
Installing Your Own SSL Certificate For HTTPS Console Access

Applies to:
  • CrashPlan PROe

Overview

The enterprise server includes a self-signed SSL certificate that can be used for secure access to the administration console. While this approach is secure, accessing the administration console with a web browser can result in security warnings.

To eliminate browser security warnings, you can install a certificate signed by a recognized certificate authority (CA). This is very similar to the process of installing an SSL certificate for a standard web server.

Certificate Configuration Process

The enterprise server accepts SSL certificates bundled together in a Java keystore file. The keystore contains:

  • The SSL certificate and private key for the enterprise server
  • A certificate for the CA that signed the enterprise server SSL certificate
  • Intermediate certificates that establish a chain of trust between the CA and the enterprise server SSL certificate

You must create the keystore using the external keytool utility or openssl utility before applying it to the enterprise server from the administration console.

Before You Begin

  • An enterprise server with an incorrectly configured keystore will not start. Verify you have all necessary intermediate certificates before building your keystore.
  • Verify that your private key or certificate is PEM-encoded.
  • Install the Java Development Kit (JDK), which provides the needed keytool utility. Although the keytool is also distributed with the Java Runtime Environment (JRE), the JRE may not add the keytool to the path variable.

Considerations

  • For multi-server Code42 environments, we recommend applying this process to all enterprise servers.
  • You must have the Administrator or SYSADMIN role to install an SSL certificate on your enterprise server.
  • This article assumes you are familiar with the following:
Need Assistance? 
Assistance with handling a certificate signing request (CSR) or creating your keystore is beyond the scope of Customer Champions. For assistance, please contact Sales.

Steps

Step 1: Build The Keystore

Building a Java keystore is the first step in configuring your enterprise server to use your own CA-signed SSL certificate. If you have an existing private key and corresponding X.509 certificate (referred to collectively as key materials), you can re-use them. You can also start from scratch, creating new key materials as needed. The steps are different, depending on what existing key materials you have:

Without Existing Key Materials

Follow this set of steps if you have no private keys or certificates from a CA and need to create them from scratch.

Keypass and Storepass Parameters
You must use the same password for the keystore and the private key. You may use any string you wish for these parameters, but they must both be set to the same value.
  1. Use the keytool utility to generate the Java keystore file (.jks) with a private key, along with a certificate signing request file (.csr).
    keytool -genkey -alias server -keyalg RSA -keysize 4096 -keystore fqdn_domain_com.jks -dname "CN=master-server.example.com,OU=Documentation, O=Code42 Software, L=Minneapolis, ST=Minnesota, C=US" && keytool -certreq -alias server -file fqdn_domain_com.csr -keystore fqdn_domain_com.jks
    • Replace fqdn_domain_com.jks with the name of the keystore file to create.
    • Replace the distinguished name string (dname) with values appropriate for your organization.
    • Replace fqdn_domain_com.csr with the name of the certificate signing request (CSR) file to create.
    • If you need additional guidance, use DigiCert's Java Keytool CSR Wizard to create the appropriate command for your environment.
  2. When prompted, enter a password for the keystore.
  3. When prompted, enter the same password for the private key.
  4. Submit the CSR to your certificate authority:
    • Submit the certificate request as a re-key (or a new request) to the certificate provider.
    • You will receive the new certificate along with intermediate certificates.
    • The CA should provide a PKCS#7 certificate or a sequence of X.509 certificates.
  5. Import the certificates from your certificate authority (CA) into the keystore:
    • If you received a PKCS#7 file, run the following command:
      keytool -import -trustcacerts -alias server -file your_site_name.p7b -keystore fqdn_domain_com.jks
    • If you received a sequence of X.509 certificates, import each certificate in order of root, intermediate, and server:
      keytool -import -trustcacerts -alias root -file root.crt -keystore fqdn_domain_com.jks
      keytool -import -trustcacerts -alias intermediate -file intermediate.crt -keystore fqdn_domain_com.jks
      keytool -import -trustcacerts -alias server -file server.crt -keystore fqdn_domain_com.jks
      
  6. Confirm the contents of the keystore file:
    keytool -list -v -keystore fqdn_domain_com.jks
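
When reading the listing from step 6, the useful signal is whether the server alias still holds the private key and now carries the CA's chain rather than the original self-signed certificate. The following is an added example, not part of the original article or Code42's tooling; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Code42 code). Reads `keytool -list -v` output on stdin and
# checks that the alias holds the private key plus a CA-issued chain.
# Real use:
#   keytool -list -v -keystore fqdn_domain_com.jks | check_keystore_listing server

check_keystore_listing() {
    awk -v want="$1" '
        BEGIN { len = 0 }
        /^Alias name: /  { cur = substr($0, 13) }
        cur == want && /^Entry type: /  { type = substr($0, 13) }
        cur == want && /^Certificate chain length: /  { len = $4 + 0 }
        END {
            if (type == "") { print "FAIL: alias not found"; exit 1 }
            if (type != "PrivateKeyEntry") { print "FAIL: " type ", private key missing"; exit 1 }
            if (len < 2) { print "FAIL: chain length " len ", CA reply not installed"; exit 1 }
            print "OK: PrivateKeyEntry, chain length " len
        }'
}

# Constructed sample of the listing after step 5 (abridged, not real output).
sample_listing() {
cat <<'EOF'
Keystore type: JKS

Your keystore contains 3 entries

Alias name: root
Entry type: trustedCertEntry

Alias name: intermediate
Entry type: trustedCertEntry

Alias name: server
Entry type: PrivateKeyEntry
Certificate chain length: 3
EOF
}

sample_listing | check_keystore_listing server
```

A chain length of 1 on the server alias means the keystore still contains only the self-signed certificate generated in step 1.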

Follow the instructions under Step 2: Configure Enterprise Server To Use Your Keystore to complete setup.

Re-Use Existing Key Materials (non-Windows)

Use this option if you wish to re-use an existing private key/certificate combination from another application and you are running on a platform other than Windows. These instructions assume that both your private key and certificate are PEM-formatted.

  1. Convert the PEM-formatted private key into a PKCS8-formatted key:
    openssl pkcs8 -topk8 -nocrypt -outform DER -in mykey.pem -out mykey.pkcs8
  2. Build a Java keystore from the PKCS8-formatted private key and PEM-formatted certificate. We provide a utility program called Keystore Builder to assist with this process.
    1. Compile Keystore Builder using the following command:
      javac KeystoreBuilder.java
      You must have a functioning Java Development Kit (JDK) installed in order to compile Keystore Builder.
    2. After Keystore Builder is compiled, run it to generate your keystore.
      • Usage:
        java KeystoreBuilder <private_key_file> <cert_file> <output_keystore> tomcat <password>
      • Example command:
        java KeystoreBuilder mykey.pkcs8 mycert.der keystore.jks tomcat somepassword
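
Because an enterprise server with an incorrectly configured keystore will not start, it is worth checking the key material before building the keystore. The following is an added example, not part of the original article or Code42's tooling: it checks that the files are PEM, that the private key matches the certificate, and that the chain verifies. The function names are illustrative, `root.crt` and `intermediate.crt` are the CA files named in the import step earlier, and the `openssl` command is assumed to be on the path.

```shell
#!/bin/sh
# Added example (not Code42 code): pre-flight checks on PEM key material.
# mykey.pem / mycert.pem follow the article; function names are illustrative.

# Print the label of the first PEM block in a file, or "not-pem" (e.g. DER).
pem_label() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${label:-not-pem}"
}

# Succeed only if the certificate ($2) carries the public key of the key ($1).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# Succeed only if the server cert ($3) chains to the root ($1) through the
# intermediates ($2). Matches the "file: OK" line rather than the exit code.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# usage: preflight mykey.pem mycert.pem root.crt intermediate.crt
preflight() {
    case $(pem_label "$1") in
        *"PRIVATE KEY") ;;
        *) echo "key: expected a PEM private key" >&2; return 1 ;;
    esac
    [ "$(pem_label "$2")" = "CERTIFICATE" ] || { echo "cert: not PEM" >&2; return 1; }
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; return 1; }
    chain_ok "$3" "$4" "$2" || { echo "chain does not verify" >&2; return 1; }
    echo "key material is consistent"
}

if [ "$#" -eq 4 ]; then preflight "$@"; fi
```

The `-nocrypt` option in step 1 writes the private key to disk unencrypted, so run the conversion under `umask 077` and delete `mykey.pem` and `mykey.pkcs8` once the keystore has been imported.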

Follow the instructions under Step 2: Configure Enterprise Server To Use Your Keystore to complete setup.

Re-Use Existing Key Materials (Windows)

Follow these steps to re-use an existing private key/certificate combination from another application if you are running on Windows.

Key materials on Windows platforms are typically PKCS12-formatted and need to be converted to PEM in order to create the keystore. A PFX file, which is often used to define key information for IIS for Windows, is an example of a PKCS12-formatted file. You must first convert all keys and certificates to PKCS8 before building the keystore.

  1. Extract the certificate from the PKCS12-formatted file into a PEM-formatted certificate. Example command:
    openssl pkcs12 -clcerts -nokeys -in foo.pkcs12 -out mycert.pem
  2. Extract the private key from the PKCS12 file into a PEM-formatted private key. Example command:
    openssl pkcs12 -nodes -nocerts -in foo.pkcs12 -out mykey.pem
  3. Convert certificate from PEM to DER. Example command:
    openssl x509 -inform pem -in mycert.pem -outform DER -out mycert.der
  4. Convert the PEM-formatted private key into a PKCS8-formatted key. Example command:
    openssl pkcs8 -topk8 -nocrypt -outform DER -in mykey.pem -out mykey.pkcs8
  5. Build a Java keystore from the PKCS8-formatted private key and DER-formatted certificate. We provide a utility program called Keystore Builder to assist with this process.
    1. Compile Keystore Builder using the following command:
      javac KeystoreBuilder.java
      You must have a functioning Java Development Kit (JDK) installed in order to compile Keystore Builder.
    2. After Keystore Builder is compiled, run it to generate your keystore.
      • Usage:
        java KeystoreBuilder <private_key_file> <cert_file> <output_keystore> tomcat <password>
      • Example command:
        java KeystoreBuilder mykey.pkcs8 mycert.der keystore.jks tomcat somepassword

Follow the instructions under Step 2: Configure Enterprise Server To Use Your Keystore to complete setup.

Step 2: Configure Enterprise Server To Use Your Keystore

  1. Sign in to the administration console.
  2. Go to Settings > Security > Keys.
  3. Click Import Keystore.
  4. Click Choose File.
  5. Navigate to the location where your keystore was saved and select your keystore.
  6. Enter your keystore Password.
  7. Click Save.
  8. Restart the enterprise server service.

Configuration Troubleshooting

The key creation and the conversion steps, which happen outside the administration console, are the most common sources of trouble in this process. We recommend these troubleshooting steps:

If you are still having trouble and would like configuration assistance, please contact Sales to discuss consulting options.

PEM Formatting

PEM-formatted keys and certificates can usually be identified by the distinct “BEGIN” and “END” blocks at the top and bottom of the file (respectively).

Example PEM-formatted private key:

-----BEGIN DSA PRIVATE KEY-----
MIIBvAIBAAKBgQDjfcGLU+2NKUidI0mQ7EfiEWCc2/QLDYwfyl6t3YMMVRePWYUz
Pjom3A98G8VEhE8i+Ry3VMjmrmeRTljORWh7drvA+R48QIUC0sKbHY0TjshpNKjC
WjAiMRMwEQYDVQQDDApTY290dCBQb3N0MQswCQYDVQQGEwJVUzCCASIwDQYJKoZI
hvcNAQEBBQADggEPADCCAQoCggEBAMbaRZVgQw2NwsE3HmSpcYFiaQwe0dU5iESm
l0koBSvbIBkoFm2VGl7JTmRkORFXuoJuXaf7mLOJzq0DYtl5MR4c+UyjFeXGoKvJ
0Vwp9QKT+yVsCWghrBWQYj3myvrOGg0ydw6buDNIRYY71lYoVzQKw6NddseP3Gp9
4Pch6BKyAoGAGxqWTZsPe2lp/lz3LmmbpJoLRbE9OWBa5rVCuRM21qSRDDzQ0R4X
/cWW1kIC5n6NpVEMu+b70q3NyAK8AuFN+Ezfw+LgpvCI+Ae27bjj7AJxMD8161UG
e45Qiv20THFFqw/zP7DHG6tFdT06ss6xjw+ausphZGRhU8xBBR+NF3sCFQCiAvaI
xWsrP2Z1777gMC1rrOdhqg==
-----END DSA PRIVATE KEY-----


Example PEM-formatted certificate:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

External Resources