
Jenkins SSL certificate from Windows AD CS


I am trying to configure Jenkins on Windows with an SSL certificate following these instructions. Instead of using a Digicert certificate, our IT administrator would like to generate a certificate using the Windows AD CS using the certificate snap-in of mmc. However, we cannot figure out how to import the keytool-generated CSR certificate request into the certificate snap-in. If I use a certificate with a recreated certificate request in the mmc certificate store, the certificate is rejected with the following message:

keytool -importcert -alias jenkins -file "D:\Temp\jenkins\jenkins.pem" -keystore "D:\Temp\jenkins\jenkins.jks"
Enter keystore password:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <jenkins>

Does anyone know how to create an SSL certificate from the Windows certificate store based on a java keytool created csr certificate request?


Solution

  • I was able to get Jenkins running with SSL and this is what I did.

    On the Jenkins Master

    1. In the Certificate Snap-in of mmc, navigate to Certificates (Local Computer) / Personal.

    2. Right click Personal Folder and select All Tasks / Request New Certificate...

    3. Confirm the next two Enrollment pages by clicking on Next.

    4. Check a Webserver Active Directory Enrollment Policy.

    5. A Warning Message shows below the Enrollment Policy

      More information is required to enroll for this certificate. Click here to configure settings.

      Click on it.

    6. Fill out the Certificate Properties:
      Subject name: Common name: [the name of your jenkins server]
      Alternative name: DNS: [the name of your jenkins server]
      Alternative name: DNS: [the full name of your jenkins server including your domain]
      Confirm the page with OK and the following two pages.

    7. Export the Certificate as PFX format
      Right click on certificate
      All Tasks / Export...

    8. Check: Yes, export the private key
      Check Include all certificates in the certification path if possible
      Check: Export all extended properties
      Since we are exporting the private key, we must provide a password
      Check: Password and enter your password and password confirmation

    9. Pick a path for your PFX certificate and finish the export.

    10. Export the certificate one more time without a password in the Base-64 encoded X.509 (.CER) format.
    11. Rename the resulting .CER file into .PEM.

    12. Create a java key store on the Jenkins server with

      keytool -genkeypair -keysize 2048 -keyalg RSA -alias jenkins -keystore jenkins.jks
      
    13. Answer the questions appropriate for your company and organisation.

    14. Import the PFX certificate into the java keystore with

      keytool -importkeystore -srckeystore jenkins.pfx -srcstoretype pkcs12 -destkeystore jenkins.jks -deststoretype JKS
      
    15. Copy the jenkins.jks to secrets directory where Jenkins is installed (in my case C:\Program Files (x86)\Jenkins\secrets).

    16. Add the certificate to the Jenkins startup parameters:

       -Djavax.net.ssl.trustStore=%JENKINS_HOME%\secrets\jenkins.jks
       -Djavax.net.ssl.trustStorePassword=[your password for the java key store]
      
    17. Restart the jenkins service

    On the Jenkins Agent

    1. Import the PEM certificate from above into the java keystore from the command line with administrator privileges:

      keytool -import -alias jenkins -keystore "C:\Program Files (x86)\Java\jre1.8.0_161\lib\security\cacerts" -file [your pem file]
      

      Enter the password of the keystore (by default changeit)
      Trust this certificate? [no]: yes

    2. Make sure your jenkins-slave.xml in %JENKINS_HOME% does not contain -noCheckCertificate in the arguments.

    3. Restart the service jenkinsslave-D__Jenkins.
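
The command-line part of the procedure above (steps 12 to 14 on the master and step 1 on the agent), wrapped in a PowerShell script with the checks a practitioner would want before restarting Jenkins. This is an added example, not code from the answer above or from the Jenkins project. It assumes that `keytool` from the JRE Jenkins uses is on `PATH`, and every path, the `jenkins` alias, the keystore passwords and the agent `cacerts` location are placeholders to adjust. It goes a little beyond the steps: it confirms the issued certificate's Subject Alternative Name covers the server's FQDN, finds the alias Windows gave the key inside the PFX instead of guessing it, and verifies that the keystore ends up with a private key entry plus its CA chain. That last check is exactly what the question's failing `keytool -importcert` could never produce: a certificate reply is only accepted for a key pair that keytool itself generated the CSR for, so a certificate enrolled through mmc must be brought in as a PKCS12 key pair, not as a reply.

```powershell
# Added example, not part of the original answer. Assumes keytool is on PATH;
# file paths, alias, passwords and the cacerts location are placeholders.
$Pfx   = 'D:\Temp\jenkins\jenkins.pfx'    # PFX exported with the private key (steps 7-9)
$Pem   = 'D:\Temp\jenkins\jenkins.pem'    # Base-64 .CER renamed to .pem (steps 10-11)
$Jks   = 'D:\Temp\jenkins\jenkins.jks'    # keystore that Jenkins will read (step 15)
$Alias = 'jenkins'
$Fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$PfxPass = Read-Host 'Password used when exporting the PFX'
$JksPass = Read-Host 'Password for the Java keystore'

# 1. Confirm the certificate names this server in its SAN (step 6); a keystore import
#    succeeds regardless, but clients reject a certificate whose SAN does not match.
function Test-CertificateNamesHost([string]$PemPath, [string]$HostName) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PemPath)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if (-not $san) { return $false }
    # On Windows Format($false) renders e.g. "DNS Name=jenkins, DNS Name=jenkins.corp.local"
    $names = $san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() }
    return $names -contains $HostName
}

# 2. Windows chooses the alias inside the PFX (often a GUID or friendly name); read it
#    from the listing so the import can rename the entry to the alias Jenkins expects.
function Get-PfxKeyAlias([string]$PfxPath, [string]$Password) {
    $listing = & keytool -list -keystore $PfxPath -storetype PKCS12 -storepass $Password
    $entry = $listing | Where-Object { $_ -match 'PrivateKeyEntry' } | Select-Object -First 1
    if (-not $entry) { throw "No private key entry found in $PfxPath" }
    return ($entry -split ',')[0].Trim()
}

# 3. Import the key pair and its chain into the JKS under a known alias (step 14).
function Import-PfxIntoJks($PfxPath, $PfxPassword, $JksPath, $JksPassword, $SrcAlias, $DestAlias) {
    & keytool -importkeystore -noprompt `
        -srckeystore $PfxPath -srcstoretype PKCS12 -srcstorepass $PfxPassword -srcalias $SrcAlias `
        -destkeystore $JksPath -deststoretype JKS -deststorepass $JksPassword -destalias $DestAlias `
        -destkeypass $JksPassword
    if ($LASTEXITCODE -ne 0) { throw "keytool -importkeystore failed with exit code $LASTEXITCODE" }
}

# 4. Verify what landed in the keystore: a PrivateKeyEntry (a trusted-cert entry cannot
#    serve TLS) and a chain of at least two certificates (leaf plus issuing CA, step 8).
function Test-JksServerEntry($JksPath, $Password, $EntryAlias) {
    $text  = (& keytool -list -v -keystore $JksPath -storepass $Password -alias $EntryAlias) -join "`n"
    $isKey = $text -match 'Entry type:\s*PrivateKeyEntry'
    $m     = [regex]::Match($text, 'Certificate chain length:\s*(\d+)')
    $chain = if ($m.Success) { [int]$m.Groups[1].Value } else { 0 }
    if (-not $isKey) { Write-Warning "$EntryAlias is not a private key entry"; return $false }
    if ($chain -lt 2) { Write-Warning "Chain length is $chain; the issuing CA was not included in the PFX" }
    return $true
}

# 5. Agent side: trust the server certificate non-interactively instead of answering the
#    "Trust this certificate?" prompt. -trustcacerts also checks it against CAs already in cacerts.
function Install-AgentTrust($CacertsPath, $PemPath, $EntryAlias, $StorePass = 'changeit') {
    & keytool -importcert -noprompt -trustcacerts -alias $EntryAlias -file $PemPath `
        -keystore $CacertsPath -storepass $StorePass
    return ($LASTEXITCODE -eq 0)
}

# --- run on the master ---
if (-not (Test-CertificateNamesHost $Pem $Fqdn)) { throw "Certificate SAN does not include $Fqdn; re-enroll (step 6)" }
$srcAlias = Get-PfxKeyAlias $Pfx $PfxPass
Import-PfxIntoJks $Pfx $PfxPass $Jks $JksPass $srcAlias $Alias
if (Test-JksServerEntry $Jks $JksPass $Alias) { Write-Host "$Jks is ready for Jenkins under alias $Alias" }

# --- run on each agent (placeholder JRE path) ---
# Install-AgentTrust 'C:\Program Files (x86)\Java\jre1.8.0_161\lib\security\cacerts' $Pem $Alias
```

Passwords passed as `-storepass` arguments are visible in the process list while keytool runs; leaving those arguments out makes keytool prompt for them instead, at the cost of interactivity. The agent call is commented out because it belongs on a different machine and needs that machine's JRE path.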