
Generating and Implementing a Self-signed Certificate

Use this procedure to generate a self-signed certificate.

To generate your own self-signed certificate with a keystore in place of a purchased one, do the following:

  1. Run the following keytool command, found in the JDK (or in the JRE that ships with Code Insight). The long line is a single command; note that each option is separated from its value by a space:

    • keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias "<keyAlias>" -keystore <keystoreFile> -storepass "<keystorePass>" -validity <numDays> -keysize 2048 -ext san=<ip:ipAddress,dns:domainName...>

    • Provide the following values in the command:

    • keyAlias—The alias for the certificate entry in the keystore

    • keystoreFile—The file name of the keystore that will hold the private key and certificate (for example, codeinsight.jks)

    • keystorePass—The password for the keystore. keytool also prompts for a separate password for the key entry; press Enter to reuse the keystore password. Tomcat assumes by default that the key password and the keystore password are the same, so do not choose a different one unless you also configure it in Tomcat.

    • numDays—The number of days the certificate remains valid, counted from the day it is generated

    • ip:ipAddress,dns:domainName...—One or more values specified for the san (subject alternative name) extension, each value indicating an IP address or domain name (hostname) secured by the certificate.

    • Enter as many values as needed, separating each with a comma, to ensure that a given domain can be accessed during TLS communication. (For example, you might want to enter both the IP address and domain name for the instance containing a Scan Server to ensure that the instance can be accessed by whichever identifier is used during communication.) Enter each IP address in the format ip:ipAddress and each domain name in the format dns:domainName. The san extension is not optional: current browsers compare the server name against the subject alternative names and ignore the CN, so a certificate that does not list the name or address a client actually uses is rejected. The following shows an example san parameter:

    • -ext san=ip:93.184.222.33,dns:localhost

  2. When prompted, What is your first and last name?, enter the server's hostname or IP address. This value becomes the CN of the certificate subject; clients match the server name against the san values, so the CN should repeat one of them rather than a person's name.

  3. Leave the remainder of the prompts blank, except for the last one:

    Is CN=<yourServerNameOrIPAddress>, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
    • For this prompt, type yes. keytool then asks for the key password; press Enter to use the keystore password.
  4. Export the certificate from the keystore and import it into cacerts, located in <CODEINSIGHT_ROOT_DIR>\jre\lib\security. cacerts is the trust store of the JRE that runs Code Insight, so this step is what allows Java components on the instance (for example, a Core Server connecting to a Scan Server over HTTPS) to trust the self-signed certificate. Back up cacerts before changing it. Run the following commands in the order shown; when keytool prompts for the cacerts password, enter it (the JDK default is changeit). The delete command is only needed if an entry with that alias already exists in cacerts; keytool reports an error if it does not.

    • keytool -export -alias "<keyAlias>" -file <file>.crt -keystore <keystoreFile>

    • keytool -delete -alias "<keyAlias>" -keystore cacerts

    • keytool -import -alias "<keyAlias>" -keystore cacerts -file <file>.crt

  5. Copy the generated keystore to <CODEINSIGHT_ROOT_DIR>\tomcat.

  6. Follow the procedure in Enabling an HTTPS Connection to complete the configuration steps that enable HTTPS on the instance running Code Insight.

    • If a self-signed certificate is used on the Code Insight server, browsers on each client that accesses Code Insight warn that the certificate is not trusted. Either add a certificate exception in the browser or, preferably, distribute the exported .crt file and import it into the client's trust store. In both cases, compare the certificate fingerprint shown by the client with the one reported on the server (keytool -printcert -file <file>.crt) before trusting it, so that a client is not taught to trust a different certificate presented by an intermediary.

Example: Generating and Implementing a Self-signed Certificate

The following example demonstrates how to generate and store a self-signed certificate for use by Code Insight. The example assumes that Code Insight is installed on the C drive; and, for simplicity, it uses the name “codeinsight” to identify the keystore, alias, and password. For a real deployment, choose a strong keystore password: it protects the private key that the server's identity depends on.

  1. Create a working folder in which to generate a keystore and a self-signed certificate. This example uses the folder mywork on the C drive.

  2. From a command line, navigate to the working folder: cd C:\mywork

  3. Run the following command, which generates a private key and a self-signed certificate and stores them as the entry codeinsight in a new keystore, codeinsight.jks. (No codeinsight.crt file is created at this point; the certificate is exported from the keystore in Step 4.) For a real server, also add the -ext san=... option described in the procedure above so that the certificate lists the hostname and IP address of the server.

    • keytool -genkey -keyalg RSA -sigalg SHA256withRSA -alias codeinsight -keystore codeinsight.jks -storepass codeinsight -validity 3600 -keysize 2048

  4. Import the new certificate into cacerts by running the following commands in the order shown. These commands export the newly generated certificate from the keystore to the mywork folder, delete any existing “codeinsight” entry in cacerts, and then import the certificate into cacerts. keytool prompts for the cacerts password (the JDK default is changeit). If no “codeinsight” entry exists yet, the delete command fails with an error; skip it in that case.

    • keytool -export -alias codeinsight -file codeinsight.crt -keystore codeinsight.jks

    • keytool -delete -alias codeinsight -keystore C:\CodeInsight\jre\lib\security\cacerts

    • keytool -import -alias codeinsight -keystore C:\CodeInsight\jre\lib\security\cacerts -file C:\mywork\codeinsight.crt

    • To ensure that the certificate has been imported into cacerts, run the following command, which prints the entry stored under the alias codeinsight. The output should show a trustedCertEntry with that alias and, if you specified the san extension, a SubjectAlternativeName section listing the names and addresses you entered.

    • keytool -v -list -keystore C:\CodeInsight\jre\lib\security\cacerts -alias codeinsight

  5. Copy the keystore created in Step 3 to Tomcat: copy c:\mywork\codeinsight.jks C:\CodeInsight\tomcat\

  6. In catalina.bat, add the following JVM option, and then save the file:

    • -Dcodeinsight.ssl=true
  7. Replace tomcat\conf\server.xml with the server.xml in tomcat\https, and then make the changes to the replacement server.xml as described in Enabling an HTTPS Connection. Save the file.

  8. Restart Tomcat. For more information, see Starting and Stopping Tomcat.

  9. In a browser, open Code Insight using the HTTPS protocol: https://<hostname>:8888/codeinsight

  10. To enable HTTPS communications between the Core Server and a Scan Server, perform these steps:

    • On the Code Insight Dashboard, click administration. The Administration page appears with a list of side tabs.

    • From the Administration page, select the Scan Servers tab.

    • Add a new Scan Server, or select a Scan Server to edit.

    • In the Host field, enter the hostname for the Scan Server. Use a hostname (or IP address) that the Scan Server's certificate covers in its san extension, so that the name the Core Server connects to matches the certificate.

    • In the Port field, enter the HTTPS port for the Scan Server.

    note

    You might need to accept browser warnings the first time that the application comes up; these messages should go away after the initial session.


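The following script is an added example written for this page; it is not part of the Code Insight documentation or product. It carries out the general procedure above and the worked example (Steps 1 through 5) in one non-interactive run, adds the checks a practitioner wants (a backup of cacerts, deleting the old alias only when it exists, and confirming that the imported entry really carries the requested san values), and prints the fingerprint that clients should compare before trusting the certificate. The install directory C:\CodeInsight, the working folder C:\mywork, the hostnames, the IP address and the keystore password are assumptions; the cacerts password changeit is the JDK default and may differ on your installation.

```powershell
# Added example, not from the Code Insight documentation. Scripted form of the
# procedure above; every path, name, address and password here is an assumption.
$ErrorActionPreference = 'Stop'

$CodeInsightRoot = 'C:\CodeInsight'                                # assumed install dir
$KeyTool      = Join-Path $CodeInsightRoot 'jre\bin\keytool.exe'   # the JRE that runs Tomcat
$CaCerts      = Join-Path $CodeInsightRoot 'jre\lib\security\cacerts'
$WorkDir      = 'C:\mywork'
$Alias        = 'codeinsight'
$Keystore     = Join-Path $WorkDir 'codeinsight.jks'
$CertFile     = Join-Path $WorkDir 'codeinsight.crt'
$StorePass    = 'codeinsight'     # example only; use a strong password for a real server
$CaCertsPass  = 'changeit'        # JDK default for cacerts; change it if yours differs
$ValidityDays = 3600
$HostNames    = @('codeinsight.example.internal', 'localhost')   # assumed server names
$IpAddrs      = @('10.0.0.15')                                   # assumed server address

New-Item -ItemType Directory -Force -Path $WorkDir | Out-Null

# Every name or address a client may use must be in the SAN extension; browsers
# match the SAN list, not the CN.
$san = (($HostNames | ForEach-Object { "dns:$_" }) + ($IpAddrs | ForEach-Object { "ip:$_" })) -join ','

# Steps 1-3: generate the key pair and self-signed certificate. -dname replaces the
# interactive prompts; -keypass equal to -storepass is what Tomcat expects by default.
# JKS matches the .jks keystore used in the procedure; PKCS12 also works with Tomcat.
& $KeyTool -genkeypair -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -alias $Alias -keystore $Keystore -storetype JKS `
    -storepass $StorePass -keypass $StorePass -validity $ValidityDays `
    -dname "CN=$($HostNames[0])" -ext "san=$san"
if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed' }

# Step 4a: export the certificate (PEM) for import into cacerts and for clients.
& $KeyTool -exportcert -rfc -alias $Alias -keystore $Keystore `
    -storepass $StorePass -file $CertFile
if ($LASTEXITCODE -ne 0) { throw 'keytool -exportcert failed' }

# Step 4b: back up cacerts, remove a stale entry under the same alias if one
# exists (keytool -delete errors out otherwise), then import the new certificate.
Copy-Item $CaCerts "$CaCerts.bak-$(Get-Date -Format 'yyyyMMddHHmmss')"
$null = & $KeyTool -list -alias $Alias -keystore $CaCerts -storepass $CaCertsPass
if ($LASTEXITCODE -eq 0) {
    & $KeyTool -delete -alias $Alias -keystore $CaCerts -storepass $CaCertsPass
}
& $KeyTool -importcert -noprompt -alias $Alias -keystore $CaCerts `
    -storepass $CaCertsPass -file $CertFile
if ($LASTEXITCODE -ne 0) { throw 'import into cacerts failed' }

# Step 4c: verify that the entry is in cacerts and carries the SAN values requested.
# keytool -list -v prints them as "DNSName: <name>" and "IPAddress: <addr>".
$listing = (& $KeyTool -list -v -alias $Alias -keystore $CaCerts -storepass $CaCertsPass) -join "`n"
foreach ($name in $HostNames) {
    if ($listing -notlike "*DNSName: $name*") { throw "SAN missing in cacerts entry: $name" }
}
foreach ($ip in $IpAddrs) {
    if ($listing -notlike "*IPAddress: $ip*") { throw "SAN missing in cacerts entry: $ip" }
}

# Step 5: install the keystore for Tomcat. catalina.bat, server.xml and the restart
# are done by hand as described in Enabling an HTTPS Connection.
Copy-Item $Keystore (Join-Path $CodeInsightRoot 'tomcat')

# Print the SHA-256 fingerprint so clients can check it before trusting the .crt.
& $KeyTool -printcert -file $CertFile | Select-String 'SHA256:'
```

Run it from an elevated PowerShell session, since cacerts under the install directory is normally writable only by administrators. After Tomcat has been restarted, `keytool -printcert -sslserver <hostname>:8888` run from a client machine shows the certificate the server actually presents; its fingerprint should match the one printed by the script, which confirms both that the right keystore is in use and that no intermediary is in the path.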