Welcome to the official BlackBerry Support Community Forums.

dcolpitts

HOWTO: Replace self-signed BES 10.1 SSL Certificates with a GoDaddy Wildcard Certificate

Blackberry's documentation is seriously lacking on how to replace the self-signed BES 10.1 SSL certificates, and even with what they do provide, they don't explain how to change all four web interfaces, but rather only Administration Console for BlackBerry Device Service, BlackBerry Management Studio, BlackBerry Web Desktop Manager.  Then - they also don't explain how to create the necessary httpssl alias in the keystore file, and there is no way (that I know of that is documented) to replace the certificate for the Administration Console for Universal Device Service in 10.1.

So - having said that - I ended up writing the necessary documentation for my support team to replace self-signed BES 10.1 SSL Certificates with a GoDaddy Wildcard Certificate for all four consoles.  We maintain 25+ BES 10 servers for our customers, and they all have their own GoDaddy Wildcard Certificate that we like to use for everything.

Follow these instructions at your own risk - they worked for us, but your results may vary.  I will accept NO RESPONSIBILITY if you fubar your BES 10.1 server.  If it is virtualized - be sure to take a snapshot before continuing.


dcc

HOWTO:  Replace self-signed BES 10.1 SSL Certificates with a GoDaddy Wildcard Certificate

1.)    Open the “Administration Console for BlackBerry Device Service” and log in as admin or a user that has the role of Security Administrator

2.)    Navigate to “Server and Components” --> “Blackberry Domain” --> “Component View” --> “Blackberry Administration Service”

3.)    Note the “default password to encrypt the web.keystore file” under Security Settings – this will be the %keystorepassword% variable

4.)    Export the GoDaddy wildcard SSL certificate to C:\DL\wildcard.pfx with the private key, and the private key password must be the %keystorepassword% variable

5.)    Open a command prompt and run the following command:

"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore "C:\dl\wildcard.pfx" -rfc -storetype pkcs12 -storepass "%keystorepassword%"          (replace %keystorepassword% with the actual password)

6.)    Note the Alias  – this will be the %wildcardalias% variable

7.)    Ensure both "C:\DL\SSL CAs\GoDaddy\gd-class2-root.crt" and "C:\DL\SSL CAs\GoDaddy\gd_intermediate.crt" exist before continuing

8.)    If possible, shutdown the BES 10.1 server and take a snapshot before continuing

9.)    From the command prompt, run the following commands (be sure to adjust the variables as required)

rem - set variables from steps 3 and 6 above
set keystorepassword="xxxxxxxxxxx"
set wildcardalias="xxxxxxxxxxxxxxxxxxxxxxxxxxxx"

rem - backup BES10 certificate - do not overwrite the original without prompting, then create a copy to work from
copy "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Certs\BES10\keystore" "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Certs\BES10\keystore_org.back"
copy /y "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\Certs\BES10\keystore" "C:\DL\keystore_bes10.jks"

rem - verify we can read the keystore (there should be 2 entries after this step - httpssl and uds-ca)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -rfc -storepass %keystorepassword% -keystore "C:\DL\keystore_bes10.jks"
ping 127.0.0.1 >> nul

rem - remove self-signed certificate and verify it is gone (there should be 1 entry after these two steps - uds-ca)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -delete -alias httpssl -keystore "C:\DL\keystore_bes10.jks" -storepass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore "C:\DL\keystore_bes10.jks" -rfc -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - import root and intermediate CAs, then verify they are there (there should be 3 entries after this step - rootca, intca and uds-ca)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -importcert -noprompt -trustcacerts -alias rootca -keystore "C:\DL\keystore_bes10.jks" -v -file "C:\DL\SSL CAs\GoDaddy\gd-class2-root.crt" -storepass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -importcert -alias intca -keystore "C:\DL\keystore_bes10.jks" -v -file "C:\DL\SSL CAs\GoDaddy\gd_intermediate.crt" -storepass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore "C:\DL\keystore_bes10.jks" -rfc -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - verify we can read the wildcard certificate (there should be 1 entry here)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore "C:\dl\wildcard.pfx" -rfc -storetype pkcs12 -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - import the wildcard certificate and verify we can read it afterwards (there should be 4 entries after this step - rootca, intca, httpssl and uds-ca)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -importkeystore -srckeystore "C:\dl\wildcard.pfx" -destkeystore "C:\DL\keystore_bes10.jks" -srcstoretype "PKCS12" -deststoretype "JKS" -srcstorepass %keystorepassword% -deststorepass %keystorepassword% -v -srcalias %wildcardalias% -destalias "httpssl" -srckeypass %keystorepassword% -destkeypass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -rfc -keystore "C:\DL\keystore_bes10.jks" -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - stop BES10 UDS Services
net stop /y "BES10 - Administration Console"
net stop /y "BES10 - Scheduler"
net stop /y "BES10 - BlackBerry Web Services"

rem - backup the self-signed UDS keystore - do not overwrite the original without prompting, then create a copy to work from
copy "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\ssl\keystore" "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\ssl\keystore_org.back"
copy /y "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\ssl\keystore" "C:\DL\keystore_uds10.jks"

rem - verify we can read the self-signed UDS keystore (there should be 2 entries after this step - buds.gui.sslcert and buds.gui.ks.tomcat)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -rfc -keystore "C:\DL\keystore_uds10.jks" -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - remove the self-signed UDS certificates from the keystore and verify they are gone (there should be 0 entries after these two steps)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -delete -alias buds.gui.sslcert -keystore "C:\DL\keystore_uds10.jks" -storepass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -delete -alias buds.gui.ks.tomcat -keystore "C:\DL\keystore_uds10.jks" -storepass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore "C:\DL\keystore_uds10.jks" -rfc -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - import root and intermediate CAs into the UDS keystore, then verify they are there (there should be 2 entries after these two steps - rootca and intca)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -importcert -noprompt -trustcacerts -alias rootca -keystore "C:\DL\keystore_uds10.jks" -v -file "C:\DL\SSL CAs\GoDaddy\gd-class2-root.crt" -storepass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -importcert -alias intca -keystore "C:\DL\keystore_uds10.jks" -v -file "C:\DL\SSL CAs\GoDaddy\gd_intermediate.crt" -storepass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore "C:\DL\keystore_uds10.jks" -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - import the wildcard certificate into the UDS keystore, then verify we can read it afterwards (there should be 3 entries after these two steps - rootca, intca, and buds.gui.ks.tomcat)
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -importkeystore -srckeystore "C:\dl\wildcard.pfx" -destkeystore "C:\DL\keystore_uds10.jks" -srcstoretype "PKCS12" -deststoretype "JKS" -srcstorepass %keystorepassword% -deststorepass %keystorepassword% -v -srcalias %wildcardalias% -destalias "buds.gui.ks.tomcat" -srckeypass %keystorepassword% -destkeypass %keystorepassword%
"C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe" -list -keystore "C:\DL\keystore_uds10.jks" -storepass %keystorepassword%
ping 127.0.0.1 >> nul

rem - replace the self-signed UDS keystore
copy /y "C:\DL\keystore_uds10.jks" "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\RIM.BUDS.Gui\ssl\keystore"

rem - remove variables
set keystorepassword=
set wildcardalias=

rem - start BES10 UDS Services
net start /y "BES10 - Administration Console"
net start /y "BES10 - Scheduler"
net start /y "BES10 - BlackBerry Web Services"

rem - start the "Configuration Tool for BlackBerry Enterprise Service 10" to change the BES10 certificates
@call "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Service 10\ConfigTool\ConfigTool.exe"
exit /b

10.) In “Configuration Tool for BlackBerry Enterprise Service 10”, navigate to the Web Keystore tab.

11.) Select the “Import new SSL certificate” radio button.

12.) Enter the %keystorepassword% variable in both the Current Password and the Password boxes.

13.) Enter C:\DL\keystore_bes10.jks in the Location box and click Apply.

14.) Click Ok to reboot the BES 10.1 when prompted.

15.) Click Ok to close the Configuration Tool for BlackBerry Enterprise Service 10.

16.) Reboot Windows.

17.) After the reboot, log back into Windows and verify all the consoles now use the wildcard SSL certificate.

18.) If everything works ok – remove the VM snapshot you took in step 8.

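As an added example that is not part of dcolpitts' post, the following PowerShell check performs the "there should be N entries" verifications from step 9 mechanically instead of reading keytool's output between pings, and refuses a keystore that has an unexpected alias or whose server alias is not a private key. It assumes the keytool.exe path, keystore paths and alias names from the post, and that keytool reports the key imported with -importkeystore as a PrivateKeyEntry.

```powershell
# Added verification helper (not from the original post). Assumes the keytool.exe path used in the
# post; adjust $Keytool for a different JRE.
$Keytool = 'C:\Program Files\Java\jre1.7.0_05\bin\keytool.exe'

function Get-KeystoreEntries {
    # Returns a hashtable of alias -> entry type, parsed from "keytool -list -v" output.
    param(
        [Parameter(Mandatory)] [string] $Keystore,
        [Parameter(Mandatory)] [string] $StorePass,
        [string] $StoreType = 'JKS'
    )
    $out = & $Keytool -list -v -keystore $Keystore -storetype $StoreType -storepass $StorePass 2>&1
    if ($LASTEXITCODE -ne 0) { throw "keytool could not open ${Keystore}: $($out -join ' ')" }
    $entries = @{}
    $alias = $null
    foreach ($line in $out) {
        if ("$line" -match '^Alias name:\s*(.+)$') { $alias = $Matches[1].Trim() }
        elseif ($alias -and "$line" -match '^Entry type:\s*(\S+)') { $entries[$alias] = $Matches[1]; $alias = $null }
    }
    return $entries
}

function Assert-KeystoreEntries {
    # Fails unless the keystore holds exactly $ExpectedAliases and every alias in $PrivateKeyAliases is a
    # PrivateKeyEntry (a trustedCertEntry under the server alias would leave the console without a key).
    param(
        [Parameter(Mandatory)] [string] $Keystore,
        [Parameter(Mandatory)] [string] $StorePass,
        [Parameter(Mandatory)] [string[]] $ExpectedAliases,
        [string[]] $PrivateKeyAliases = @(),
        [string] $StoreType = 'JKS'
    )
    $actual = Get-KeystoreEntries -Keystore $Keystore -StorePass $StorePass -StoreType $StoreType
    $problems = @()
    foreach ($a in $ExpectedAliases) { if (-not $actual.ContainsKey($a)) { $problems += "missing alias '$a'" } }
    foreach ($a in $actual.Keys) { if ($ExpectedAliases -notcontains $a) { $problems += "unexpected alias '$a' ($($actual[$a]))" } }
    foreach ($a in $PrivateKeyAliases) {
        if ($actual.ContainsKey($a) -and $actual[$a] -ne 'PrivateKeyEntry') { $problems += "alias '$a' is $($actual[$a]), not PrivateKeyEntry" }
    }
    if ($problems.Count -gt 0) { throw "$Keystore does not match expectations: $($problems -join '; ')" }
    Write-Host "OK: $Keystore holds exactly these $($ExpectedAliases.Count) entries: $($ExpectedAliases -join ', ')"
}

# Expected final state of the two working copies built in step 9, checked before they go into service.
$pw = Read-Host -Prompt 'Keystore password (%keystorepassword% from step 3)'
Assert-KeystoreEntries -Keystore 'C:\DL\keystore_bes10.jks' -StorePass $pw `
    -ExpectedAliases @('rootca', 'intca', 'httpssl', 'uds-ca') -PrivateKeyAliases @('httpssl')
Assert-KeystoreEntries -Keystore 'C:\DL\keystore_uds10.jks' -StorePass $pw `
    -ExpectedAliases @('rootca', 'intca', 'buds.gui.ks.tomcat') -PrivateKeyAliases @('buds.gui.ks.tomcat')
```

The same function can be called after each intermediate keytool step with that step's expected alias list, which turns the comments in the script into hard checks.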
poloots

Re: HOWTO: Replace self-signed BES 10.1 SSL Certificates with a GoDaddy Wildcard Certificate

Thanks for this - I used it to replace the self-signed cert with one generated from our internal Microsoft Windows CA. I could find no reference to an "alias" property on the Microsoft CA cert template. I had to generate an SSL certificate from the CA and followed your steps.

As for the UDS certificate, this was a help: KB31084. It contains some, but not all of your steps (and crucially not the alias information) from your post.

Gordon