have been loaded into the same keystore.
>
> Jenkins is currently started with the following command
>
> java $JAVA_OPTS -jar $JENKINS_HOME/jenkins.war --prefix=$JENKINS_PREFIX 
>  --controlPort=$JENKINS_CONTROL_PORT --httpPort=$JENKINS_HTTP_PORT 
> --ajp13Port=$JENKINS_AJP_PORT --httpsPort=$JENKINS_HTTPS_PORT 
> --httpsKeyStore=$KEYSTORE --httpsKeyStorePassword=$KEYSTORE_PASSWORD 
> --logfile=$LOGFILE &
>
> the variables are set as
>
> export JENKINS_PREFIX="/jenkins"
> export JENKINS_HOST="gbrpsr000000408"
> export JENKINS_CONTROL_PORT="8001"
> export JENKINS_HTTP_PORT="-1"
> export JENKINS_HTTPS_PORT=8444
> export KEYSTORE=/opt/jenkins/keystore/scmrm.jks
> export KEYSTORE_PASSWORD="Key\$t0re"
> export JENKINS_AJP_PORT="-1"
> export LOGFILE=$JENKINS_HOME/logs/access_`date +"%Y%m-%d"`.log
> export JAVA_OPTS="-Djava.awt.headless=true -XX:PermSize=512M 
> -XX:MaxPermSize=2048M -Xmn128M -Xms1024M -Xmx2048M"
>
>
>
>
>
> On Monday, 25 February 2013 17:20:49 UTC, jcsirot wrote:
>>
>> Hello David, 
>>
>> Can you give us more details on how you installed your keystore? Did you 
>> have a single keystore containing both self-signed and CA issued 
>> certificates? What params did you pass to Jenkins at start-up?
>>
>> -- 
>> JC
>>
>> Le lundi 25 février 2013 17:11:24 UTC+1, David Doughty a écrit :
>>>
>>> I've been running jenkins 1.466.12.1 as jenkins on RHEL6.2 (we don't 
>>> have root access), under https for a few weeks now, using a self signed 
>>> certificate, no problems, other than the issues for end users and 
>>> their browsers. We have now been issued an official certificate CA chain 
>>> root-intermediate-server from our security team.
>>>
>>> Now the fun begins...
>>>
>>> At the moment I don't seem to be able to get Jenkins to recognize the 
>>> official certificates at all; it only appears to start up with a keystore 
>>> with the self signed certificate present, which is the only certificate 
>>> presented to the client browser.
>>>
>>>
>>> https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins 
>>> at the bottom of this article it states - If your keystore contains 
>>> multiple certificates (e.g. you are using CA signed certificate) Jenkins 
>>> might end-up using an incorrect one. In this case you can convert the 
>>> keystore to PEM 
>>> <http://stackoverflow.com/questions/7528944/convert-ca-signed-jks-keystore-to-pem> 
>>> and use following command line options.
>>>
>>> Yes, we use a CA signed certificate, and I'm not sure how it might 
>>> decide to use the incorrect one......
>>>
>>> So, I've tried the link, which takes me to stackoverflow, and get as far 
>>> as java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key 
>>> which falls over with a java nullpoint exception....
>>>
>>> Does anyone else have a similar experience or is this something I have 
>>> to work through independently, and why does Jenkins have a problem with 
>>> keystores, and why can't it be fixed?
>>>
>>> thanks
>>>
>>> dD
>>>
>>>
>>>
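
A pre-flight check for step 3 of the reply above, as an added example that is not part of the original thread: it confirms the extracted key matches the certificate and that the certificate is CA-issued rather than the old self-signed one before building jenkins.p12, then re-reads the result. The function names, the P12_PASS variable and the test PKI (generated locally) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names and P12_PASS are
# assumptions; make_test_pki generates constructed test keys and certificates.

# Succeeds only if PEM private key $1 and PEM certificate $2 share a public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Succeeds only if certificate $1 parses and its issuer differs from its subject.
is_ca_issued() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$s" ] && [ "$s" != "$i" ]
}

# Build PKCS12 $4 (alias $5) from key $1, leaf cert $2 and CA chain file $3.
# The password is read from the environment so it stays off the command line.
build_p12() {
    key_matches_cert "$1" "$2" || { echo "key does not match cert" >&2; return 1; }
    is_ca_issued "$2" || { echo "cert is self-signed" >&2; return 1; }
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name "$5" -out "$4" -passout env:P12_PASS
}

# Re-read PKCS12 $1 and check the certificate that is bound to the private key.
p12_leaf_is_ca_issued() {
    leaf=$(mktemp) || return 1; rc=1
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin env:P12_PASS \
        -out "$leaf" 2>/dev/null && is_ca_issued "$leaf" && rc=0
    rm -f "$leaf"; return $rc
}

# Constructed data in directory $1: one key, its self-signed cert, a test CA,
# and a CA-signed cert for the same key (the situation described in the thread).
make_test_pki() {
    openssl genrsa -out "$1/jenkins-key.pem" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/jenkins-key.pem" -days 1 \
        -subj "/CN=jenkins.example.test" -out "$1/self-signed.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca-key.pem" -days 1 \
        -subj "/CN=Constructed Test CA" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -new -key "$1/jenkins-key.pem" \
        -subj "/CN=jenkins.example.test" -out "$1/jenkins.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/jenkins.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
        -CAcreateserial -days 1 -out "$1/jenkins-cert.pem" 2>/dev/null
}
```

With real files, set P12_PASS in the environment and call `build_p12 jenkins-key.pem jenkins-cert.pem chain.pem jenkins.p12 jenkins`, where chain.pem (an assumed name) holds the intermediate and root certificates.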
