So, in summary, you need to do the following:
- Backup BAS keystore
- Delete the default alias from keystore
- Generate a new key in keystore
- Generate CSR
- Submit CSR to your CA
- Import CA(s)
- Import public key for your SSL certificate
Now, I am using Microsoft CA to generate the SSL certificate and my BAS 10 is running on Windows 2008 R2 (x64). All the commands below use keytool.exe, which is located in your Java JRE\bin folder.
You need to either reset your web keystore password or get the current password from the BES10 console: Servers and components - BlackBerry Solution Topology - BlackBerry Domain - Component View - BlackBerry Administration Service. Under Security settings, there is a Default password to encrypt the web.keystore file.
Backup BAS keystore
Just take a copy of the following file:
C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore
Delete the default alias from keystore
This deletes the key pair with the alias httpssl, which is the one BAS 10 uses.
keytool -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore"
This will ask for the keystore password - enter it
Generate a New Key in Keystore
Replace the -dname value with your own. CN is the FQDN the SSL certificate is to be used for.
keytool -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -dname "CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU" -keyalg RSA -keysize 2048
Generate CSR
This generates a certreq.csr file which will be used for the next step
keytool -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\certreq.csr" -keyalg RSA -keysize 2048
Submit CSR to your CA
Navigate to your CA using IE browser: https://caserver.domain.local/certsrv
Navigate to Request a certificate
Navigate to Submit a certificate request by using a base-64-encoded CMC or ...
Paste the content of the CSR file to the Saved Request field
Use the default: Web Server template
Submit
Download the certificate
Download all the root and issuing/intermediate CA certificates as well
Import CA(s)
Import all the CA certificates you have (e.g. root/issuing/intermediate). Make sure you use a unique alias name for each CA.
keytool -import -alias rootca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\rootca.cer"
keytool -import -alias intermediateca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\issuingca.cer"
Import Public Key for SSL Certificate
This imports the certificate from your CA to the keystore
keytool -import -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\public.cer"
Restart the BlackBerry Administration Service - Native Code Container
You can also do the same thing for the BlackBerry Management Studio (*Fusion) using the same steps above.
The keystore location is:
C:\Program Files (x86)\Research In Motion\BlackBerry Management Studio\BlackBerryMobileFusion.keystore
The keypair name is: fusionssl
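A check to run against the keystore once the steps above are done, as an added example that is not part of the original post: it reads the text printed by keytool -list -v for the alias and reports whether the entry still holds its private key, whether the self-signed certificate from the key-generation step has been replaced by the CA reply, and whether the CN is the expected FQDN. The function name, the two sample listings and the CA name in them are constructed for illustration, and the line labels are assumed to match your JRE's keytool output.

```powershell
# Added example (not from the original post): classify the text printed by
#   keytool -list -v -alias httpssl -keystore "<path to web.keystore>"
# Assumption: keytool labels its lines "Entry type:", "Certificate chain length:",
# "Owner:" and "Issuer:"; adjust the patterns if your JRE prints them differently.
function Test-KeystoreEntry {
    param([string[]]$Lines, [string]$ExpectedCN)
    $text = $Lines -join "`n"
    $type = ''; $chain = 0; $owner = ''; $issuer = ''; $cn = ''
    # The first Owner/Issuer pair belongs to Certificate[1], the server certificate.
    if ($text -match '(?m)^Entry type:\s*(\S+)')               { $type   = $Matches[1] }
    if ($text -match '(?m)^Certificate chain length:\s*(\d+)') { $chain  = [int]$Matches[1] }
    if ($text -match '(?m)^Owner:\s*(.+)$')                    { $owner  = $Matches[1].Trim() }
    if ($text -match '(?m)^Issuer:\s*(.+)$')                   { $issuer = $Matches[1].Trim() }
    if ($owner -match 'CN=([^,]+)')                            { $cn     = $Matches[1].Trim() }
    if ($type -ne 'PrivateKeyEntry') {
        return "FAIL: entry type is '$type'; the alias has no private key, so the server cannot use it"
    }
    if ($owner -eq $issuer) {
        return 'FAIL: certificate is still self-signed; the CA reply has not been imported'
    }
    if ($chain -lt 2) {
        return 'FAIL: chain has no CA certificate; import the CA certificates, then the reply again'
    }
    if ($cn -ne $ExpectedCN) {
        return "FAIL: certificate subject '$owner' does not carry CN=$ExpectedCN"
    }
    return "OK: $ExpectedCN has a private key and a chain of $chain certificates"
}

# Constructed sample: the alias right after the key-generation step (no CA reply yet).
$afterGenkey = @'
Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU
Issuer: CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU
'@ -split "`r?`n"
# Constructed sample: the alias after the CA certificates and the reply were imported.
$afterImport = @'
Alias name: httpssl
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU
Issuer: CN=Example Issuing CA, DC=domain, DC=local
'@ -split "`r?`n"
Test-KeystoreEntry $afterGenkey 'bes.domain.local'
Test-KeystoreEntry $afterImport 'bes.domain.local'
```

To run it on the real keystore, pass the captured output of the keytool -list -v command named in the first comment as the first argument. For the Management Studio keystore, list the fusionssl alias instead.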