TeamCity 9.0 Help

Using HTTPS to access TeamCity server

This document describes how to configure various TeamCity server clients to use HTTPS for communicating with the server. The JVM configuration instructions can also be used to configure TeamCity server JVM to connect to other HTTPS/SSL services.

We assume that you have already configured HTTPS in your TeamCity web server. The most common approach for this is to setup a middle proxying server like Nginx or Apache that will handle HTTPS but will use Tomcat to handle the requests. In the setup please make sure that the middle server/proxy has correct URL rewriting configuration, see also Set Up TeamCity behind a Proxy Server section. For small servers you can also setup HTTPS by the internal Tomcat means. See also a feature request: TW-12976.

Authenticating with server certificate (HTTPS with no client certificate)

If your certificate is valid (i.e. it was signed by a well known Certificate Authority like Verisign), then TeamCity clients should work with HTTPS without any additional configuration. All you have to do is to use https:// links to the TeamCity server instead of http://.

If your certificate is not valid: (so it is self-signed, not signed by a CA)

  • To enable HTTPS connections from TeamCity Visual Studio Addin and Windows Tray Notifier, point your Internet Explorer to the TeamCity server using https:// URL and import the server certificate into the browser. After that, Visual Studio Addin and Windows Tray Notifier should be able to connect by HTTPS.

  • To enable HTTPS connections from Java clients (TeamCity Agents, IntelliJ IDEA, Eclipse), see the section below for configuring the JVM installation used by the connecting application.

Configuring JVM

Configuring JVM for authentication with server certificate

If your certificate is valid (i.e. it was signed by a well known Certificate Authority like Verisign), then the Java clients should work with HTTPS without any additional configuration.

If your certificate is not valid:To enable HTTPS connections from Java clients:

  • save the CA Root certificate of the server's certificate to a file in one of the supported formats. This can be done in a browser by inspecting certificate data and exporting it as Base64 encoded X.509 certificate.

  • locate the JRE used by the client

    • If there is a JDK installed (like for IntelliJ IDEA), <path to JRE installation> should be <path to used JDK>/jre

    • For TeamCity agent installed under Windows, use "<agent installation path>/jre" as "<path to JRE installation>".

  • import the server certificate into the JRE installation keystore using keytool program:

    keytool -importcert -file <cert file> -keystore <path to JRE installation>/lib/security/cacerts

    By default, Java keystore is protected by password: "changeit"

Configuring JVM for authentication with client certificate

Importing client certificateIf you need to use client certificate to access a server via https (e.g. from IntelliJ IDEA, Eclipse or the build agents), you will need to add the certificate to Java keystore and supply the keystore to the JVM used by the connecting process.

1. If you have your certificate in p12 file, you can use the following command to convert it to a Java keystore. Make sure you use keytool from JDK 1.6+ because earlier versions may not understand p12 format.

keytool -importkeystore -srckeystore <path to your .p12 certificate> -srcstoretype PKCS12 -srcstorepass <password of your p12 certificate> -destkeystore <path to keystore file> -deststorepass <keystore password> -destkeypass <keystore password> -srcalias 1

This commands extracts the certificate with alias "1" from your .p12 file and adds it to Java keystore You should know <path to your .p12 certificate> and <password of your p12 certificate> and you can provide new values for <path to keystore file> and <keystore password>.

Here, keypass should be equal to storepass because only storepass is supplied to JVM and if keypass is different, one may get error: "java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)".

Importing root certificate to organize a chain of trustIf your certificate is not signed by a trusted authority you will also need to add the root certificate from your certificate chain to a trusted keystore and supply this trusted keystore to JVM.

2. You should first extract the root certificate from your certificate. You can do this from a web browser if you have the certificate installed, or you can do this with OpenSSL tool using the command:

openssl.exe pkcs12 -in <path to your .p12 certificate> -out <path to your certificate in .pem format>

You should know <path to your .p12 certificate> and it's password (to enter it when prompted). You should specify new values for <path to your certificate in .pem format> and for the pem pass phrase when prompted.

3. Then you should extract the root certificate (the root certificate should have the same issuer and subject fields) from the pem file (it has text format) to a separate file. The file should look like:

-----BEGIN CERTIFICATE----- MIIGUjCCBDqgAwIBAgIEAKmKxzANBgkqhkiG9w0BAQQFADBwMRUwEwYDVQQDEwxK ... -----END CERTIFICATE-----

Let's assume it's name is <path to root certificate>.

4. Now import the root certificate to the trusted keystore with the command:

keytool -importcert -trustcacerts -file <path to root certificate> -keystore <path to trust keystore file> -storepass <trust keystore password>

Here you can use new values for <trust keystore path> and <trust keystore password> (or use existing trust keystore).

Starting the connecting application JVM

Now you need to pass the following parameters to the JVM when running the application:

-Djavax.net.ssl.keyStore=<path to keystore file> -Djavax.net.ssl.keyStorePassword=<keystore password> -Djavax.net.ssl.trustStore=<path to trust keystore file> -Djavax.net.ssl.trustStorePassword=<trust keystore password>

For IntelliJ IDEA you can add the lines into bin\idea.exe.vmoptions file (one option per line). For the TeamCity build agent, see agent startup properties.

Last modified: 20 April 2023