Hi JC, Thanks for the reply, and my apologies, I've had some other issues to deal with for a couple of weeks.
Unfortunately I can't supply the content of a production keystore on an open forum, but it does appear to have all the certificates. I note however that the private self-certified certificate has a chain length of 1:

    Alias name: gbrpsr000000711
    Creation date: 25-Feb-2013
    Entry type: PrivateKeyEntry
    Certificate chain length: 1

Not sure if that is relevant, but I'll take a look at your suggestions in more detail. Thanks again for your help

dD

From: jenkinsci-users@googlegroups.com [mailto:jenkinsci-users@googlegroups.com] On Behalf Of jcsirot
Sent: 27 February 2013 09:31
To: jenkinsci-users@googlegroups.com
Subject: Re: jenkins/winstone running under https

Hello David;

As far as I know the JKS keystore format maintains a link between private keys and certificate chains. Maybe, when you imported your certificate, the link between the key and the previously created self-signed certificate was not updated. What does the command "keytool -list -v -keystore myKeyStore.jks" return?

To create a new keystore containing only the key and the CA signed certificate (and maybe additional sub-CA certificates if required) you should:

1. export your keystore to the PKCS12 format:

    keytool -importkeystore -srckeystore myKeyStore.keystore -destkeystore myKeyStore.p12 -deststoretype PKCS12 -srcstorepass myPassword -deststorepass myPassword

2. extract the key in PKCS8 format with openssl:

    openssl pkcs12 -in myKeyStore.p12 -nodes

   The private key is encoded with PEM (base64) and starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----

3. create a new PKCS12 file with openssl:

    openssl pkcs12 -export -in jenkins-cert.pem -inkey jenkins-key.pem -name "friendly name" -out jenkins.p12

Optionally (I'm not sure whether Jenkins accepts PKCS12 encoded keystores) you can re-encode this PKCS12 file into JKS format with the "importkeystore" keytool command.
Hope this helps
-- JC

On Tuesday, 26 February 2013 09:14:38 UTC+1, David Doughty wrote:

Hi JC,

I created the keystore with the self-certified key a couple of weeks ago when I installed Jenkins, and then generated a CSR. The root/intermediate and private key for the machine have been loaded into the same keystore. Jenkins is currently started with the following command:

    java $JAVA_OPTS -jar $JENKINS_HOME/jenkins.war --prefix=$JENKINS_PREFIX --controlPort=$JENKINS_CONTROL_PORT --httpPort=$JENKINS_HTTP_PORT --ajp13Port=$JENKINS_AJP_PORT --httpsPort=$JENKINS_HTTPS_PORT --httpsKeyStore=$KEYSTORE --httpsKeyStorePassword=$KEYSTORE_PASSWORD --logfile=$LOGFILE &

The variables are set as:

    export JENKINS_PREFIX="/jenkins"
    export JENKINS_HOST="gbrpsr000000408"
    export JENKINS_CONTROL_PORT="8001"
    export JENKINS_HTTP_PORT="-1"
    export JENKINS_HTTPS_PORT=8444
    export KEYSTORE=/opt/jenkins/keystore/scmrm.jks
    export KEYSTORE_PASSWORD="Key\$t0re"
    export JENKINS_AJP_PORT="-1"
    export LOGFILE=$JENKINS_HOME/logs/access_`date +"%Y%m-%d"`.log
    export JAVA_OPTS="-Djava.awt.headless=true -XX:PermSize=512M -XX:MaxPermSize=2048M -Xmn128M -Xms1024M -Xmx2048M"

On Monday, 25 February 2013 17:20:49 UTC, jcsirot wrote:

Hello David,

Can you give us more details on how you installed your keystore? Did you have a single keystore containing both self-signed and CA issued certificates? What params did you pass to Jenkins at start-up?

-- JC

On Monday, 25 February 2013 17:11:24 UTC+1, David Doughty wrote:

I've been running jenkins 1.466.12.1 as jenkins on RHEL6.2 (we don't have root access), under https for a few weeks now, using a self-signed certificate, no problems, other than the issues for end users and their browsers. We have now been issued an official certificate CA chain root-intermediate-server from our security team. Now the fun begins...
At the moment I don't seem to be able to get Jenkins to recognize the official certificates at all; it only appears to start up with a keystore with the self-signed certificate present, which is the only certificate presented to the client browser.

https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins

At the bottom of this article it states: "If your keystore contains multiple certificates (e.g. you are using a CA signed certificate) Jenkins might end up using an incorrect one. In this case you can convert the keystore to PEM (http://stackoverflow.com/questions/7528944/convert-ca-signed-jks-keystore-to-pem) and use the following command line options."

Yes, we use a CA signed certificate, and I'm not sure how it might decide to use the incorrect one... So, I've tried the link, which takes me to stackoverflow, and get as far as

    java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key

which falls over with a Java null pointer exception... Does anyone else have a similar experience, or is this something I have to work through independently? And why does Jenkins have a problem with keystores, and why can't it be fixed?

thanks
dD

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com. For more options, visit https://groups.google.com/groups/opt_out.
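Added example, not part of the thread above: JC asks for the output of `keytool -list -v`, and David's reply shows the tell-tale symptom, a PrivateKeyEntry with "Certificate chain length: 1" while the CA certificates sit in the store as separate trusted entries. This small Python parser reads such a listing and flags that state, so the check can be scripted rather than read by eye. The listing, aliases and distinguished names below are constructed placeholders, and only the first Owner/Issuer pair per alias (the leaf certificate) is recorded.

```python
import re

# Constructed, abridged `keytool -list -v` output; aliases and DNs are placeholders.
SAMPLE_LISTING = """\
Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 1
Owner: CN=jenkins.example, O=Example
Issuer: CN=jenkins.example, O=Example

Alias name: intermediate
Entry type: trustedCertEntry
Owner: CN=Example Intermediate CA, O=Example
Issuer: CN=Example Root CA, O=Example

Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA, O=Example
Issuer: CN=Example Root CA, O=Example
"""

# keytool field label -> dict key; the first Owner/Issuer seen per alias is the leaf.
FIELDS = {"Alias name": "alias", "Entry type": "type",
          "Certificate chain length": "chain_length", "Owner": "owner", "Issuer": "issuer"}

def parse_keytool_listing(text):
    """Split `keytool -list -v` output into one dict per alias."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z ]+?): (.*)$", line)
        if not m:
            continue                      # fingerprints, dates, separators, etc.
        key, value = m.group(1), m.group(2).strip()
        if key == "Alias name":
            entries.append({"alias": value})
        elif entries and key in FIELDS and FIELDS[key] not in entries[-1]:
            entries[-1][FIELDS[key]] = value
    return entries

def find_unlinked_chains(entries):
    """Flag PrivateKeyEntry aliases whose chain holds only the leaf certificate."""
    trusted = {e.get("owner") for e in entries if e.get("type") == "trustedCertEntry"}
    findings = []
    for e in entries:
        if e.get("type") != "PrivateKeyEntry" or int(e.get("chain_length", "0")) != 1:
            continue
        if e.get("owner") == e.get("issuer"):
            findings.append((e["alias"], "key entry still holds only its self-signed certificate"))
        elif e.get("issuer") in trusted:
            findings.append((e["alias"], "issuer is in the store as trustedCertEntry but not in the key's chain"))
    return findings
```

A clean result is an empty list; a server alias that appears here is the case the thread is about, where the CA reply was imported beside the key instead of replacing its chain.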