- Universal Device Service
During the installation of the Universal Device Service, the installation process creates a self-signed certificate to support SSL communications with a web browser and the administrative console. This certificate is created following the SHA-2 security standards using Java 7. This certificate is not the same as the certificates used for the Communication or Core modules, and is also not the same as the Apple Push Notification Service certificate. This SSL certificate is stored in the Java keystore similar to other BlackBerry Administration Service console products. Administrators accessing the Universal Device Service administrative console can either import the self-signed certificate, or administrators can choose to replace the self-signed certificate with one issued by a trusted Certificate Authority.
Some key factors to know ahead of time:
- The Java Keytool is located (by default) at: C:\Program Files (x86)\Research In Motion\Universal Device Service\RIM.BUDS.Gui\jre\bin
- The certificate keystore is located (by default) at: C:\Program Files (x86)\Research In Motion\Universal Device Service\RIM.BUDS.Gui\ssl
- The keystore file that stores the certificate is named keystore, with no extension.
- These steps assume that the keystore password is password, and that the new keypair password will be password.
- The Trusted Certificate Authority's requirements for a web server SSL certificate will be needed (see Task 2), such as private key size, key algorithm (RSA), and Distinguished Name.
Task 1 - Delete the existing Self-Signed Certificate from the keystore
- Open a Command Window as Administrator.
- Navigate to the folder where the certificate keystore is located.
cd "C:\Program Files (x86)\Research In Motion\Universal Device Service\RIM.BUDS.Gui\ssl"
- Back up the keystore file.
- List the contents of the keystore file:
..\jre\bin\keytool.exe -list -keystore keystore -v -storepass password
An example output is displayed here:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
buds.gui.sslcert, Aug 11, 2012, trustedCertEntry,
Certificate fingerprint (SHA1): 7B:45:8F:2C:F2:FF:AF:3A:8F:8B:1E:D0:2C:12:83:3F:1D:F3:77:E0
buds.gui.ks.tomcat, Aug 11, 2012, PrivateKeyEntry,
Certificate fingerprint (SHA1): F4:24:8E:B7:3C:91:18:87:53:5A:8F:05:ED:F0:47:28:98:BB:BB:51
- Delete the self-signed certificate with the alias of buds.gui.ks.tomcat:
..\jre\bin\keytool.exe -delete -alias buds.gui.ks.tomcat -keystore keystore -storepass password -v
- List the keystore file to ensure it has only one entry (for buds.gui.sslcert).
..\jre\bin\keytool.exe -list -keystore keystore -v -storepass password
Task 2 - Generate a new certificate with a private key
- Reference the Trusted Certificate Authority for settings to use here.
- While still in the same command window as in Task 1:
..\jre\bin\keytool.exe -genkeypair -alias buds.gui.ks.tomcat -dname "cn=fqdn_of_server.example.com, ou=OU_Info, o=UDS, l=City, s=State, c=US" -keypass password -keyalg RSA -keysize 2048 -keystore "<keystore cert file path>" -storepass password -validity 180
Enter key password for
(Return if same as keystore password):
- This command will prompt to enter a password for this specific key. By pressing Enter or Return, the command will use the same password for this entry as the keystore password.
Task 3 - Generate a certificate request to be submitted to the Trusted Certificate Authority
- Reference the Certificate Authority for settings to use here.
- Create the certificate request:
..\jre\bin\keytool.exe -certreq -alias buds.gui.ks.tomcat -keypass password -keystore keystore -storepass password -keyalg RSA -keysize 2048 -file "c:\Users\svc_uds\Desktop\GUICert.req"
Task 4 - Submit the request to the Trusted Certificate Authority.
This process will assume an internal Microsoft Certificate Authority is being used.
- Connect to the certificate authority web service via a supported web browser.
http://domaincontroller.example.com/certsrv
- Click on Request a certificate
- Click on Advanced certificate request
- Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
- Open the certificate file generated from Task 3 with Notepad.
- Copy the entire contents of the file except the last carriage return. Select the -- Begin -- to the -- End -- segments.
- Paste the contents into the available box in the browser.
- Select a Web Server Template from the template drop-down list.
- In the Additional Attributes section, add any valid Subject Alternative Names in this format (include the name used in the CN= section of Task 2):
dns=udsserver.example.com&dns=fqdn_of_uds_server.example.com
This is useful if the primary URL for the BlackBerry Mobile Fusion Studio is a DNS alias for a physical server name. It is best practice to make the first Subject Alternative Name the same name as the primary URL, and then add any physical server names as Fully Qualified Domain Names. Do not prefix with http.
- Click Submit.
- Save the certificate.
- Select DER encoded.
- Click Download certificate.
- Save the certificate as udsbascert.cer, and save to a folder easily accessible by the command window session.
- Save any root and intermediate certificate authority certificates.
- Click Home
- Click on Download a CA certificate, certificate chain, or CRL
- Click on Download a CA certificate
- Save the certificate as udsbasrootcacert.cer
Task 5 - Import the certificates into the keystore
- Import the Root Certificate Authority certificate into the keystore
..\jre\bin\keytool -import -alias cacert -keystore keystore -storepass password -file "c:\Downloads\udsbasrootcacert.cer"
- When prompted to Trust this certificate, enter Yes.
- The response will be Certificate has been added to keystore
- Import any Intermediate Certificate Authority certificates into the keystore with the same command as in step 1. However, use a different alias. A sample command would look like this:
..\jre\bin\keytool -import -alias cacert2 -keystore keystore -storepass password -file "C:\Downloads\rootcacert2.cer"
- Import the signed certificate response to match the certificate request generated in Task 3.
..\jre\bin\keytool -import -alias buds.gui.ks.tomcat -keystore keystore -storepass password -file "C:\Downloads\udsbascert.cer"
- The response will be Certificate Reply was installed in keystore
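An added check, not part of the original article: before restarting the services in Task 6, the verbose keystore listing can be parsed to confirm that the CA reply landed on the key pair under the expected alias and is chained to the imported CA certificate. The function names are illustrative, and the sample listing is constructed and assumes the standard field labels printed by keytool -list -v.

```python
import re

ALIAS = "buds.gui.ks.tomcat"  # key-pair alias used in the tasks above

# Constructed sample of `keytool -list -v` output, trimmed to the fields checked.
SAMPLE = """\
Alias name: cacert
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Issuer: CN=Example Root CA

Alias name: buds.gui.ks.tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=uds.example.com, O=UDS
Issuer: CN=Example Root CA
"""

def parse_entries(text):
    """Return {alias: fields} parsed from verbose keytool listing output."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        lines = [ln.strip() for ln in block.splitlines()]
        fields = {"type": None, "chain": 0}
        for ln in lines[1:]:
            key, _, value = ln.partition(": ")
            if key == "Entry type":
                fields["type"] = value
            elif key == "Certificate chain length":
                fields["chain"] = int(value)
            elif key in ("Owner", "Issuer") and key not in fields:
                fields[key] = value  # first occurrence belongs to the leaf certificate
        entries[lines[0]] = fields
    return entries

def check_keystore(text, alias=ALIAS):
    """Return a list of problems; an empty list means the CA reply is installed."""
    entries = parse_entries(text)
    entry = entries.get(alias)
    if entry is None:  # e.g. the key pair was generated under a mistyped alias
        return ["no entry named %s (found: %s)" % (alias, ", ".join(sorted(entries)))]
    checks = [
        (entry["type"] != "PrivateKeyEntry", "entry is %s, not PrivateKeyEntry" % entry["type"]),
        (entry.get("Owner") == entry.get("Issuer"), "certificate is still self-signed"),
        (entry["chain"] < 2, "chain length %d: CA certificate not chained" % entry["chain"]),
    ]
    return [message for failed, message in checks if failed]

if __name__ == "__main__":
    print(check_keystore(SAMPLE) or "OK")
```

To check a real keystore, redirect the output of the listing command from Task 1 to a file and pass its contents to check_keystore in place of SAMPLE.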
Task 6 - Restart the BlackBerry services
- Open the Services applet
- Locate the service BlackBerry Administration Console
- Right-click on BlackBerry Administration Console service and select Stop
- Right-click on BlackBerry Scheduler service and select Stop
- Right-click on BlackBerry Web Services service and select Stop
- Start these same services in order.

