BlackBerry Forums Support Community               

Old 10-02-2008, 01:29 PM   #1 (permalink)
New Member
 
Join Date: Oct 2008
Model: Curve
PIN: N/A
Carrier: Verizon
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Nondefault SSL Certificate Installation on BB Administration Service

I am trying to install a new SSL certificate from a certificate authority into my BlackBerry Administration Service. I am using the "BlackBerry Web Desktop Manager for Microsoft Exchange Installation and Administration Guide", but I am not having any luck.

According to the guide, the certificate is installed into the lib\security folder of the java version used for the service. In my case this is jre1.5.0_09. However, when I try to install the certificate here, it appears to work, but then when you hit the website it still shows the old certificate info.

I have tracked down the location of the certificate that was created during install, and it is in c:\program files\research in motion\Blackberry Administration Service\bin folder. There are 2 files in this directory named web.keystore, and bas.keystore. If I import the new SSL certificate into the web.keystore file, the site stops working. It just sits, and does not connect - never giving an error.

I am really at my wits' end with this. I have spent two full days messing around with this, and I haven't really gotten anywhere. Any help would be greatly appreciated (especially by someone who has got this to work).

-Jim

Last edited by jim.kramer : 10-03-2008 at 08:58 AM.
Old 10-03-2008, 08:57 AM   #2 (permalink)
New Member
 
Join Date: Oct 2008
Model: Curve
PIN: N/A
Carrier: Verizon
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts

It appears that somehow I ended up with an outdated copy of the administrator's guide. In any case, I have since downloaded the revised version, which addresses many of the issues I noted in the original post. However, it appears that even the updated document is not without error.

In step 3 on Page 27, the document says to use the keytool to generate a new web.keystore file, and private key. However, the example command line for doing that seems to be incorrect. It says:

keytool -genkey -alias <alias_name> -keypass <password> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin"

This does not work - at least it did not for me. I believe the correct syntax is:

keytool -genkey -alias <alias_name> -keypass <password> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin\web.keystore"

However, it should be noted that even the revised command will not work if you do not delete the old web.keystore first - which is not mentioned in the document (it only says to make a backup).

SO, I did get a new certificate signing request generated, and I was able to install the new .cer from the CA. HOWEVER - it still is acting oddly. When I view the certificate within IE, it is not the right one. It appears to be a locally generated certificate that expires in less than a year. I don't get this...

If I do a "keytool -list "<drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin\web.keystore"" the keys appear to be there... but something is wrong with them.

It seems as though the 'revised' procedure for doing this still has problems. I have now paid for TWO certificates, and both appear to be USELESS.

Last edited by jim.kramer : 10-03-2008 at 08:58 AM. Reason: sp
Old 10-23-2008, 08:58 AM   #3 (permalink)
New Member
 
Join Date: Oct 2008
Model: 9700
PIN: N/A
Carrier: MyOwn
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
I got it working

After messing about with this for the last couple of days I now have a working certificate installed. I have modified RIM's administrator guide to how I believe it should be, and certainly how I got mine working. Hope this helps someone:

Import a nondefault SSL certificate after the BlackBerry Administration Service installation

When you install the BlackBerry® Administration Service, the setup application generates a default SSL certificate to secure the HTTPS connection. If you prefer, you can import a self-signed SSL certificate or a signed root certificate that is signed by a different certificate authority after the installation process completes.

1. On the computer that hosts the BlackBerry Administration Service, in <drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin, back up the web.keystore file.
2. For security, update the key store password by performing the following actions:
a. On the Start menu, click Run.
b. Type regedit.
c. Navigate to HKEY_CURRENT_USER\SOFTWARE\Research In Motion\BlackBerry Administration Service\Key Store.
d. Update the WebKeyStorePass string with a key store password that meets the security requirements of your organization.
3. Using the keytool* in <drive>:\Program Files\Java\<JRE_version>\bin and the password that you updated in step 2, generate a new private key.

*For Keytool notes see the bottom of this article

keytool -genkey -alias <alias> -keypass <password> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin\web.keystore"

When running the above you will be asked a series of questions which will make up the subject of your certificate, the key entry is below:

What is your First name and Last name: "This field is the one which will identify the CN in the subject for your certificate, so for example if you are attempting to secure server1.domain.com you would enter server1.domain.com in this field."

4. Using the keytool, generate a certificate signing request.

keytool -certreq -alias <alias> -file "<drive>:\<CSR name>.csr" -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin\web.keystore"

5. Send the certificate signing request to a certificate authority so that the certificate authority can create the certificate.

6. When the certificate is returned, copy it into a text file and save it with a .cer extension.

7. Using the keytool, import the certificate authority root certificate and any intermediate certificates to the web.keystore file using a separate alias for each:

keytool -import -alias <alias> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin\web.keystore" -file "<drive>:\<certificatename>.cer"

8. Using the keytool, import the certificate returned from your CSR to the web.keystore file using the alias created in step 3.

keytool -import -alias <alias> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Administration Service\bin\web.keystore" -file "<drive>:\<certificatename>.cer"

Keytool Notes:

alias refers to the entry within the keystore and can be called anything as long as you remember which certificate is stored within the alias. It is recommended to use the FQDN of the certificate you are importing.

Which type of import is intended is indicated by the value of the -alias option:

If the alias points to a key entry, then keytool assumes you are importing a certificate reply. keytool checks whether the public key in the certificate reply matches the public key stored with the alias, and exits if they are different.

If the alias does not point to a key entry, then keytool assumes you are adding a trusted certificate entry. In this case, the alias should not already exist in the keystore. If the alias does already exist, then keytool outputs an error, since there is already a trusted certificate for that alias, and does not import the certificate. If the alias does not exist in the keystore, keytool creates a trusted certificate entry with the specified alias and associates it with the imported certificate.
Offline  
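The keytool notes in post #3 say the -alias value decides whether an import is treated as a certificate reply or as a new trusted certificate. The Python check below is an added example, not part of the original posts or RIM's guide: it parses a constructed "keytool -list -v" listing and reports whether the alias holding the private key actually carries the CA-signed certificate. The listing layout, the alias names (bas, exampleroot) and the entry-type strings (keyEntry on older JREs, PrivateKeyEntry on newer ones) are assumptions for illustration.

```python
import re

# Constructed sample of `keytool -list -v -keystore web.keystore` output.
# Scenario: the key pair was generated under alias "bas", but the CA reply
# was imported under a different alias, so it became a trusted cert entry.
SAMPLE = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: exampleroot
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US

Alias name: bas
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server1.domain.com, O=Example, C=US
Issuer: CN=server1.domain.com, O=Example, C=US

Alias name: server1.domain.com
Entry type: trustedCertEntry

Owner: CN=server1.domain.com, O=Example, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
"""

def parse_listing(text):
    """Return {alias: {"type", "owner", "issuer"}} for each keystore entry."""
    entries = {}
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        def field(name):
            # First match in the block, i.e. the first certificate of the entry.
            m = re.search(rf"^{name}: (.*)$", block, flags=re.M)
            return m.group(1).strip() if m else None
        entries[block.splitlines()[0].strip()] = {
            "type": field("Entry type"),
            "owner": field("Owner"), "issuer": field("Issuer")}
    return entries

def diagnose(entries, alias):
    """Say whether `alias` will present the CA-signed certificate over HTTPS."""
    e = entries.get(alias)
    if e is None:
        return "alias not found"
    if e["type"] not in ("keyEntry", "PrivateKeyEntry"):
        return "reply stored as trusted cert: no private key under this alias"
    if e["owner"] == e["issuer"]:
        return "key entry still self-signed: certificate reply not imported here"
    return "ok"
```

A key entry whose Owner and Issuer are identical matches the symptom in post #2, where the browser still showed a locally generated certificate after the import.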
Old 12-01-2008, 05:19 AM   #4 (permalink)
Knows Where the Search Button Is
 
Join Date: Sep 2007
Location: Dubai
Model: 9000
OS: 4.6.0.247
PIN: 255BB662
Carrier: Etisalat
Posts: 20
Post Thanks: 0
Thanked 0 Times in 0 Posts

Hi Guys,

Great tips.
Wanted to try this but got just one stupid question:
Can the BlackBerry Administration Service be hosted on the BlackBerry server itself or does it have to be a dedicated machine?

Thanks,
Copyright © 2004-2014 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.