GitBlit: How to get a real cert imported to your keystore

Over the past several months I have really taken a liking to using git for my iOS projects, just because it feels like version control done right.  One of the problems that I do have with git is that it, in and of itself, has no user authentication.  No bueno.  A friend recommended to me an open source project, GitBlit, that provides an HTTP front end for git repositories and user management. 

One of the problems, however, is that GitBlit creates a self-signed cert for SSL access. This is problematic, as well, because command-line git doesn't like self-signed certs without explicitly telling it to ignore the unverified nature of the cert. This is not good, either.

This tutorial will walk you through how to setup GitBlit with a properly signed cert so that you can feel better about trusting the repository you're connecting to.

First off, you'll need to get a valid signed cert and private key. I use StartSSL which issues free, valid SSL certs. Once you have the private key, you'll need to create a Java keystore in which the private key will reside. I used KeyMan, a Java utility written by IBM, to create the keystore from the private SSL key.

In KeyMan, create a new KeyStore Token (password protected). Next, import your private key (File->Import). KeyMan will ask for the password on the private key in order to read it. Next, save the keystore by going to File->Save. KeyMan will prompt you for a password on the saved keystore. When prompted for the location of the keystore, make sure to save it in the root directory of your GitBlit installation with the name 'keystore'.

Close out of KeyMan and open the file. Look for the 'server.storePassword' key in the file and set the password you created for your keystore. Save the properties file and start GitBlit. You should now be able to connect to your GitBlit repositories without getting any SSL warnings!

If you want to do this via the command line, it's as easy as using the JRE keytool utility:

keytool.exe -importkeystore -srckeystore <PATH TO PRIVATE KEY> -destkeystore  <PATH TO KEYSTORE> -srcstoretype pkcs12 -deststoretype JKS
Posted on Jun 2
Written by Wayne Hartman