2.) Add a signed SSL certificate to BAS

This step is optional.

If you install BES 5.0.x for the first time, it creates a self-signed SSL certificate for you. Self-signed certificates often cause problems because they aren't trusted by the browser on the user's PC, and in the end your helpdesk has to deal with a wide range of issues caused by such a certificate. It is therefore a good idea to install a signed certificate (from Verisign, Comodo, Thawte, ... or your own CA). This section will help you create such a certificate.

 

2a.)

First we rename the existing keystore so that we have a backup of the original one if needed.

Go to c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\ and rename web.keystore to web.keystore.old

 

2b.)

You now need to add the new keystore password for your keystore. Open the BlackBerry Server Configuration (Note: this is normally installed on your BlackBerry server). Switch to "Administration Service - Cacert keystore". If you never changed the SSL config, the current password is greyed out and you only need to enter the new password in both fields. Please keep the new password in a safe place; you will need it in later steps and if you wish to renew the certificate!

 

2c.)

Open a CMD and navigate to c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\ and run the following command:

webGenKey.bat "C:\Program Files\Java\jre6" "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" <your password> <BB FQDN>

For example:

webGenKey.bat "C:\Program Files\Java\jre6" "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS" asd3563sad blackberry01.mycompany.com

After that, please verify that you have a new web.keystore in c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\

 

2d.)

We use a Comodo certificate in this example, so we will import the Comodo trusted certificates (I saved them to C:\00install) into our keystore. If you use another certificate authority (for example your own), you need to add that root to your keystore.

Perform the following steps:

keytool -import -alias COMODOHigh-AssuranceSecureServerCA -file c:\00install\COMODOHigh-AssuranceSecureServerCA(base64).cer -trustcacerts -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

keytool -import -alias COMODOAddTrustExternalCARoot -file c:\00install\AddTrustExternalCARoot(base64).cer -trustcacerts -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

 

2e.)

Now we will delete the private key that was automatically created by the BES environment, so that we can create a new one in a later step. Use the following command for that:

keytool -delete -alias httpssl -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

 

2f.)

Now create a new certificate with the following command:

keytool -genkey -alias httpssl -keyalg RSA -keysize 2048 -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

Please note that keytool will ask you for a "first and last name"; this is the FQDN of your BlackBerry server. In our example we enter "blackberry01.mycompany.com".

Example:

What is your first and last name?
[Unknown]:  blackberry01.mycompany.com
What is the name of your organizational unit?
[Unknown]:  IT
What is the name of your organization?
[Unknown]:  Wieczorek inc.
What is the name of your City or Locality?
[Unknown]:  Dortmund
What is the name of your State or Province?
[Unknown]:  Nordrhein-Westfalen
What is the two-letter country code for this unit?
[Unknown]:  DE
Is CN=blackberry01.mycompany.com, OU=IT, O=Wieczorek inc., L=Dortmund, ST=Nordrhein-Westfalen, C=DE correct?

 

2g.)

In the last step we need to generate a certification request which can be signed by the certification authority (CA). Run the following command for that:

keytool -certreq -keyalg RSA -alias httpssl -file C:\00Install\my_new_bas_certificate_request.csr -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"

 

2h.)

Now you need to let the certification authority (CA) sign your certificate (included in the csr file). Please note that if you can choose the certificate type, you should choose Tomcat.

2i.)

Once you have your signed certificate back, save it on the BlackBerry server. You now need to add it to the keystore via:

keytool -import -alias httpssl -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -trustcacerts -file C:\00Install\my_signed_certificate.cer

 

2j.)

The last step is now to restart the BAS services:

BlackBerry Administration Service - Application Server

BlackBerry Administration Service - Native Code Container

After a few minutes you should be able to access your BES webadmin and the BlackBerry Web Desktop Manager again.
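A check for the result of steps 2d to 2i, added here as an example and not part of the original guide: it reads the `keytool -list -v` listing for the httpssl alias and reports when the entry is still self-signed, has no CA chain, or carries the wrong CN. It assumes the field labels printed by the Java 6 keytool (Entry type, Certificate chain length, Owner, Issuer); the function name Test-BasKeystoreEntry and the sample listing are constructed for illustration.

```powershell
# Added example, not from the original guide: sanity-check the httpssl entry after 2i.
function Test-BasKeystoreEntry {
    param(
        [string[]]$KeytoolOutput,  # lines printed by "keytool -list -v -alias httpssl ..."
        [string]$Fqdn              # the FQDN entered as "first and last name" in 2f
    )
    # First capture group of the first matching line, or $null when no line matches.
    function Get-Field($pattern) {
        $m = $KeytoolOutput | Select-String -Pattern $pattern | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value.Trim() }
    }
    $type   = Get-Field '^Entry type:\s*(\S+)'
    $chain  = [int](Get-Field '^Certificate chain length:\s*(\d+)')
    $owner  = Get-Field '^Owner:\s*(.+)$'    # first Owner/Issuer pair = server certificate
    $issuer = Get-Field '^Issuer:\s*(.+)$'

    $problems = @()
    if ($type -ne 'PrivateKeyEntry') {
        $problems += "httpssl is '$type', so the signed certificate is not attached to the private key"
    }
    if ($owner -eq $issuer) {
        $problems += 'server certificate is still self-signed (Owner equals Issuer)'
    }
    if ($chain -lt 2) {
        $problems += "chain length is $chain, so the CA certificates from 2d are not chained to the key"
    }
    if ($owner -notmatch ('^CN=' + [regex]::Escape($Fqdn) + '(,|$)')) {
        $problems += "CN in Owner does not match $Fqdn"
    }
    $problems
}

# Constructed sample: the entry as it looks after 2f, before the CA reply is imported.
$sample = @'
Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=blackberry01.mycompany.com, OU=IT, O=Wieczorek inc., L=Dortmund, ST=Nordrhein-Westfalen, C=DE
Issuer: CN=blackberry01.mycompany.com, OU=IT, O=Wieczorek inc., L=Dortmund, ST=Nordrhein-Westfalen, C=DE
'@ -split '\r?\n'

$problems = @(Test-BasKeystoreEntry -KeytoolOutput $sample -Fqdn 'blackberry01.mycompany.com')
if ($problems.Count) { $problems | ForEach-Object { "FAIL: $_" } } else { 'OK: CA-signed chain on httpssl' }

# Real keystore (keytool prompts for the password set in 2b):
# $out = & keytool -list -v -alias httpssl -keystore "c:\Program Files\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
# Test-BasKeystoreEntry -KeytoolOutput $out -Fqdn 'blackberry01.mycompany.com'
```

Running it before restarting the services in 2j catches a CA reply that was imported under a different alias, which leaves httpssl self-signed.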

 

Troubleshooting:

A.) If the BES webadmin and the BlackBerry Web Desktop Manager aren't working after the services have been restarted, please open the Task Manager and check whether BAS-AS.exe and BAS-NC.exe are taking more than 12-15 MB (in most environments they use around 500 and 80 MB). If that is the case, open regedit and go to HKCU\software\Research in Motion\Blackberry Enterprise Server\Administration Service\Key Store. Copy the value from WebKEyStore to Cacerts and add CacertsKeyStorePassIsEncrypted REG_SZ 1 (if it isn't already set to 1). Please make a copy of the old values so that you can put them back if this doesn't solve the issue. After changing the registry, save it and restart the services from 2j.

B.) Do not try to use different passwords here. This will not work!

 

Further information:

Import a new SSL certificate for the BlackBerry Administration Service and BlackBerry Web Desktop Manager