We have the CAPC console running on https.
We have a default keystore in
/opt/CA/PerformanceCenter/jetty/etc/keystore
We have been provided with a new cert and keyfile:
Longname.cer
Longname.key
How can we use the new certs with the least disruption?
Release : 20.2.x
Release : 21.2.x
Component : NetOps Portal web server
HTTPS (SSL/TLS) certificates expire, usually once a year.
The DX NetOps documentation has steps to update the certificates using a new CSR generated from the existing keystore.
But often a company's internal CA issues the certificate and key without using that CSR.
CA = Certificate Authority
CSR = Certificate Signing Request
We have the CAPC console running on https.
We have a default keystore in
/opt/CA/PerformanceCenter/jetty/etc/keystore
Customer has new certs
Longname.cer
Longname.key
To see what is in the cert:
openssl x509 -in file.cer -noout -text
To decrypt the key file for import:
openssl rsa -in file1.key -out newkey.key
cat newkey.key
The output should start with a -----BEGIN ... PRIVATE KEY----- line and end with the matching -----END ... PRIVATE KEY----- line.
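Before building a keystore it is worth confirming that the files the CA handed over are what the next steps expect: a PEM certificate, a key that is no longer passphrase-protected, and a certificate that actually belongs to that key. The script below is an added example, not part of the article or a product tool; the file paths are arguments, and the openssl calls are only run where openssl is installed.

```shell
#!/bin/sh
# Added example, not from the article or the product: check the .cer and .key
# the CA delivered before building a keystore from them. File paths are
# arguments; nothing here is a product-specific command.

# First and last non-blank lines of a PEM file.
pem_first() { grep -v '^[[:space:]]*$' "$1" | head -n 1; }
pem_last()  { grep -v '^[[:space:]]*$' "$1" | tail -n 1; }

# pem_kind FILE: prints cert, key, encrypted-key or unknown.
pem_kind() {
    first=$(pem_first "$1")
    last=$(pem_last "$1")
    kind=unknown
    case "$first" in
        "-----BEGIN CERTIFICATE-----")
            if [ "$last" = "-----END CERTIFICATE-----" ]; then kind=cert; fi ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            kind=encrypted-key ;;                  # PKCS#8, passphrase-protected
        "-----BEGIN RSA PRIVATE KEY-----"|"-----BEGIN EC PRIVATE KEY-----")
            # Traditional PEM keys mark encryption with a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                kind=encrypted-key
            else
                case "$last" in "-----END "*" PRIVATE KEY-----") kind=key ;; esac
            fi ;;
        "-----BEGIN PRIVATE KEY-----")
            if [ "$last" = "-----END PRIVATE KEY-----" ]; then kind=key; fi ;;
    esac
    echo "$kind"
}

# count_certs FILE: number of certificates in the file. 1 means the CA sent
# only the leaf; the intermediates then have to be added with -certfile
# when running openssl pkcs12 -export.
count_certs() { grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true; }

# cert_key_match CERT KEY: true when the certificate's public key is the
# public half of KEY (needs openssl; KEY must already be decrypted).
cert_key_match() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# precheck CERT KEY: run every check and say what still needs doing.
precheck() {
    ck=$(pem_kind "$1"); kk=$(pem_kind "$2")
    if [ "$ck" != cert ]; then echo "$1 is not a PEM certificate ($ck)" >&2; return 1; fi
    case "$kk" in
        key) ;;
        encrypted-key) echo "$2 is passphrase-protected: decrypt it first with openssl rsa -in $2 -out newkey.key" >&2; return 1 ;;
        *) echo "$2 is not a PEM private key ($kk)" >&2; return 1 ;;
    esac
    if [ "$(count_certs "$1")" -eq 1 ]; then
        echo "note: $1 holds only the leaf certificate; pass the intermediates with -certfile when exporting" >&2
    fi
    if command -v openssl >/dev/null 2>&1 && ! cert_key_match "$1" "$2"; then
        echo "$1 and $2 do not belong together" >&2; return 1
    fi
    echo "ok: $1 and $2 are ready for openssl pkcs12 -export"
}

# Usage: sh precheck.sh Longname.cer newkey.key
if [ "$#" -eq 2 ]; then precheck "$@"; fi
```

A .cer file is sometimes DER rather than PEM; pem_kind then reports unknown, and `openssl x509 -inform der -in file.cer -out file.pem` converts it before the rest of the procedure. The cert/key comparison is the check that catches the most common failure here, a certificate issued against a different key than the one delivered with it, which otherwise only surfaces as a TLS handshake error after the services are restarted.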
How can we use the new certs with the least disruption?
First backup the keystore
cp keystore keystore.date
List the contents of the keystore; this also confirms that you know the keystore password.
Identify the keytool you want to use:
[root@host etc]# which keytool
/usr/bin/keytool
This is the system keytool, not the one bundled with the product JRE, so locate the right one:
[root@host etc]# locate keytool
/etc/alternatives/keytool
/etc/alternatives/keytool.1.gz
/opt/CA/jre/bin/keytool
Use the right keytool:
/opt/CA/jre/bin/keytool -list -v -keystore keystore -storepass changeit
If you omit -storepass, keytool prompts for the password, which keeps it out of the shell history.
Take the .cer and the decrypted .key and make a keystore.
Move the .cer and the .key files to a new folder (in this case we used /opt/CA/certs).
Now create a new keystore in /opt/CA/certs, and use the SAME password as the old keystore:
openssl pkcs12 -export -in file.cer -inkey newkey.key -out keystore -name capc
-name = the alias in the old keystore, but can be anything
This will prompt for a password, and that becomes the storepass for this keystore.
In this case we used the same password as the keystore we are replacing.
Now we can list the contents of the new keystore (using the same JRE keytool as before):
/opt/CA/jre/bin/keytool -list -v -keystore keystore
Stop services, replace the keystore in /opt/CA/PerformanceCenter/jetty/etc
systemctl stop caperf* (stops all services)
systemctl status caperf*
we already backed-up the keystore above
cp /opt/CA/certs/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore
answer yes to the overwrite prompt
now start the services:
systemctl start caperfcenter_sso caperfcenter_eventmanager caperfcenter_devicemanager; sleep 20; systemctl start caperfcenter_console
systemctl status caperf*
Open the console in a browser and verify that the new certificate is being served (check its issuer and expiration date).
If the DA data source is using https:
You can do the exact same steps for the keystore on the DA.
On the DA the keystore is located at:
/opt/IMDataAggregator/apache-karaf/etc/keystore
Same steps as above:
Stop the dadaemon
Back up the old keystore
Replace it with the new keystore
Start the dadaemon
Open a browser and hit the DA REST interface:
And we see the new cert.
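The CAPC procedure above and the DA variant are the same four moves: stop, back up, swap, start, followed by a look at what the server now presents. The script below is an added example (not the article's or the product's own script) that does those moves with a dated backup that never overwrites an earlier one, a check that the new keystore opens with the store password the service already uses, the documented start order, and a fingerprint comparison between the file certificate and the certificate the restarted console actually serves. KEYTOOL and STOREPASS, the dadaemon unit name, and the host/port used for the s_client check are assumptions; the keystore paths and service names are the ones the article gives.

```shell
#!/bin/sh
# Added example (not the article's or the product's own script): swap in a new
# keystore with a dated backup, a store-password check, the documented restart
# order, and a check that the running console serves the new certificate.
# KEYTOOL, STOREPASS, the dadaemon unit name and the s_client check are assumptions.
KEYTOOL=${KEYTOOL:-/opt/CA/jre/bin/keytool}   # the JRE keytool the article selects
STOREPASS=${STOREPASS:-}                       # export STOREPASS to enable the password check
CAPC_KS=/opt/CA/PerformanceCenter/jetty/etc/keystore
DA_KS=/opt/IMDataAggregator/apache-karaf/etc/keystore

# backup_keystore FILE: copy FILE to FILE.<timestamp>, never clobbering an
# earlier backup, and print the backup path.
backup_keystore() {
    ks=$1
    if [ ! -f "$ks" ]; then echo "no keystore at $ks" >&2; return 1; fi
    stamp=$(date +%Y%m%d-%H%M%S)
    b="$ks.$stamp"; i=0
    while [ -e "$b" ]; do i=$((i + 1)); b="$ks.$stamp.$i"; done
    cp -p "$ks" "$b" || return 1
    echo "$b"
}

# install_keystore NEW LIVE: refuse empty files and keystores that do not open
# with the existing store password, back up LIVE, then copy NEW over it.
install_keystore() {
    new=$1; live=$2
    if [ ! -s "$new" ]; then echo "new keystore $new is missing or empty" >&2; return 1; fi
    if [ -n "$STOREPASS" ] && [ -x "$KEYTOOL" ]; then
        if ! "$KEYTOOL" -list -keystore "$new" -storepass "$STOREPASS" >/dev/null 2>&1; then
            echo "$new does not open with the current store password" >&2; return 1
        fi
    fi
    backup_keystore "$live" >/dev/null || return 1
    # cp onto the existing file keeps the owner and mode the service expects.
    cp -f "$new" "$live"
}

# Service control as in the article; the glob is quoted so the shell does not
# expand it against files in the current directory.
stop_capc()  { systemctl stop 'caperf*'; }
start_capc() {
    systemctl start caperfcenter_sso caperfcenter_eventmanager caperfcenter_devicemanager
    sleep 20
    systemctl start caperfcenter_console
}

# SHA-256 fingerprint of the certificate a TLS endpoint presents, and of a file.
served_fingerprint() {   # HOST PORT
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'; }
# verify_served_cert HOST PORT CERTFILE: true when the server presents CERTFILE.
verify_served_cert() { [ "$(served_fingerprint "$1" "$2")" = "$(file_fingerprint "$3")" ]; }

# replace_capc_keystore NEW CERTFILE HOST PORT: the whole CAPC procedure.
replace_capc_keystore() {
    stop_capc
    # install_keystore only touches the live file as its last step, so on
    # failure the old keystore is still in place and services can come back up.
    install_keystore "$1" "$CAPC_KS" || { start_capc; return 1; }
    start_capc
    verify_served_cert "$3" "$4" "$2"
}
# replace_da_keystore NEW: same steps on the Data Aggregator (unit name assumed).
replace_da_keystore() {
    systemctl stop dadaemon
    install_keystore "$1" "$DA_KS" || { systemctl start dadaemon; return 1; }
    systemctl start dadaemon
}

# Usage: sh replace_keystore.sh /opt/CA/certs/keystore Longname.cer <console-host> <https-port>
if [ "$#" -eq 4 ]; then replace_capc_keystore "$@"; fi
```

The interactive "overwrite? yes" prompt in the article comes from root's cp alias; inside a script aliases do not apply, so cp -f is used explicitly. The fingerprint comparison is the check that a browser's padlock does not give you reliably: it proves the service reloaded the keystore you installed rather than a cached or stale one, and it works the same for the DA REST port.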
Command summary:
1. To see what is in the cert:
openssl x509 -in file.cer -noout -text
2. To decrypt the key file for import:
openssl rsa -in file1.key -out newkey.key
cat newkey.key
The output should start with a -----BEGIN ... PRIVATE KEY----- line and end with the matching -----END ... PRIVATE KEY----- line.
3. Back up the old keystore:
cp keystore keystore.date
4. Get the alias (name) from the old keystore:
/opt/CA/jre/bin/keytool -list -v -keystore keystore -storepass changeit
5. Now create a new keystore in a different folder, and use the SAME password as the old keystore:
openssl pkcs12 -export -in file.cer -inkey newkey.key -out keystore -name capc
-name = the alias in the old keystore, but can be anything
6. Now we can list the contents of the new keystore:
/opt/CA/jre/bin/keytool -list -v -keystore keystore
7. Stop services, replace the keystore in jetty/etc:
systemctl stop caperf* (stops all services)
systemctl status caperf*
we already backed up the keystore above
cp /opt/CA/certs/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore
answer yes to the overwrite prompt
8. Now start the services:
systemctl start caperfcenter_sso caperfcenter_eventmanager caperfcenter_devicemanager; sleep 20; systemctl start caperfcenter_console
systemctl status caperf*
9. Do the exact same steps on the DA.
On the DA the keystore is located at:
/opt/IMDataAggregator/apache-karaf/etc/keystore
If you prefer, you can use keytool instead of openssl to inspect the certificate file:
openssl x509 -in file.cer -noout -text
VS
keytool -printcert -file <filename.pem>
Either command confirms the file is an X.509 certificate in PEM or DER format and shows the new Issuer/Owner and expiration date. keytool -printcert reads certificates only; decrypting the key file still needs openssl rsa as in step 2.