renew the signer certificate for jenkins

[smerle33]

Service(s)

Release certificates

Summary

Has seen in the weekly build last week : "The signer certificate will expire on 2023-03-30." (code signing certificate)
we need to make sure to renew this.

https://release.ci.jenkins.io/job/core/job/release/job/master/190/consoleFull

Reproduction steps

No response

[dduportal]

@MarkEWaite and I are going to pair on this one. We might need @olblak 's knowledge.

[olblak]

@MarkEWaite and I are going to pair on this one. We might need @olblak 's knowledge.

Feel free to ping

[lemeurherve]

Related: #3361

[dduportal]

We were able to successfully update the code signing certificate during a mob-programming sessions.
Both weekly 2.399 and LTS 2.387.2 were released fully signed.

A summary of the actions taken by the team:

• Received the certificate from Digicert in p7b format.
• As per the (incomplete but Document the code signing certificate renewal process #3361 take care of this) https://github.com/jenkins-infra/release#certificate, we converted the certificate the pfx binary format to allow insertion in the Azure Vault.

# Based from https://knowledge.digicert.com/solution/SO26449.html and https://github.com/jenkins-infra/release/blob/7a03f98eff839d4fed75ea96cf7bebbc963e3a91/README.adoc#certificate

# P7B to PFX: 1/2
openssl pkcs7 -print_certs -in jenkins-release.p7b -out jenkins-release.crt
## Asks for the Export password, transmitted by Digicert from another channel
## Asks for the private key passphrase, generated for the CSR sent to Digicert

# Check certificate attributes
openssl x509 -in jenkins-release.crt -text -noout

# Generate intermediate CA (does not seem required)
openssl pkcs7 -in jenkins-release.p7b -text -print_certs -out intermediateCert.crt

# P7B to PFX: 2/2
openssl pkcs12 -export -in jenkins-release.crt -inkey jenkins-release.key -out jenkins-release.pfx
## Asks for an Export password: do not set any (type enter only)
Enter Export Password: # Empty!!
Verifying - Enter Export Password: # Empty!!

# Check PFX file
openssl pkcs12 -info -in jenkins-release.pfx

# Import the pfx file in Azure Vault with NO password specified

• Unsealed the vault prodjenkinsreleasecore by allowing IP + setting permissions.
• Created a new certificate named prodreleasecore-2023 next to the (expired) prodreleasecore. Same idea as with GPG key expires on March the 30th #3457 : it is easier to switch process without any confusion
  • Certificate does not have a password (empty) when importing in the Azure UI or az CLI. Opened Add a password to the Digicert signing certificate release#362 for this (improvement).
• The setup of release.ci.jenkins.io was updated with the new to hold the new (randomly generated) certificate password
• For weekly release, the following PR changed to the new digicert: feat: ensure that new 2023 digicert is used + GPG 2023 passphrase release#358 and allowed a successfull release (both WAR/jar signing and MSI signing)
• For LTS release: Update stable-2.387 code signing configuration release#359

[dduportal]

• Added 2 events with reminders in the jenkins-infra-team Google calendar
  • The day of expiration with reminder 4, 3 and 1 weeks before (limit of max 4 weeks before)
  • The 20 of January 2026, 4 months before the expiration, middle of the week
• Both releases went well
• Opened Add a password to the Digicert signing certificate release#362 for the password
• Post-mortem will happen in the Jenkins Board session the 10 of April: I'll let @MarkEWaite or myself commenting here any additional elements
• Document the code signing certificate renewal process #3361 for the documentation update