
How to change the SSL certificate for BlackBerry Enterprise Express Server

Recently I found myself once again face to face with my oldest arch rival… BlackBerry.  Yes, this foe and I have been in disagreement for years now.  Dealing with her secret menus, unheard-of limitations, lack of technological advancement, and of course, the disregard for what IT admins need out of this software in order to be successful.  I have claimed victory and defeat when it comes to BES, but this time I was faced with something new, something different.  Here is some background.

When installing the BES Express software, there are two administration web sites that are created along with the administrator's web page.  These web sites are created during the install, and a self-signed certificate is installed as well in order for SSL to work.  During the installation, there is NO information telling you this, nor does it allow you to install your own SSL certificate.  All it gives you is the chance to create a password for your SSL certificate, but it says nothing about this being the password you are going to use for the KEYSTORE.  Yes, this is not IIS or Java stuff, but this is kind of like Tomcat, some Unix type stuff.  It is important that you know this password in order to change the SSL certificate later, as I will explain in the step-by-step instructions.

[Image: Step 17 of the installation]

So what I have done is created a step-by-step process on how to remove the self-signed certificate that is installed during the installation.  Changing the SSL certificate is no easy task and I am sure it will be different for everyone, but this is a good start, plus I didn’t find anything on the web explaining how to do this.  I had to figure it out on my own.  Ready?  Here we go.

Backup the Keystore first:

1.  Browse to “C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore”

2.  Copy the file web.keystore

3.  Paste it and rename it to web.keystore.OLD

Delete the SSL certificate that was installed with BES Express

1.  Open CMD.exe

2.  Change directory to “C:\Program Files (x86)\Java\jre1.6.0_18\bin”

3.  Run this command: keytool -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore"

4.  Enter password for Keystore.

Generate the BlackBerry Admin Service certificate key pair

1.  Open CMD.exe

2.  Change directory to “C:\Program Files (x86)\Java\jre1.6.0_18\bin”

3.  Run this command: keytool -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore" -storepass "password" -keyalg RSA -keysize 2048 -dname "cn=FQDN OF SERVER,ou=BES,o=RIM,c=CA"

4.  Enter password for keystore. *Verify that there are no spaces in the -dname switch inside the quotes

Generate a certificate request to the certification authority

1.  Open CMD.exe

2.  Change directory to “C:\Program Files (x86)\Java\jre1.6.0_18\bin”

3.  Run this command: keytool -certreq -alias httpssl -keystore "c:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\bas\bin\web.keystore" -file cert.req -keyalg RSA -keysize 2048

Request the certificate from your certificate authority (CA) or a 3rd party certificate authority

1.  Request the certificate; make sure to save your certificate as CERTIFICATE.CER

2.  Find where the certificate is located, then double click on the certificate.

3.  Click the tab “DETAILS” then click “COPY TO FILE..” located at the bottom of the window.

4.  Click NEXT

5.  For the Export file format select:  Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B) and make sure the check box “Include all certificates in the certification path if possible” is checked.

6.  Choose a file path, make sure to place the file in “C:\Program Files (x86)\Java\jre1.6.0_18\bin”

7.  Click Finish

Import the CA certificate into the BlackBerry Administration Service key store

1.  Open CMD.exe

2.  Change directory to “C:\Program Files (x86)\Java\jre1.6.0_18\bin”

3.  Run this command: keytool -import -alias httpssl -keystore "c:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -file filename.p7b

4.  Type YES to accept your certificate.

Restart the BlackBerry Administration Service

1.  You can either just restart your BES server or just stop the administration service.
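A keystore-side check for the steps above, as an added example that is not part of the original post: it parses the text that keytool -list -v prints for web.keystore and reports whether the httpssl alias still holds a self-signed certificate or lost its private key during the import. The sample listings are constructed and trimmed, and the host name bes01.example.com and the CA name are placeholders.

```python
import re
# Constructed, trimmed samples in the layout `keytool -list -v` prints (not real
# output). TRUSTED_ONLY is a reply that landed as a trusted certificate only.
SELF_SIGNED = """Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=bes01.example.com, OU=BES, O=RIM, C=CA
Issuer: CN=bes01.example.com, OU=BES, O=RIM, C=CA
"""
CA_SIGNED = """Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=bes01.example.com, OU=BES, O=RIM, C=CA
Issuer: CN=Example Issuing CA, O=Example, C=CA
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example, C=CA
Issuer: CN=Example Issuing CA, O=Example, C=CA
"""
TRUSTED_ONLY = """Alias name: httpssl
Entry type: trustedCertEntry

Owner: CN=bes01.example.com, OU=BES, O=RIM, C=CA
Issuer: CN=Example Issuing CA, O=Example, C=CA
"""

def check_alias(listing, alias="httpssl"):
    """Return a list of problems for `alias`; an empty list means it looks right."""
    blocks = re.split(r"(?m)^(?=Alias name: )", listing)  # one block per alias
    head = re.compile(r"Alias name: %s\s*$" % re.escape(alias), re.M)
    block = next((b for b in blocks if head.match(b)), None)
    if block is None:
        return ["alias not found"]
    field = lambda name: re.search(r"^%s: (.+)$" % name, block, re.M)
    entry = field("Entry type")
    if not entry or entry.group(1).strip() != "PrivateKeyEntry":
        return ["not a PrivateKeyEntry: no private key behind this certificate"]
    problems = []
    owner, issuer = field("Owner"), field("Issuer")  # first match is Certificate[1]
    if owner and issuer and owner.group(1).strip() == issuer.group(1).strip():
        problems.append("leaf certificate is self-signed")
    chain = field("Certificate chain length")
    if not chain or int(chain.group(1)) < 2:
        problems.append("no CA certificate in the chain")
    return problems

if __name__ == "__main__":
    for name, text in [("self-signed", SELF_SIGNED), ("CA-signed", CA_SIGNED), ("trusted-only", TRUSTED_ONLY)]:
        print(name, check_alias(text) or "OK")
```

To use it on a real server, save the output of keytool -list -v -keystore with the web.keystore path to a text file and pass its contents to check_alias.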

That should do it.  If you did all this correctly, then when you browse to the BES websites, the SSL certificate in the browser should show the one you installed instead of the one that reads as an error on all browsers.  You know the kind, the one that says the site is dangerous and tries to scare people away.  I never agreed to that.  BlackBerry’s software is a lot like this kid running down these stairs, just one big FAIL.  Comment if you want; if you don’t, it’s okay, it’s only BES.