Introduction
The following concepts are needed to fully understand this article.
Intermediate Certificate
An intermediate certificate is a subordinate certificate issued by the trusted root specifically to issue end-entity server certificates. The result is a certificate chain known as Chained Root Certificates or Chain of Trust.
- The client sends a request to the SSL server.
- The server responds with the Identity and Intermediate certificates.
- The client confirms the authenticity of the Intermediate certificate by verifying its digital signature with the Root CA public key.
- Next, the client confirms the authenticity of the Identity certificate by verifying its digital signature with the Intermediate's public key.
- The client then checks that the URL being requested matches the DN (Distinguished Name) within the Identity Certificate.
- Traffic is then encrypted/decrypted by a) the client using the public key and b) the server using the private key.
Filename extensions for X.509 certificates
Common filename extensions for X.509 certificates:
- .pem: (Privacy-enhanced Electronic Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
- .cer, .crt, .der: usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
- .p7b, .p7c: PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
- .p12: PKCS#12, may contain certificate(s) (public) and private keys (password protected)
- .pfx: PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)
On the other hand, .key is a file containing just the private key of a specific certificate; it is merely a conventional name, not a standardized one. It is .pem formatted.
Issue
- Installing SSL certificate chains in Jetty.
- How to publish Jenkins using HTTPS with an intermediate certificate.
- The Chained Root Certificates or Chain of Trust is broken.
Environment
- CloudBees Jenkins Enterprise
- CloudBees Operation Center
- Jenkins and the embedded Jetty HTTPS
Resolution
Requirements:
- An existing SSL cert for Jenkins. As an example, $MYJENKINS.pfx is used here, but other formats are also possible.
- Identity Certificate file, also known as Domain Certificate: $IDENTITY.crt.
- Intermediate Certificate, which should have the same class as your Domain Certificate: $INTERMEDIATE.crt.
- Root Certificate: $ROOT.crt
Notes:
a. Each of the certificates (2, 3 and 4) starts with -----BEGIN CERTIFICATE-----. Please make sure there is an end-of-line at the end of each file.
b. Certificates 3 and 4 should be available to download from your SSL Issuer.
Steps:
1. Extract the private key from your own SSL certificate into a .key file. By default, the extracted key is in .pem format; it is later converted into PKCS#12 because that is the format required by the Jetty Winstone container.
openssl pkcs12 -nocerts -in $MYJENKINS.pfx -out $MYJENKINS.key
2. cat together all the certificates in the chain. Order is important: identity first, then intermediate, then root.
cat $IDENTITY.crt $INTERMEDIATE.crt $ROOT.crt > $NAME.chain.txt
3. Combine the certificates and the private key into a .p12 file.
openssl pkcs12 -export -inkey $MYJENKINS.key -in $NAME.chain.txt -out $NAME.chain.p12
4. Finally, create a keystore containing it all. Make sure the keystore file does not already exist.
keytool -importkeystore -srckeystore $NAME.chain.p12 -srcstoretype PKCS12 -destkeystore $MYJENKINS.keystore
5. Test that the 3 certificates are included in the keystore.
keytool -list -v -keystore "/path/to/$MYJENKINS.keystore"
Output similar to the following should be displayed in the terminal:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: 1
Creation date: Jun 24, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=*.$YOUR_DOMAIN.com, ...
Issuer: CN=$YOUR_ISSUER Secure Certificate Authority ...
...
Certificate[2]:
Owner: CN=$YOUR_ISSUER Secure Certificate Authority ...
Issuer: CN=$YOUR_ISSUER Root Certificate Authority ....
...
Certificate[3]:
Owner: CN=$YOUR_ISSUER Root Certificate Authority ...
Issuer: CN=$YOUR_ISSUER Root Certificate Authority ...
...
Notes:
a. If you have set up different Jenkins environments (for instance TEST, DEV and PROD), steps 2 to 5 should be repeated in each of those environments.
b. The resulting $MYJENKINS.keystore file must then be copied to each machine, to the path given by the --httpsKeyStore=/path/to/$MYJENKINS.keystore parameter in the Jenkins Arguments.
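As an added check for the chain file built in step 2 (example code written for this article, not part of the original procedure), the following POSIX shell script verifies that the concatenated file is ordered identity, intermediate, root, that the last certificate is self-signed, and that openssl accepts the leaf against that root. It assumes the openssl CLI is on PATH; the function names are the example's own.

```shell
# Added example, not part of the original article: sanity-check the chain file
# from step 2 (identity, intermediate, root, in that order) before packing it
# into PKCS#12 for Jetty. Assumes the openssl CLI is on PATH; names are my own.

# split_chain FILE DIR: write each PEM block to DIR/cert<N>.pem, print the count
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# dn_field subject|issuer FILE: print that DN in a fixed (RFC 2253) form
dn_field() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed "s/^$1=//"
}

# check_chain FILE: return 0 when each certificate is issued by the next one,
# the last one is self-signed (the root) and openssl verify accepts the leaf
check_chain() {
    file=$1
    # Note a. above: a missing end-of-line fuses two PEM blocks into one line
    if grep -q 'END CERTIFICATE----------BEGIN' "$file"; then
        echo "$file: missing end-of-line between two certificates" >&2; return 1
    fi
    dir=$(mktemp -d) || return 1
    count=$(split_chain "$file" "$dir"); rc=0; i=1
    [ "$count" -ge 2 ] || { echo "$file: only $count certificate(s), no chain" >&2; rc=1; }
    while [ "$rc" -eq 0 ] && [ "$i" -lt "$count" ]; do
        if [ "$(dn_field issuer "$dir/cert$i.pem")" != "$(dn_field subject "$dir/cert$((i + 1)).pem")" ]; then
            echo "$file: certificate $i is not issued by certificate $((i + 1))" >&2; rc=1
        fi
        i=$((i + 1))
    done
    if [ "$rc" -eq 0 ] && [ "$(dn_field issuer "$dir/cert$count.pem")" != "$(dn_field subject "$dir/cert$count.pem")" ]; then
        echo "$file: last certificate is not a self-signed root" >&2; rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        # Cryptographic check: the root is the trust anchor, the rest is untrusted
        set -- -CAfile "$dir/cert$count.pem"
        k=2
        while [ "$k" -lt "$count" ]; do cat "$dir/cert$k.pem" >> "$dir/untrusted.pem"; k=$((k + 1)); done
        [ "$count" -gt 2 ] && set -- "$@" -untrusted "$dir/untrusted.pem"
        openssl verify "$@" "$dir/cert1.pem" >/dev/null || rc=1
    fi
    rm -rf "$dir"
    return "$rc"
}
```

Run it as check_chain $NAME.chain.txt before step 3; a non-zero exit and the message on stderr tell you which link of the chain is wrong.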
References
- SSL Certificate Verification
- SSL certificate validation tool to check whether the Chained Root Certificates or Chain of Trust is broken.