Problem: You replaced the default SSL certificate with one which is signed by a root CA. Now the certificate has expired and you need to replace it.
Solution:
If you haven't changed the keystore password, it will be "changeit". Otherwise replace it in the commands below.
1.) Change to the bin folder of the Java installation, which contains keytool.exe
cd "C:\Program Files (x86)\Java\jre1.7.0_51\bin"
2.) Now we need to remove the old expired certificate via:
keytool -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -storepass "changeit"
3.) After deleting the old key, you need to generate a new one via:
keytool -genkey -alias httpssl -keyalg RSA -keysize 2048 -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -storepass "changeit"
The tool will then prompt you for some information. The important point here is that the "first and last name" must be the FQDN of the server.
4.) After that you need to generate a certificate signing request (CSR), which will be submitted to the enterprise CA. The export is done via:
keytool -certreq -keyalg RSA -alias httpssl -file C:\00Install\new_BES_certificate_request.csr -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -storepass "changeit"
5.) Now the signing request must be signed by the CA. This could be your own Microsoft Active Directory CA. Download and store the signed certificate as Base 64 on the BES Server.
6.) Import the certificate into the keystore via:
keytool -import -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore" -trustcacerts -file "C:\00Install\new_BES_Certificate(base64).cer" -storepass "changeit"
7.) Restart the BAS Service or reboot the BES Server
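
A check you can run after step 6 and before the restart in step 7, to confirm that the httpssl entry now holds the CA-signed certificate, carries the server FQDN and is not about to expire. This PowerShell script is an added example, not part of the original procedure; the keytool.exe location, the 30-day threshold and the temp file name are assumptions, and the FQDN is taken from a DNS lookup of the local computer name.

```powershell
# Added example. Keystore path, alias and password are the ones used in the steps above.
$keytool   = "C:\Program Files (x86)\Java\jre1.7.0_51\bin\keytool.exe"   # assumption: JRE from step 1
$keystore  = "C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\BAS\bin\web.keystore"
$storepass = "changeit"
$minDays   = 30   # assumption: warn when fewer than 30 days of validity remain

# Export only the public certificate of the httpssl entry; the private key stays in the keystore.
$tmp = Join-Path $env:TEMP "httpssl_check.cer"
$out = & $keytool -exportcert -rfc -alias httpssl -keystore $keystore -storepass $storepass -file $tmp 2>&1
if ($LASTEXITCODE -ne 0) { throw "keytool -exportcert failed: $out" }

# Load the Base64 certificate with .NET and remove the temporary file again.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $tmp
Remove-Item $tmp

# Values to compare against.
$fqdn     = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cn       = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$now      = Get-Date
$daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

$problems = @()
# Step 3: the "first and last name" prompt must have been answered with the server FQDN.
if ($cn -ne $fqdn) { $problems += "CN '$cn' does not match server FQDN '$fqdn'" }
# Step 6: subject equal to issuer means the entry still holds the self-signed
# certificate created by -genkey, so the CA reply was not imported under this alias.
if ($cert.Subject -eq $cert.Issuer) { $problems += "certificate is self-signed; CA reply not imported" }
# The original problem: an expired, not yet valid, or soon to expire certificate.
if ($cert.NotBefore -gt $now) { $problems += "certificate is not valid before $($cert.NotBefore)" }
if ($daysLeft -lt $minDays)   { $problems += "certificate expires $($cert.NotAfter) ($daysLeft days left)" }

# Summary for the change record.
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) until $($cert.NotAfter)"

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
"httpssl entry looks correct; continue with step 7."
```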