Using SSL certificates with Veracode integrations

SSL certificates allow secure connections from a web server to a browser, domain name, server name, or hostname. Many Veracode integrations use Java, which maintains its own TrustStore. The Java TrustStore may not have the SSL root certificate.

If a Veracode integration is running on a machine that is behind an SSL inspection device, you must import the custom root certificate that the device issues to connect to Veracode. You can obtain a copy of the certificate from your IT staff or use your browser to obtain the certificate manually.

To import a custom root certificate, complete the following tasks:

1. Use your browser to obtain the certificate:
   • Chrome
   • Internet Explorer
   • Firefox
2. Identify the relevant TrustStore
3. Import the certificate into the Java certificate trust

Prerequisites

• You must have a Veracode account.
• If you are using an SSL inspection device, add the Veracode URLs, such as analysiscenter.veracode.com or api.veracode.com, to your allowlist.

Obtain an SSL certificate

To obtain an SSL certificate, complete the steps for one of the following browsers. These procedures use an example GoDaddy certificate, but you might see different certificates depending on your environment. If you have obtained the certificate from your IT team, you can proceed to import the certificate.

Obtain a certificate using Chrome

You can use Google Chrome to obtain an SSL certificate for accessing Veracode.

To complete this task:

1. Sign in to the Veracode Platform.
2. In the browser address bar, select the lock icon.
3. Select Connection is secure > Certificate is valid.
4. In the Certificate Viewer window, select Details.
5. Under Certificate Hierarchy, select the certificate at the top of the list.
6. Select Export.
7. Browse to the location where you want to save the certificate.
8. From the Save as type dropdown, select Base 64-encoded ASCII, certificate chain.
9. Select Save.

Obtain a certificate using Internet Explorer

You can use Microsoft Internet Explorer to obtain an SSL certificate for accessing Veracode.

To complete this task:

1. Open an Internet Explorer browser window as an administrator.
2. Sign in to the Veracode Platform.
3. In the browser address bar, select the lock icon, then select View certificates.
4. In the Certificate Information window, select Certification Path.
5. Select the certificate at the top of the list.
6. Select View Certificate to open the root certificate in its own window.
7. Select Details in the Certificate window. Then, select Copy to File.
8. In the Certificate Export Wizard, select Next. Then, select DER encoded binary X.509 (.CER).
9. Select Next, then enter a name for the root certificate.
10. Select Next. The Certificate Export Wizard shows the result of the certificate exported to your hard drive.
11. Select Finish.

Obtain a certificate using Firefox

You can use Mozilla Firefox to obtain an SSL certificate for accessing Veracode.

To complete this task:

1. Sign in to the Veracode Platform.
2. In the browser address bar, select the lock icon.
3. In the site information window, select the arrow in the Connection section.
4. In the Site Security window, select More Information.
5. Select View Certificate.
6. In the Certificate window, select Details.
7. Select a certificate from the list. Then, select PEM (cert) to download the certificate file.
8. Save the certificate file locally.

Identify a relevant TrustStore for SSL certificates

After creating an SSL certificate you want to use with Veracode integrations, verify which Java Runtime Environment to use with the TrustStore.

Java includes the file \lib\security\cacerts, which is the TrustStore for that Java Runtime Environment (JRE). However, you can install multiple JREs on a single machine, and some products install and use a default Java Development Kit (JDK) and JRE. You must determine which JRE to use.

Product	Default TrustStore	User-customized JRE location
C# API wrapper	Run certmgr.msc. Navigate to Trusted Root Certificate Authorities > Certificates.	Not applicable.
Eclipse/RAD	%JAVA_HOME%\lib\security\cacerts	In Eclipse, select Window > Preferences > Java > Installed JREs
IntelliJ	C:\Program Files\JetBrains\IntelliJ IDEA Community Edition {_version_}\jre{_32/64_}\lib\security\cacerts	Open Find Action. Find "Switch Boot JDK". Identify the JDK in use.
Java API wrapper	[%JAVA_HOME%\lib\security\cacerts]	Not applicable.
Jenkins	Jenkins Server: C:\{Jenkins_install_dir}\jre\lib\security\cacerts	Go to http://Jenkins_url/systeminfo Identify the value next to java.home.
TeamCity	C:\{TeamCity_install_dir}\jre\lib\security\cacerts	Open build_agent_directory\buildAgent.properties in a text editor. Search for the env.JAVA_HOME property. If you see env.JAVA_HOME, it is in the specified directory of the property. Otherwise, it is the default.
Visual Studio	Run certmgr.msc. Go to Trusted Root Certificate Authorities > Certificates.	Not applicable.

Import an SSL certificate

You can import an SSL certificate into the Java certificate TrustStore to enable SSL.

Before you begin:

You must obtain an SSL certificate from your IT team or [using your browser(#obtain-an-ssl-certificate)

To complete this task:

1. Open a command-line window as an administrator.

2. Navigate to the %JAVA_HOME% directory that your Veracode plugin is using.

3. To import the certificate, run:

   keytool -importcert -file C:\temp\example.cer -keystore lib\security\cacerts -alias sslinspection 
    Enter keystore password:                 

4. Enter the keystore password. The default is changeit. A confirmation message opens informing you the certificate is now in the keystore.

5. Enter y to trust the certificate. To complete the import, you might need to restart the IDE or CI/CD where the plugin is running.

6. Optionally, to confirm that the import succeeded, run the following command from the %JAVA_HOME% directory to export the contents of the cacerts file to a text file.

   keytool.exe -list -v -keystore lib\security\cacerts > C:\temp\cacerts.txt