Hello David;
As far as I know, the JKS keystore format maintains a link between private
keys and certificate chains. Maybe, when you imported your certificate, the
link between the key and the previously created self-signed certificate was
not updated. What does the command "keytool -list -v -keystore
myKeyStore.jks" return?
To create a new keystore containing only the key and the CA signed
certificate (and maybe additional sub-CA certificates if required) you
should:
1. export your keystore to the PKCS12 format:
   keytool -importkeystore -srckeystore myKeyStore.keystore \
     -destkeystore myKeyStore.p12 -deststoretype PKCS12 \
     -srcstorepass myPassword -deststorepass myPassword
2. extract the key in PKCS8 format with openssl:
   openssl pkcs12 -in myKeyStore.p12 -nodes
The private key is encoded with PEM (base64), starts with -----BEGIN RSA
PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
3. create a new PKCS12 file with openssl:
   openssl pkcs12 -export -in jenkins-cert.pem -inkey jenkins-key.pem \
     -name "friendly name" -out jenkins.p12
Optionally (I'm not sure whether Jenkins accepts PKCS12 encoded keystores)
you can re-encode this PKCS12 file into JKS format with the
"importkeystore" keytool command.
Hope this helps
--
JC
On Tuesday, 26 February 2013 09:14:38 UTC+1, David Doughty wrote:
>
> hi JC,
>
> I created the keystore with the self certified key a couple of weeks ago
> when I installed jenkins, and then generated a CSR. The root/intermediate
> and private key for the machine have been loaded into the same keystore.
>
> Jenkins is currently started with the following command
>
> java $JAVA_OPTS -jar $JENKINS_HOME/jenkins.war --prefix=$JENKINS_PREFIX
> --controlPort=$JENKINS_CONTROL_PORT --httpPort=$JENKINS_HTTP_PORT
> --ajp13Port=$JENKINS_AJP_PORT --httpsPort=$JENKINS_HTTPS_PORT
> --httpsKeyStore=$KEYSTORE --httpsKeyStorePassword=$KEYSTORE_PASSWORD
> --logfile=$LOGFILE &
>
> the variables are set as
>
> export JENKINS_PREFIX="/jenkins"
> export JENKINS_HOST="gbrpsr000000408"
> export JENKINS_CONTROL_PORT="8001"
> export JENKINS_HTTP_PORT="-1"
> export JENKINS_HTTPS_PORT=8444
> export KEYSTORE=/opt/jenkins/keystore/scmrm.jks
> export KEYSTORE_PASSWORD="Key\$t0re"
> export JENKINS_AJP_PORT="-1"
> export LOGFILE=$JENKINS_HOME/logs/access_`date +"%Y%m-%d"`.log
> export JAVA_OPTS="-Djava.awt.headless=true -XX:PermSize=512M
> -XX:MaxPermSize=2048M -Xmn128M -Xms1024M -Xmx2048M"
>
>
>
>
>
> On Monday, 25 February 2013 17:20:49 UTC, jcsirot wrote:
>>
>> Hello David,
>>
>> Can you give us more details on how you installed your keystore? Did you
>> have a single keystore containing both self-signed and CA issued
>> certificates? What params did you pass to Jenkins at start-up?
>>
>> --
>> JC
>>
>> On Monday, 25 February 2013 17:11:24 UTC+1, David Doughty wrote:
>>>
>>> I've been running jenkins 1.466.12.1 as jenkins on RHEL6.2 (we don't
>>> have root access), under https for a few weeks now, using a self signed
>>> certificate, no problems, other than the issues for end users and
>>> their browsers. We have now been issued an official certificate CA chain
>>> root-intermediate-server from our security team.
>>>
>>> Now the fun begins...
>>>
>>> At the moment I don't seem to be able to get Jenkins to recognize the
>>> official certificates at all; it only appears to start up with a keystore
>>> with the self signed certificate present, which is the only certificate
>>> presented to the client browser.
>>>
>>>
>>> https://wiki.jenkins-ci.org/display/JENKINS/Starting+and+Accessing+Jenkins
>>> at the bottom of this article it states - If your keystore contains
>>> multiple certificates (e.g. you are using CA signed certificate) Jenkins
>>> might end-up using a incorrect one. In this case you can convert the
>>> keystore to
>>> PEM <http://stackoverflow.com/questions/7528944/convert-ca-signed-jks-keystore-to-pem> and
>>> use following command line options.
>>>
>>> Yes, we use a CA signed certificate, and I'm not sure how it might
>>> decide to use the incorrect one......
>>>
>>> So, I've tried the link, which takes me to stackoverflow, and get as far
>>> as java ExportPriv <keystore> <alias> <password> > exported-pkcs8.key
>>> which falls over with a java null pointer exception....
>>>
>>> Does anyone else have a similar experience or is this something I have
>>> to work through independently, and why does Jenkins have a problem with
>>> keystores, and why can't it be fixed?
>>>
>>> thanks
>>>
>>> dD
>>>
>>>
>>>
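JC's three steps as one script, given as an added example that is not part of the original thread; it also checks that the CA-signed certificate belongs to the extracted key before the new PKCS12 is built. The function names, file arguments and the KS_PASS and P12_PASS environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. KS_PASS and P12_PASS are assumed
# environment variable names; reading passwords from the environment keeps
# them out of the process list.

# Steps 1-2: copy one alias out of the JKS and write its private key as PEM.
# Assumes the key password equals the keystore password.
extract_key() {  # extract_key <keystore.jks> <alias> <out-key.pem>
    tmp_dir=$(mktemp -d) || return 1
    rc=0
    ( umask 077   # key material must not be group/world readable
      keytool -importkeystore -srckeystore "$1" -srcalias "$2" \
          -srcstorepass:env KS_PASS -destkeystore "$tmp_dir/export.p12" \
          -deststoretype PKCS12 -deststorepass:env KS_PASS &&
      openssl pkcs12 -in "$tmp_dir/export.p12" -nocerts -nodes \
          -passin env:KS_PASS -out "$3" ) || rc=$?
    rm -rf "$tmp_dir"
    return "$rc"
}

# Succeeds only when the certificate carries the public key of this private key.
key_matches_cert() {  # key_matches_cert <key.pem> <cert.pem>
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Step 3: build a PKCS12 holding only the key, its certificate and the CA chain.
build_p12() {  # build_p12 <key.pem> <cert.pem> <chain.pem> <name> <out.p12>
    if ! key_matches_cert "$1" "$2"; then
        echo "refusing: $2 does not belong to key $1" >&2
        return 1
    fi
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
          -name "$4" -passout env:P12_PASS -out "$5" )
}

# Number of certificates stored in a PKCS12 file (server certificate plus chain).
count_certs() {  # count_certs <file.p12>
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}
```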