How to replace the self-signed certificate for BlackBerry Mobile Fusion Studio

• BlackBerry® Mobile Fusion Studio

During the installation of the BlackBerry® Mobile Fusion Studio, the installation process creates a self-signed certificate for the web service. The normal process would have the administrators view the self-signed certificate and use the browser to add the certificate to their local certificate keystore as a trusted certificate. However, some environments would prefer not to perform this step, and would rather to use a certificate signed by a trusted certificate authority.

There are some key factors to know ahead of time.

1. The BlackBerry Mobile Fusion Studio uses a Java® keystore, similar to the current functionality of the various BlackBerry Administration Service products currently available. This keystore is located in the installation location (defaults to C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio). If this service is installed on a 32-bit operating system, then the path may be C:\Program Files\Research In Motion\BlackBerry Mobile Fusion Studio. The keystore file is called BlackBerryMobileFusion.keystore.
2. The keystore file is protected by a password. This password is assigned during the installation process. The default during the installation is password, but the installation process forces the administrator to assign a different password. Knowledge of this password is required in order to proceed. The example here will assume that the password has been set to Passw0rd.
3. The location of where Java is installed is also key. By default, the installation process will install Java 1.6.0 into C:\Program Files (x86)\Java. For this example, jre1.6.0_31 was used. The Java keytool.exe is used to manage the keystore file, and in this example, is located at C:\Program Files (x86)\Java\jre1.6.0_31\bin.
4. Requirements for an SSL certificate from the Trusted Certificate Authority will be needed (see Task 2).
5. Private Key Size (some are 1024, most are 2048)
6. Key Algorithm (some require RSA)
7. Distinguished Name (items that may need to be provided into the -dname switch in Task 2. Do not prefix the fully qualified domain name with https://.

Task 1 - Delete the existing Self-Signed Certificate from the keystore

1. Open a Windows Command window as Administrator.
2. Navigate to the Java folder where keytool.exe resides.
   cd C:\Program Files (x86)\Java\jre1.6.0_31\bin
3. List the current contents of the keystore.
   keytool.exe -list -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio\BlackBerryMobileFusion.keystore" -storepass Passw0rd
4. Delete the self-signed certificate. The alias used is fusionssl.
   keytool.exe -delete -alias fusionssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio\BlackBerryMobileFusion.keystore" -storepass Passw0rd

Task 2 - Generate a new certificate with a private key

1. Reference the Certificate Authority for settings to use here.
2. While still in the same command window as in Task 1:
   keytool.exe -genkey -alias fusionssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio\BlackBerryMobileFusion.keystore" -storepass Passw0rd -dname "CN=bmfs.example.com, OU=BMFS, O=RIM, L=Waterloo, ST=ON, C=CA" -keyalg RSA -keysize 2048
   Enter key password for <fusionssl>
   (RETURN if same as keystore password):
3. This command may prompt to enter a password for this specific key. Enter a key password for this new key. The prompt as seen above allows to press the Enter or Return key to use the same password as the keystore password.

Task 3 - Generate a certificate request to be submitted to the Trusted Certificate Authority

1. Reference the Certificate Authority for settings to use here.
2. Create the certificate request
   keytool.exe -certreq -alias fusionssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio\BlackBerryMobileFusion.keystore" -storepass Passw0rd -keyalg RSA -keysize 2048 -file "c:\Downloads\bmfscertreq.csr"

Task 4 - Submit the request to the Trusted Certificate Authority. 

This process will assume an internal Microsoft Certificate Authority is being used

1. Connect to the certificate authority web service via a supported web browser.
   http://domaincontroller.example.com/certsrv
2. Click on Request a certificate
3. Click on Advanced certificate request
4. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
5. Open the certificate file generated from Task 3 with Notepad.
6. Copy the entire contents of the file except the last carriage return. Select the -- Begin -- to the -- End -- segments.
7. Paste the contents into the available box in the browser.
8. Select a Web Server Template from the template drop-down list.
9. In the Additional Attributes section, add any valid Subject Alternative Names with this format:
   dns=bmfs.example.com&dns=bmfsserver.example.com
   This is useful if the primary URL for the BlackBerry Mobile Fusion Studio is a DNS alias for a physical server name. It is best practices to load the first Subject Alternative Name to be the same name as the primary URL, and then load any physical server names as Fully Qualified Domain Names.
10. Click Submit.
11. Save the certificate.
    1. Select DER encoded.
    2. Click Download certificate.
    3. Save the certificate as bmfscert.cer, and save to a folder easily accessible by the command window session.
12. Save any root and intermediate certificate authority certificates.
    1. Click Home
    2. Click on Download a CA certificate, certificate chain, or CRL
    3. Click on Download a CA certificate
    4. Save the certificate as cacert.cer

 Task 5 - Import the certificates into the keystore

1. Import the Root Certificate Authority certificate into the keystore
   keytool.exe -import -alias cacert -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio\BlackBerryMobileFusion.keystore" -storepass Passw0rd -file "C:\Downloads\cacert.cer"
2. When prompted to Trust this certificate, enter Yes.
3. The response will be Certificate has been added to keystore
4. Import any Intermediate Certificate Authority certificates into the keystore with the same command as in step 1. However, use a different alias. A sample command would look like this:
   keytool.exe -import -alias cacert2 -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio\BlackBerryMobileFusion.keystore" -storepass Passw0rd -file "C:\Downloads\cacert2.cer"
5. Import the signed certificate response to match the certificate request generated in Task 3.
   keytool.exe -import -alias fusionssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Mobile Fusion Studio\BlackBerryMobileFusion.keystore" -storepass Passw0rd -file "C:\Downloads\bmfscert.cer"
6. The response will be Certificate Reply was installed in keystore

 Task 6 - Restart the BlackBerry Mobile Fusion Studio service

1. Open the Services applet
2. Locate the service BlackBerry Mobile Fusion Studio
3. Right-click on BlackBerry Mobile Fusion Studio service and select Restart

When re-running the BlackBerry Mobile Fusion Studio installer to load additional Mobile Device Management Domains, this process will not overwrite the keystore file. This process will only alter the addition or removal of specific certificates for those domains. The Domain Label is used as the alias in the keystore. However, if the administrator used the function of the installer to regenerate the BlackBerry Mobile Fusion Studio certificate, it will replace the fusionssl alias certificate with a new self-signed certificate. In this case, the steps listed in the Overview will need to be repeated.