Importing Self Signed Certificates

keriburke edited this page Nov 17, 2017 · 12 revisions

This page covers adding certificates to the Java cacerts keystore.

Importing Self-Signed Certificates

Some TFS, Bugzilla and JIRA installations may use self-signed certificates. If they do, then in order for these components to work with ThreadFix, you will need to add the certificate to the Java keystore.

Obtaining the certificate

Using Firefox

First, you need to obtain the certificate. The easiest way to do this is to open a link to the Defect Tracker server in Firefox, then click

  1. "I Understand the Risks" text
  2. "Add Exception..." button
  3. "View..." button
  4. "Details" tab
  5. "Export..." button

Pick a location on your file system and you should be done.

Using OpenSSL

Another way to get the certificate, which works on a headless server, is openssl. Redirecting stdin from /dev/null makes s_client exit as soon as the handshake is done, -servername sends SNI so a virtual-hosted server returns its own certificate, and piping through openssl x509 keeps only the PEM certificate block in certfile:

openssl s_client -connect ${HOST}:${PORT} -servername ${HOST} </dev/null 2>/dev/null | openssl x509 -outform PEM > certfile

Root Certificate Authorities (CAs)

For some root or intermediate CAs the steps may vary. On our Active Directory Certificate Services server, the root CA was found at http://<host-name>/certsrv/certcarc.asp and there was a link to download the .cer file with the text "Download CA certificate".

Importing a root CA lets ThreadFix talk to every site whose certificate chains to that root CA. So if your company has a root CA that all of its internal servers use, import that root CA into the Java keystore with the steps below and ThreadFix shouldn't run into this problem for any of your servers.

Adding the Certificate to the Java Keystore

Next we'll use the keytool program to import the certificate.

The keytool is found in either {JDK_HOME}/jre/bin or {JRE_HOME}/bin, for JDKs and JREs respectively. Its cacerts store will usually be in {JRE_HOME}/lib/security. Note that the ThreadFix zip distribution uses a JRE, and its keytool is located in /path/to/threadfix/java/bin. The correct ThreadFix zip cacerts store is at /path/to/threadfix/java/lib/security/cacerts.

Once the tool is located, the command is:

keytool -import -alias {your domain alias} -file /path/to/downloaded_cert -keystore /path/to/cacerts

The keytool will ask you for a password (default is "changeit") and ask whether you want to trust the cert. Enter "y" when prompted.

The cacerts file is located by default at /System/Library/Frameworks/JavaVM.framework/Home/lib/security on a Mac OS X system, and /path/to/JRE/lib/security on Linux and Windows.

If Tomcat is already running, you will also need to restart it so the updated keystore is loaded.

NB: If restarting Tomcat isn't sufficient, you might have to specify where your keystore is by adding these parameters to your Tomcat startup:

-Djavax.net.ssl.trustStore=/path/to/keystore -Djavax.net.ssl.trustStorePassword=<keystore_password>
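The openssl and keytool steps above, as an added example that is not part of the ThreadFix wiki: it splits the chain a server sends into PEM blocks, lets you pick the CA to trust, shows its fingerprint for an out-of-band check, and imports it only if the alias is not already in cacerts. Hostnames, aliases and keystore paths are placeholders.

```shell
# Added example, not from the ThreadFix wiki: split the chain a server sends into
# PEM blocks, pick the CA to trust and import it with keytool. Placeholders throughout.

# Keep only the PEM certificate blocks from "openssl s_client" output on stdin.
extract_pem_blocks() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Number of certificates on stdin (server cert first, then the CAs it sent).
count_pem_blocks() {
    extract_pem_blocks | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print the N-th certificate (1-based) from stdin. The last block is the highest
# CA the server sent: import that one to trust every server signed by the CA.
nth_pem_block() {
    extract_pem_blocks | awk -v want="$1" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == want { print }'
}

# Fetch the chain from a live server. </dev/null stops s_client waiting on
# stdin; -servername sends SNI so a virtual-hosted server returns its own cert.
fetch_chain() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# SHA-256 fingerprint of a PEM file, to check against the value the server or
# CA admin gives you out of band before trusting it.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Import a PEM file into a cacerts store unless the alias is already there.
# -trustcacerts lets keytool chain against CAs already present in the store.
import_cert() {
    cert_alias=$1; certfile=$2; keystore=$3; storepass=${4:-changeit}
    if keytool -list -alias "$cert_alias" -keystore "$keystore" -storepass "$storepass" >/dev/null 2>&1; then
        echo "alias '$cert_alias' already present in $keystore" >&2
        return 0
    fi
    keytool -importcert -noprompt -trustcacerts -alias "$cert_alias" -file "$certfile" \
        -keystore "$keystore" -storepass "$storepass"
}

# Usage with placeholders:  fetch_chain jira.example.internal > chain.pem
#   nth_pem_block "$(count_pem_blocks < chain.pem)" < chain.pem > rootca.pem
#   fingerprint rootca.pem    # compare out of band, then:
#   import_cert corp-root-ca rootca.pem /path/to/threadfix/java/lib/security/cacerts
```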