Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager

When you install the BlackBerry Administration Service and BlackBerry Web Desktop Manager, the setup application generates an SSL certificate to protect the HTTPS connection. After the installation process completes, you can import a self-signed SSL certificate or a trusted certificate that a certification authority signs. If you configure a BlackBerry Administration Service pool, you must generate an SSL certificate that uses the name of the BlackBerry Administration Service pool.

For more information about using the keytool, visit java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html.

Before you begin: If you want to use a trusted certificate, copy the root certificate of the certification authority to the computer that hosts the BlackBerry Administration Service.
  1. On a computer that hosts a BlackBerry Administration Service instance, back up the web.keystore file in <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin.
  2. Using the keytool in <drive>:\Program Files\Java\<JRE_version>\bin, delete the default SSL certificate that the setup application generated (for example, keytool -delete -alias httpssl -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore").
  3. Using the keytool and the SSL password that you specified when you installed the BlackBerry Administration Service, generate a new entry and private key in the web.keystore file (for example, keytool -genkey -alias httpssl -keypass <password> -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"). When the keytool prompts you for the first name and last name, type the pool name of the BlackBerry Administration Service. You can find the pool name in the Administration Service – High Availability tab.
  4. If you want to use a trusted certificate, using the keytool, import the root certificate of the certification authority (for example, keytool -import -alias <ca_alias_name> -file <root_certificate_file>.cer -trustcacerts -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore").
  5. Using the keytool, generate a certificate signing request (for example, keytool -certreq -alias httpssl -file <certreq_filename>.csr -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore").
  6. Send the certificate signing request to a certification authority so that the certification authority can create the certificate.
  7. When the certification authority returns the certificate, copy it into a text file and save it with a .cer extension.
  8. Using the keytool, import the certificate to the web.keystore file (for example, keytool -import -alias httpssl -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -file "<certificate_filename>.cer").
  9. In the Windows Services, restart the BlackBerry Administration Service services.
  10. Complete the following actions on each computer that hosts a BlackBerry Administration Service instance:
    1. Copy the web.keystore file in the <drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin folder from the BlackBerry Administration Service that you updated to the other BlackBerry Administration Service instances.
    2. In the Windows registry, copy the WebKeyStorePass value in the HKEY_CURRENT_USER\Software\Research In Motion\BlackBerry Enterprise Server\Administration Service\Key Store key from the BlackBerry Administration Service that you updated to the other BlackBerry Administration Service instances.
    3. In the Windows Services, restart the BlackBerry Administration Service services.
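
A check worth running after step 8, before the restart in step 9 and the copy in step 10: confirm that the httpssl entry still holds a private key and that its subject CN is the pool name. This PowerShell function is an added example, not part of the original BlackBerry documentation; the function name Test-BasKeystoreEntry, its parameters, and the sample keytool output and pool name are assumptions constructed for illustration.

```powershell
# Added example (not vendor code). Function and parameter names are hypothetical.
# Real input is the output of (keytool prompts for the keystore password):
#   keytool -list -v -alias httpssl -keystore "<drive>:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
function Test-BasKeystoreEntry {
    param(
        [Parameter(Mandatory = $true)] [string[]] $KeytoolOutput,
        [Parameter(Mandatory = $true)] [string]   $PoolName
    )
    $text     = $KeytoolOutput -join "`n"
    $problems = @()
    $cn = $null; $chain = 0; $selfSigned = $false

    # The CA reply must land on the key pair from step 3. A reply imported under
    # another alias, or after the key was deleted, is listed as trustedCertEntry.
    if ($text -notmatch '(?m)^Entry type:\s*PrivateKeyEntry') {
        $problems += 'httpssl has no private key (not a PrivateKeyEntry)'
    }
    if ($text -match '(?m)^Certificate chain length:\s*(\d+)') { $chain = [int]$Matches[1] }

    # -match returns the first hit, which is Certificate[1], the server certificate.
    if ($text -match '(?m)^Owner:\s*(.+)$') {
        $subject = $Matches[1].Trim()
        if ($subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }
        if ($text -match '(?m)^Issuer:\s*(.+)$') { $selfSigned = ($Matches[1].Trim() -eq $subject) }
    }
    if ($cn -ne $PoolName) {   # string -ne is case-insensitive in PowerShell
        $problems += "subject CN '$cn' does not match pool name '$PoolName'"
    }
    New-Object psobject -Property @{
        SubjectCN = $cn; ChainLength = $chain; SelfSigned = $selfSigned; Problems = $problems
    }
}

# Constructed sample output for illustration; every name and value is made up.
$sample = @'
Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=baspool.example.com, OU=IT, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
Certificate[2]:
Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US
'@ -split "\r?\n"

$result = Test-BasKeystoreEntry -KeytoolOutput $sample -PoolName 'baspool.example.com'
$result | Format-List
if ($result.Problems.Count -gt 0) { Write-Warning ($result.Problems -join '; ') }
```

If you expected a trusted certificate and the result still shows SelfSigned as True with a chain length of 1, the certification authority's reply was not applied to the httpssl key pair.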