Simplest Enterprise Continuous Integration Solutions

Saturday, July 20, 2013

Enterprise Linux: Subversion Edge + own SSL Certificate

By default, Subversion Edge has a self-signed certificate

Subversion Edge comes out of the box with an https configuration for the Apache Subversion Server. Selecting the "Apache Encryption" check box for "Subversion Server should serve via https." on the CSVN Console Administration tab installs an initial self-signed certificate provided with Subversion Edge.



The hostname in the Subversion Edge self-signed certificate above, svnedge.collab.net, is always different from your svn repository server hostname (for instance, linux64-svn-server). As a result, your imported Java keystore always contains the wrong hostname for your svn repository server.

Procedure to use your own SSL certificate

# Backup existing "server.key", "server.crt" and "svnedge.jks"

By default, those files are located as below:
/opt/csvn/data/conf/server.key
/opt/csvn/data/conf/server.crt
/opt/csvn/appserver/etc/svnedge.jks

# Make sure the openssl and openssl-devel RPMs are installed

# Generate a private key

[root@linux64-svn-server ~]# cd /opt/csvn/data/conf
[root@linux64-svn-server conf]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...............++++++
................++++++
e is 65537 (0x10001) 

# Generate a CSR (Certificate Signing Request)

[root@linux64-svn-server conf]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:<my_country>
State or Province Name (full name) [Berkshire]:<my_state>
Locality Name (eg, city) [Newbury]:<my_city>
Organization Name (eg, company) [My Company Ltd]:<my_org>
Organizational Unit Name (eg, section) []:<my_unit>
Common Name (eg, your name or your server's hostname) []:linux64-svn-server.domain.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# Check server.csr

[root@linux64-svn-server conf]# openssl req -noout -text -in server.csr 

# Remove Passphrase from key

[root@linux64-svn-server conf]# cp server.key server.key.org
[root@linux64-svn-server conf]# openssl rsa -in server.key.org -out server.key
writing RSA key 

# Generate a Self-Signed Certificate

[root@linux64-svn-server conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Or

# Submit server.csr to a certificate authority

Submit the generated server.csr to a Certificate Authority (for example, MY-ENTCASERVER) with “Web Server” Certificate template and download certificate in Base64 format, save it as server.crt.

# Check server.crt

[root@linux64-svn-server conf]# openssl x509 -in server.crt -text -noout 

# Convert the Apache certificate into PKCS#12 format

[root@linux64-svn-server conf]# openssl pkcs12 -export -in /opt/csvn/data/conf/server.crt -inkey /opt/csvn/data/conf/server.key -name svnedge -out /opt/csvn/data/conf/server.p12
Enter Export Password:
Verifying - Enter Export Password:

# Check server.p12

[root@linux64-svn-server conf]# openssl pkcs12 -info -in server.p12 

# Create the java keystore to store the certificate

[root@linux64-svn-server conf]# $JAVA_HOME/bin/keytool -importkeystore -srckeystore /opt/csvn/data/conf/server.p12 -srcstoretype PKCS12 -destkeystore /opt/csvn/data/conf/svnedge.jks
Enter destination keystore password:
Enter source keystore password:
Entry for alias svnedge successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

# Copy java keystore into INSTALL_DIR/appserver/etc

[root@linux64-svn-server conf]# cp /opt/csvn/data/conf/svnedge.jks /opt/csvn/appserver/etc/

# Restart csvn console 

[root@linux64-svn-server conf]# service csvn restart

# Subversion Edge own SSL Certificate

After the restart, https://linux64-svn-server.domain.com:4434/csvn presents your own SSL certificate.
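
The checks worth running on server.key and server.crt before the "Restart csvn console" step, as an added example that is not part of the original post: the key must belong to the certificate, the certificate must cover the server hostname (the mismatch described at the top), and the key size is compared with a floor. The function names and MIN_BITS=2048 are assumptions of this example, so a key generated with the 1024 shown above is reported; the sample key and certificate are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example. MIN_BITS is this example's assumption, not a value from the page.
MIN_BITS=2048

# Succeeds when the private key and the certificate carry the same public key.
key_matches_cert() {   # $1 = server.key, $2 = server.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when the certificate (SAN, or CN when there is no SAN) covers the host.
cert_matches_host() {  # $1 = server.crt, $2 = hostname
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Prints the size in bits of the public key in the certificate.
cert_key_bits() {      # $1 = server.crt
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Runs all three checks and returns non-zero if any of them fails.
check_pair() {         # $1 = server.key, $2 = server.crt, $3 = hostname
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match cert"; rc=1; }
    cert_matches_host "$2" "$3" || { echo "FAIL: cert does not cover $3"; rc=1; }
    bits=$(cert_key_bits "$2")
    [ "${bits:-0}" -ge "$MIN_BITS" ] || { echo "FAIL: ${bits:-?}-bit key"; rc=1; }
    return $rc
}

# Constructed sample: throwaway key and self-signed certificate in directory $1.
make_sample() {        # $1 = dir, $2 = hostname, $3 = key bits
    openssl genrsa -out "$1/server.key" "$3" 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/CN=$2" -out "$1/server.csr" &&
    openssl x509 -req -days 1 -in "$1/server.csr" -signkey "$1/server.key" \
        -out "$1/server.crt" 2>/dev/null
}

# Demo on the constructed sample, not on the real /opt/csvn/data/conf files.
d=$(mktemp -d)
make_sample "$d" linux64-svn-server.domain.com 2048
check_pair "$d/server.key" "$d/server.crt" linux64-svn-server.domain.com && echo "OK"
check_pair "$d/server.key" "$d/server.crt" svnedge.collab.net || echo "(expected)"
rm -rf "$d"
```

On the server, call check_pair with /opt/csvn/data/conf/server.key, /opt/csvn/data/conf/server.crt and the fully qualified hostname that clients use.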

