Managing certificates

By default, Black Duck uses an HTTPS connection. The default certificate used to run HTTPS is a self-signed certificate, which means that it was created locally and was not signed by a recognized Certificate Authority (CA).

If you use this default certificate, you must add a security exception in your browser to log in to the Black Duck UI, because the browser does not recognize the issuer of the certificate and therefore rejects it by default.

You will also receive a certificate warning when the scanner connects to the Black Duck server, because the scanner cannot verify a self-signed certificate that was not issued by a CA.

You can obtain a signed SSL certificate from a Certificate Authority of your choice. To obtain a signed SSL certificate, create a Certificate Signing Request (CSR), which the CA then uses to create a certificate that will identify the server running your Black Duck instance as "secure". After you receive your signed SSL certificate from the CA, you can replace the self-signed certificate.

To create an SSL certificate keystore:

  1. At the command line, to generate your SSL key and a CSR, type:

    openssl genrsa -out <keyfile> <keystrength>

    openssl req -new -key <keyfile> -out <CSRfile>

    where:

    • <keyfile> is <your company’s server name>.key

    • <keystrength> is the size, in bits, of your site's public encryption key

    • <CSRfile> is <your company’s server name>.csr

    Note: It is important that the name entered for your company’s server be the full hostname that your SSL server will reside on, and that the organization name be identical to what is in the 'whois' record for the domain.

    For example:

    openssl genrsa -out server.company.com.key 1024

    openssl req -new -key server.company.com.key -out server.company.com.csr

    This example creates a CSR for server.company.com to get a certificate from the CA.

  2. Send the CSR to the CA by their preferred method (usually through a web portal).

  3. Indicate that you need a certificate for an Apache web server.

  4. Provide any requested information about your company to the CA. This information must match your domain registry information.

  5. Once you receive your certificate from the CA, use the instructions in the next section to upload the certificate into a Black Duck instance.
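The key and CSR generation from step 1, as an added shell example that is not part of the Black Duck documentation: it runs the same two openssl commands non-interactively and then checks the CSR (hostname in the CN, public key matches the private key, signature valid) before it is sent to the CA. It assumes openssl is installed; the hostname bd.example.com and the organization name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Black Duck documentation. Assumes openssl is on PATH;
# the hostname bd.example.com and organization name are constructed placeholders.
set -eu

# make_csr HOST BITS DIR: writes DIR/HOST.key and DIR/HOST.csr, i.e. the two
# commands from step 1 with the subject supplied on the command line instead
# of at the interactive prompt.
make_csr() {
  host=$1; bits=$2; dir=$3
  openssl genrsa -out "$dir/$host.key" "$bits" 2>/dev/null
  # CN must be the full hostname the Black Duck server is reached at;
  # O must match the organization in the domain's whois record.
  openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
    -subj "/C=US/O=Example Corp/CN=$host" 2>/dev/null
}

# csr_cn CSRFILE: prints the CN from the CSR subject, so it can be compared
# with the intended hostname before the CSR goes to the CA.
csr_cn() {
  openssl req -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# csr_matches_key CSRFILE KEYFILE: succeeds only if the public key embedded in
# the CSR is the one derived from KEYFILE (catches a CSR made from the wrong key).
csr_matches_key() {
  csr_pub=$(openssl req -noout -pubkey -in "$1" | openssl sha256)
  key_pub=$(openssl pkey -pubout -in "$2" | openssl sha256)
  [ "$csr_pub" = "$key_pub" ]
}

# csr_self_check CSRFILE: verifies the CSR's own signature, which a CA checks
# first when it receives the request.
csr_self_check() {
  openssl req -noout -verify -in "$1" >/dev/null 2>&1
}

# Demonstration: generate a key and CSR, then run all three checks.
workdir=$(mktemp -d)
make_csr bd.example.com 2048 "$workdir"
echo "CN in CSR: $(csr_cn "$workdir/bd.example.com.csr")"   # bd.example.com
csr_matches_key "$workdir/bd.example.com.csr" "$workdir/bd.example.com.key" \
  && csr_self_check "$workdir/bd.example.com.csr" && echo "CSR checks passed"
rm -rf "$workdir"
```

The example uses a 2048-bit key; public CAs no longer issue certificates for 1024-bit RSA keys, so use at least 2048 for the <keystrength> value.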