Installing Certificate Authority Signed Certificates in GitBlit

This short tutorial covers the poorly documented problem of installing Certificate Authority signed certificates in GitBlit.
We took StartSSL as an example because it offers verified wildcard SSL certificates for FREE, which are certainly the best
solution for your small company's private git service!
First of all you need to register on StartSSL at https://www.startssl.com/ for a free certificate.
I won’t cover these steps, which you can get through in a handful of easy clicks.
Sometimes the service is too busy and doesn’t let you register. If you need a more affordable service you can google for it and you’ll easily find this kind of service for less than 50$.

Whether you are lucky enough to proceed with StartSSL or you find another service that suits your needs,
after some steps you’ll obtain a private key; this is the starting point.
The private key you download is encrypted (if you cat the .key file you’ll read Proc-Type: 4,ENCRYPTED in the header). This can be a problem when you deal with Java, so let’s decrypt it.
To do this, open up your dusty console and type:

openssl rsa -in your.private.key -out unencrypted.key

NOTE: make sure you keep your unencrypted private key in a safe place; once someone else can read it, say goodbye to your encryption desires!

Now is the moment to issue a Certificate Signing Request (CSR). With this intermediate step you ask your Certificate Authority to produce a valid certificate for your server.
Type this command in your console:

openssl req -out yourcsr.csr -key unencrypted.key -new

If everything goes well the console will ask you for some personal info. It is important to fill in the whole form, but the most important field is the Common Name: in this field you have to put the hostname that will be served by this certificate (e.g. if your website is http://somehost.somedomain.com put somehost.somedomain.com here).
Complete the form and go back to your prompt.

Now print the content of yourcsr.csr, copy it from the console and paste it into your CA’s web page (yeah, a big white text box is waiting for your CSR :-)). After some computing you’ll be able to download the certificate.
With your private key and your certificate we can now do the magic. Open up the console and type:

openssl pkcs12 -inkey unencrypted.key -in yourhostcertificate.crt -export -out yourkeystore.p12
keytool -importkeystore -srckeystore yourkeystore.p12 -srcstoretype pkcs12 -destkeystore serverKeyStore.jks

NOTE: if you don’t set the keystore password to the default “gitblit”, you have to change it in /yourgitblitpath/data/gitblit.properties -> server.storePassword =

Now you have all you need except the alias of your certificate inside the keystore. This is important because GitBlit, once your keystore is decrypted, needs to know which certificate to pick. Have a look at the keystore with:

keytool -list -keystore serverKeyStore.jks

If everything has gone well you’ll have something like this:


Tipo keystore: JKS

Provider keystore: SUN

Il keystore contiene 1 voce

thisisthealiasyourlookingfor, 20-nov-2013, PrivateKeyEntry,

Impronta digitale certificato (SHA1): xx:xx:xx:xx:xx:xx:xx

Where you read thisisthealiasyourlookingfor you’ll find the alias! Copy and paste the alias into /yourgitblitpath/data/gitblit.properties -> server.certificateAlias.

The last step is to overwrite the default serverKeyStore.jks in /yourgitblitpath/data/ with your brand new one and restart the server.
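
A few checks for the steps above, as an added example that is not part of the original tutorial or of GitBlit: detect a key that is still encrypted, pull the private-key alias out of a keytool listing whatever its locale, and confirm that server.certificateAlias matches it. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity checks around the openssl/keytool steps above.
# Function names and all sample data are constructed for illustration.

# Exit 0 when a PEM private key is still passphrase-protected. Traditional
# OpenSSL keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use an
# "ENCRYPTED PRIVATE KEY" armor line instead.
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Read `keytool -list` output on stdin and print the alias of each private-key
# entry. "PrivateKeyEntry" appears unchanged in the Italian listing above, so
# matching on it does not depend on the keytool locale.
private_key_aliases() {
    awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# Print the value of key $2 from the properties file $1 (last assignment wins).
property_value() {
    awk -v k="$2" '{
        i = index($0, "="); if (i == 0) next
        name = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
        if (name == k) { val = substr($0, i + 1); gsub(/^[ \t]+|[ \t\r]+$/, "", val) }
    } END { print val }' "$1"
}

# Exit 0 when server.certificateAlias in properties file $1 names a private-key
# entry found in the saved keytool listing $2.
alias_configured() {
    want=$(property_value "$1" server.certificateAlias)
    [ -n "$want" ] && private_key_aliases < "$2" | grep -Fxq -- "$want"
}

# Demo on a constructed listing (same shape as the output shown above).
demo_listing=$(mktemp)
cat > "$demo_listing" <<'EOF'
Tipo keystore: JKS
Provider keystore: SUN

Il keystore contiene 1 voce

thisisthealiasyourlookingfor, 20-nov-2013, PrivateKeyEntry,
Impronta digitale certificato (SHA1): xx:xx:xx:xx:xx:xx:xx
EOF
echo "alias to put in server.certificateAlias: $(private_key_aliases < "$demo_listing")"
rm -f "$demo_listing"
```

To use it on a real installation, save the output of the keytool -list command to a file and pass that file together with your gitblit.properties to alias_configured.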

Enjoy!