Creating the DevOps Plan REST API SSL Certificate

DevOps Plan uses SSL to secure access to its user interface and REST APIs. A self-signed certificate is provided out of the box, but some proxies and gateways will not accept self-signed certificates.

About this task

By default, the DevOps Plan REST API Server ships with a self-signed SSL certificate. To maintain security, you must obtain and install your own SSL certificate for the machine that the REST API Server is running on. You must have the following:
  • SSL certificate in .p12 (PKCS12) format. For example, c:\cert\mycertstore.p12 must be on your local disk.
  • SSL certificate alias. For example, apiserver.
  • SSL certificate password. For example, mypass.

To create and install an SSL certificate, you will use OpenSSL.

Procedure

  1. Create a folder and open a command prompt or terminal.
  2. If you do not already have a root certificate from a root certificate authority, create one: generate the root key, then create the self-signed root certificate.
    openssl genrsa -out devopsplanRootCA.key 2048 
    openssl req -x509 -new -nodes -key devopsplanRootCA.key -sha256 -days 1024 -out devopsplanRootCA.crt 
  3. Import the root certificate into your browser or your operating system trust store. If you plan to use a proxy or a gateway, the computer that runs the proxy or gateway requires your root certificate to be installed.
    Your DevOps Plan server needs its own certificate. Use the server's fully qualified domain name.
    openssl genrsa -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key 2048 
  4. Create a certificate signing request. When prompted for the Common Name, supply the fully qualified domain name.
    openssl req -new -key YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.csr  
  5. Generate the certificate using the certificate signing request and key, along with the certificate authority root key that you created in step 2.
    openssl x509 -req -in YOUR.FULLY.QUALIFIED.DOMAIN.NAME.csr -CA devopsplanRootCA.crt -CAkey devopsplanRootCA.key -CAcreateserial -out YOUR.FULLY.QUALIFIED.DOMAIN.NAME.crt -days 500 -sha256 -extfile openssl.ext
    You must supply the configuration file named by -extfile (openssl.ext in this command). The file should include the following:
    authorityKeyIdentifier=keyid,issuer 
    basicConstraints=CA:FALSE 
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment 
    subjectAltName = @alt_names 
      
    [alt_names] 
    DNS.1 = YOUR.FULLY.QUALIFIED.DOMAIN.NAME 
  6. Convert your crt/key to .p12 for Java. Remember the export password that you choose; you will need it when you configure DevOps Plan.
    openssl pkcs12 -export -out keystore.p12 -inkey YOUR.FULLY.QUALIFIED.DOMAIN.NAME.key -in YOUR.FULLY.QUALIFIED.DOMAIN.NAME.crt -certfile devopsplanRootCA.crt
  7. To run DevOps Plan with a custom SSL certificate, import the devopsplanRootCA.crt root certificate into the browser.
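
The procedure above, run non-interactively and followed by four checks on the result, as an added example that is not part of the original page. The FQDN plan.example.test, the password, the -subj values and the two function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. FQDN and password below are constructed values.
set -eu

build_keystore() (   # $1 = work dir, $2 = server FQDN, $3 = export password
  cd "$1"; fqdn=$2
  # Step 2: root CA key and self-signed root certificate.
  openssl genrsa -out devopsplanRootCA.key 2048 2>/dev/null
  openssl req -x509 -new -nodes -key devopsplanRootCA.key -sha256 -days 1024 \
    -subj "/CN=DevOps Plan example root CA" -out devopsplanRootCA.crt
  # Steps 3 and 4: server key, then a CSR whose Common Name is the FQDN.
  openssl genrsa -out "$fqdn.key" 2048 2>/dev/null
  openssl req -new -key "$fqdn.key" -subj "/CN=$fqdn" -out "$fqdn.csr"
  # Step 5: write openssl.ext as listed on the page, then sign the CSR.
  printf '%s\n' 'authorityKeyIdentifier=keyid,issuer' 'basicConstraints=CA:FALSE' \
    'keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment' \
    'subjectAltName = @alt_names' '' '[alt_names]' "DNS.1 = $fqdn" > openssl.ext
  openssl x509 -req -in "$fqdn.csr" -CA devopsplanRootCA.crt \
    -CAkey devopsplanRootCA.key -CAcreateserial -out "$fqdn.crt" \
    -days 500 -sha256 -extfile openssl.ext 2>/dev/null
  # Step 6: bundle key, certificate and root into the PKCS12 keystore.
  openssl pkcs12 -export -out keystore.p12 -inkey "$fqdn.key" -in "$fqdn.crt" \
    -certfile devopsplanRootCA.crt -passout "pass:$3"
  chmod 600 ./*.key keystore.p12   # private keys stay readable by the owner only
)

check_keystore() (   # same arguments; the exit status names the failed check
  cd "$1"; fqdn=$2
  # 1: the server certificate must chain to the root that clients will trust.
  openssl verify -CAfile devopsplanRootCA.crt "$fqdn.crt" >/dev/null 2>&1 || exit 1
  # 2: the FQDN must appear in subjectAltName (openssl.ext was really applied).
  openssl x509 -in "$fqdn.crt" -noout -text | grep -qF "DNS:$fqdn" || exit 2
  # 3: the certificate must carry the public half of the server key.
  [ "$(openssl x509 -in "$fqdn.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$fqdn.key" -pubout)" ] || exit 3
  # 4: the keystore must open with the export password given to DevOps Plan.
  openssl pkcs12 -in keystore.p12 -passin "pass:$3" -noout 2>/dev/null || exit 4
)

demo=$(mktemp -d)
build_keystore "$demo" plan.example.test 'constructed-pass'
check_keystore "$demo" plan.example.test 'constructed-pass' && echo "keystore OK"
```

Passing the password as pass:... exposes it in the process list; OpenSSL also accepts env: and file: sources for -passout and -passin.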