
I'm currently running Gitblit on Windows Server 2012 to centrally host our Git repos. I have been using a self-signed cert as per setup instructions on Gitblit but I want to use an SSL cert from VeriSign or GoDaddy. It appears that there is no documentation or FAQ on Gitblit to explain how to generate a CSR and where to load the crt when completed.

Are there any GitBlit users that have been able to install a cert from a verified CA?

Edited: The reason I needed the CA cert imported is because TeamCity would error out because of not verified ssl when setting up a git CVS to run build tests.

  • I've actually come across some helpful things with Keytool with generating the csr for the CA and how to import that cert into the keystore file. I will post steps when I've completed successfully. – chrisLawrence Nov 30 '12 at 22:09
  • I have the issue log also at [http://code.google.com/p/gitblit/issues/detail?id=98](http://code.google.com/p/gitblit/issues/detail?id=98). But here is the basic workaround. "I ended up completely abandoning getting the Gitblit CA Cert reply imported and went to the TeamCity server, browsed to the https site for my Gitblit server, and exported the cert to a local file. Then I used portecle (very helpful to help understand keystores! thx James) to import the self-signed cert into the TeamCity's jre cacert. Restarted Web and Build agent services and it connected successfully." – chrisLawrence Dec 04 '12 at 17:06

1 Answer

I have just gone through the same process as yourself on Windows Server 2008 R2. I wanted a wildcard certificate to work with Gitblit and other services that I wanted to run.

First of all I created the CSR in IIS and installed the certificate into there. I had done this before and was wanting to use the certificate in IIS anyway so this made sense to use IIS for this part of the process. Follow your CA's instructions regarding intermediate certificates as well.

I then had a lot of trial and error to get the next stage to work but got it going by doing the following:

  1. Open MMC
  2. Add Snap-in and choose Certificates for Local Computer
  3. Go to Personal, Certificates and select the relevant certificate.
  4. Open the Certificate and click on the Details tab, then click on Copy to File
  5. Click Next, then choose to export the private Key and click Next
  6. Make sure that "Include all certificates in the certification path if possible" is checked and that the other 2 boxes are not. Click on Next.
  7. Enter a password then click Next.
  8. Enter a File Name and click Next then Finish the creation of the file.

I then used Portecle to open the existing Keystore that was created by Gitblit using the password of gitblit (or whatever was set when you created the keystore). To import the certificate click on Tools, Import Key Pair and browse to the file created above. It will ask you to enter the password for the certificate, then to select a key pair to import and an alias for it.

Once that certificate is in the keystore you can remove the self-signed certificate as it is not needed anymore.

I then restarted Gitblit and connected with the hostname matching the certificate and everything was good.

The main problem I was having resulted from not including the whole chain when exporting the certificate from IIS.

I hope this helps as it took me a couple of days to figure it out myself.

Simon Dick
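The failure the answer names, a key pair exported without its whole chain, can be seen in the keystore itself. The following is an added example, not part of the original answer: a Python check over the text printed by `keytool -list -v -keystore <keystore>`. The sample listing is constructed and trimmed, and its alias and CA names are made up.

```python
import re

# Constructed, trimmed sample of `keytool -list -v` output (all names are made up).
SAMPLE = """\
Alias name: gitblit-selfsigned
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=localhost, OU=Gitblit
Issuer: CN=localhost, OU=Gitblit
Alias name: wildcard-leaf-only
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.example.com
Issuer: CN=Example Intermediate CA
Alias name: wildcard-full-chain
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=*.example.com
Issuer: CN=Example Intermediate CA
Certificate[2]:
Owner: CN=Example Intermediate CA
Issuer: CN=Example Root CA
"""

def audit_keystore(listing):
    """Map each private-key alias to self-signed, missing-chain, broken-chain or chained."""
    verdicts = {}
    for entry in re.split(r"(?m)^(?=Alias name: )", listing):
        alias = re.search(r"(?m)^Alias name: (.+)$", entry)
        if not alias or "Entry type: PrivateKeyEntry" not in entry:
            continue  # preamble and trusted-certificate entries hold no server key
        owners = [o.strip() for o in re.findall(r"(?m)^Owner: (.+)$", entry)]
        issuers = [i.strip() for i in re.findall(r"(?m)^Issuer: (.+)$", entry)]
        if not owners or len(owners) != len(issuers):
            verdict = "unparsed"
        elif len(owners) == 1:
            # A lone CA-issued leaf is the export made without the chain.
            verdict = "self-signed" if owners[0] == issuers[0] else "missing-chain"
        else:
            # Every certificate must be issued by the next one in the entry.
            linked = all(issuers[i] == owners[i + 1] for i in range(len(owners) - 1))
            verdict = "chained" if linked else "broken-chain"
        verdicts[alias.group(1).strip()] = verdict
    return verdicts
```

An alias reported as `missing-chain` corresponds to an export where "Include all certificates in the certification path if possible" was not applied; `self-signed` marks the entry the answer says can be removed once the CA-issued key pair is in place.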