Using HTTPS to access TeamCity server

This document describes how to configure various TeamCity server clients to use HTTPS for communicating with the server. We assume that you have already configured HTTPS in your web server.
See how to do this for Tomcat here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html. It's also a common approach to setup a middle server like Apache that will handle HTTPS but will use Tomcat to handle the requests.

Authenticating with server certificate (HTTPS with no client certificate)

If your certificate is valid (i.e. it was signed by a well known Certificate Authority like Verisign), then TeamCity clients should work with HTTPS without any additional configuration. All you have to do is to use https:// links to the TeamCity server instead of http://.

If your certificate is not valid:

• To enable HTTPS connections from TeamCity Visual Studio plugin and Tray notifier, point your Internet Explorer to the TeamCity server using https:// URL and import the server certificate into the browser. After that Visual Studio Plugin and Windows Tray Notifier should be able to connect by HTTPS.
• To enable HTTPS connections from Java clients (TeamCity Agents, IntelliJ IDEA, Eclipse), save server certificate to a file, and then import it into the corresponding Java keystore using keytool program. By default, Java keystore is protected by password: changeit
• For Build Agent import certificate, use the following command:
• For IntelliJ Platform Plugin or Eclipse Plugin:

Authenticating with the help of client certificate

Importing client certificate
If you need to use client certificate to access the TeamCity server via https from IntelliJ IDEA, Eclipse or the agents, you will need to add the certificate to Java keystore and supply the keystore to the JVM used by the IDE.

1. If you have your certificate in p12 file, you can use the following command to convert it to a Java keystore. Make sure you use keytool from JDK 1.6 because earlier versions may not understand p12 format.

This commands extracts the certificate with alias "1" from your .p12 file and adds it to Java keystore
You should know <path to your .p12 certificate> and <password of your p12 certificate> and you can provide new values for <path to keystore file> and <keystore password>.

Here, keypass should be equal to storepass because only storepass is supplied to JVM and if keypass is different, one may get error: "java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: com.sun.net.ssl.internal.ssl.DefaultSSLContextImpl)".

Importing root certificate to organaize a chain of trust
If your certificate is not signed by a trusted authority you will also need to add the root certificate from your certificate chain to a trusted keystore and supply this trusted keystore to JVM.

2. You should first extract the root certificate from your certificate. You can do this from a web browser if you have the certificate installed, or you can do this with OpenSSL tool using the command:

You should know <path to your .p12 certificate> and it's password (to enter it when prompted). You should specify new values for <path to your certificate in .pem format> and for the pem pass phrase when prompted.

3. Then you should extract the root certificate (the root certificate should have the same issuer and subject fields) from the pem file (it has text format) to a separate file. The file should look like:

Let's assume it's name is <path to root certificate>.

4. Now import the root certificate to the trusted keystore with the command:

Here you can use new values for <trust keystore path> and <trust keystore password> (or use existing trust keystore).

Starting IDE

Now you need to pass the following parameters to the JVM when running the appllication:

For IntelliJ IDEA you can add the lines into bin\idea.exe.vmoptions file (one option per line).
For the agent, see agent startup properties.