How to replace a self-signed SSL certificate with a custom certificate after the installation of BlackBerry Device Service 6.2

Article ID: KB32802

Type: Support Content

Last Modified: 06-06-2013

 

Product(s) Affected:

  • BlackBerry Device Service
Environment

  • BlackBerry Device Service 6.2
  • BlackBerry Administration Service

Overview

Log in to the server as the BlackBerry Enterprise Server service account and complete the following tasks to replace the self-signed Secure Sockets Layer (SSL) certificate used by the BlackBerry Administration Service and the BlackBerry Web Desktop Manager with a custom certificate (such as one from VeriSign or from a Windows certificate authority):

Task 1 - Retrieve the keystore password

  1. Log in to the BlackBerry Administration Service as an administrator with Security Administrator role.
  2. Click BlackBerry Solution topology > BlackBerry Domain > Component view > BlackBerry Administration Service.
  3. In the Security Settings, check the value for Default password to encrypt the web.keystore file and note it.

Task 2 - Back up the web.keystore file

  1. Open a Windows Command prompt as an Administrator.
  2. Type copy "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore" "c:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore.OLD"

Note: Do not remove or rename the existing web.keystore file.


Task 3 - Delete the self-signed SSL certificate from inside the keystore file

  1. Open a Command prompt as an Administrator.
  2. Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>"

Note: The -storepass parameter must be the password retrieved in Task 1. The quotes are required because the password contains special characters.


Task 4 - Generate the BlackBerry Administration Service certificate key pair

  • Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool.exe" -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -storepass "<password>" -dname "CN=<BAS Server or BAS Pool full name>, OU=BAS, O=Company, L=City, ST=ST, C=US"

Note: Some Certificate Authority (CA) servers require an RSA key for the certificate request. If this is the case, add -keyalg RSA to this keytool command. With -keyalg RSA, keytool defaults to a 1024-bit key size; for environments that require 2048 bits, also add the -keysize 2048 switch, e.g. -keyalg RSA -keysize 2048

STOP: After this step, the web.keystore file contains a private key entry. The reply generated by the Certificate Authority in the tasks below MUST match this exact private key for the process to succeed. It is highly recommended that web.keystore be backed up after this step so that the private key is retained. If this is not done and any of the following steps fail, the keystore must be cleared and the process restarted from Task 1. This is especially important for environments with manual certificate request processes.


Task 5 - Generate a certificate request to the certification authority

  • Type "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>"

Note: If the -keyalg switch was used in Task 4 for a CA that requires an RSA key, it is recommended to use it here as well. With -keyalg RSA, keytool defaults to a 1024-bit key size; for environments that require 2048 bits, also add the -keysize 2048 switch, e.g. -keyalg RSA -keysize 2048. For example:

  • "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certreq.csr" -storepass "<password>" -keyalg RSA -keysize 2048

Task 6 - Request the certificate from the certificate authority (CA)

Note: The steps in this task are based on the steps required to request a certificate from a Windows certificate authority. If requesting a certificate from a third-party certificate authority, see the Additional Information section below. Domain administrator permission is required to complete this task.

  1. Log off the server as the BlackBerry Enterprise Server service account.
  2. Log into the server with a domain account with domain administrator permissions or permissions to submit a webserver template request.
  3. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv)
  4. Click Request a certificate.
  5. Click Advanced certificate request.
  6. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS#7 file.
  7. Paste the full contents of the certreq.csr file into the Saved Request field.
  8. Choose Web Server from the Certificate Template drop-down list.
  9. Click Submit.
  10. Click Download certificate.
  11. Save the file to c:\bascert.cer when prompted.

Note: If the error The certificate is not valid for the requested usage appears, choose Subordinate Certification Authority from the Certificate Template drop-down list instead of Web Server.


Task 7 - Download the CA certificate from the certificate authority

  1. Browse to the organization's certificate server using Windows Internet Explorer. (For example: http://<certificate_server_name>/certsrv)
  2. Click Download a CA certificate, certificate chain, or CRL.
  3. Click Download CA certificate and save it as c:\certnewCA.cer.

Task 8 - Import the CA certificate into the BlackBerry Administration Service key store

  1. Log off the server as the domain account used in Tasks 6 and 7 above to request the certificate from the certificate authority (CA).
  2. Log on to the server as the BlackBerry Enterprise Server service account.
  3. Open a command prompt window as Administrator in the same manner as used in Task 2.
  4. Type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA.cer" -storepass "<password>"

If the BlackBerry Administration Service certificate is issued by an Intermediate CA, repeat step 4 for the certificate of every Intermediate CA in the certificate chain, using a unique alias name for each imported certificate. If the error keytool error: java.lang.Exception: Failed to establish chain from reply is displayed when performing Task 9 below, this step still needs to be completed.

To import an Intermediate Certificate Authority certificate:
"c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias cacert2 -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\certnewCA2.cer" -storepass "<password>"


Task 9 - Import the BlackBerry Administration Service certificate to the BlackBerry Administration Service key store

  • In the command prompt window used in Task 8, type: "c:\Program Files\Java\jre1.6.0_31\bin\keytool" -import -alias httpssl -keystore "C:\Program Files (x86)\Research in Motion\BlackBerry Device Service\BAS\bin\web.keystore" -file "C:\bascert.cer" -storepass "<password>"

Task 10 - Restart the BlackBerry Administration Service
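The following PowerShell helper is an added example, not part of the KB article: run it after Task 4 (it takes the backup the STOP note asks for before you continue to Task 5) and again after Task 9 (before Task 10) to confirm the httpssl entry is in the state each stage expects, by parsing the output of keytool -list -v. The keytool and web.keystore paths, the alias and the password prompt are assumptions taken from the article's own commands; adjust them for your server.

```powershell
# Added check script (not from the KB article). Assumes the article's paths, the
# alias httpssl and the Task 1 password; adjust $Keytool/$Keystore for your server.
$Keytool   = 'C:\Program Files\Java\jre1.6.0_31\bin\keytool.exe'
$Keystore  = 'C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\BAS\bin\web.keystore'
$Alias     = 'httpssl'
$Secure    = Read-Host -AsSecureString 'web.keystore password (Task 1)'
$StorePass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
                 [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

function Get-KeystoreEntry {
    # Parse 'keytool -list -v' for the alias: entry type, chain length, leaf subject/issuer.
    $out = & $Keytool -list -v -alias $Alias -keystore $Keystore -storepass $StorePass 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool -list failed: $($out -join ' ')" }
    $text = ($out | ForEach-Object { "$_" }) -join "`n"
    $chain = [regex]::Match($text, 'Certificate chain length:\s*(\d+)')
    [pscustomobject]@{
        EntryType   = [regex]::Match($text, 'Entry type:\s*(\S+)').Groups[1].Value
        ChainLength = if ($chain.Success) { [int]$chain.Groups[1].Value } else { 0 }
        Owner       = [regex]::Match($text, 'Owner:\s*(.+)').Groups[1].Value.Trim()
        Issuer      = [regex]::Match($text, 'Issuer:\s*(.+)').Groups[1].Value.Trim()
    }
}

function Backup-Keystore {
    # Timestamped copy so the Task 4 private key survives a failed CA round trip.
    $copy = "$Keystore.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $Keystore -Destination $copy
    Write-Host "Backed up web.keystore to $copy"
}

$entry = Get-KeystoreEntry
if ($entry.EntryType -ne 'PrivateKeyEntry') {
    Write-Warning "Alias '$Alias' is '$($entry.EntryType)', not a PrivateKeyEntry; repeat Task 4."
} elseif ($entry.ChainLength -eq 1 -and $entry.Owner -eq $entry.Issuer) {
    # State after Task 4: a self-signed placeholder wraps the new private key.
    Write-Host 'Private key present (self-signed placeholder); backing up before Task 5.'
    Backup-Keystore
} elseif ($entry.ChainLength -ge 2) {
    # State after Task 9: the CA reply matched the key and the chain was established.
    Write-Host "Chain established ($($entry.ChainLength) certificates) for $($entry.Owner)"
    Write-Host 'Ready for Task 10 (restart the BlackBerry Administration Service).'
} else {
    Write-Warning 'Private key present but chain incomplete; repeat Task 8 for each intermediate CA.'
}
```

If the second run reports an incomplete chain, the keystore is missing one of the issuing CA certificates, which is the same condition that produces the Failed to establish chain from reply error in Task 9.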
