
renew CAPC console https certs


Article ID: 237808


Products

DX NetOps

Issue/Introduction

We have the CAPC console running on https.

We have a default keystore in

/opt/CA/PerformanceCenter/jetty/etc/keystore

 

We have been provided with a new cert and keyfile:

Longname.cer

Longname.key

 

How can we use the new certs with the least disruption?

 

Cause

https (SSL) certs expire, usually once a year.

The DX Netops docset has steps to update the certs using a new CSR based on the existing keystore.

But often the internal CA at a company sends the certs without using that CSR.

 

CA = Certificate Authority

CSR = Certificate Signing Request

Environment

Release : 20.2.x

Release : 21.2.x

Component : NetOps Portal web server

Resolution

We have the CAPC console running on https.

We have a default keystore in

/opt/CA/PerformanceCenter/jetty/etc/keystore

 

Customer has new certs

Longname.cer

Longname.key

To see what is in the cert:

     openssl x509 -in file.cer -noout -text

..

To decrypt the key file for import:

     openssl rsa -in file1.key -out newkey.key

     cat newkey.key

The output should start and end with the key BEGIN/END lines.

..

How can we use the new certs with the least disruption?

First backup the keystore

     cp keystore keystore.date

List the contents of the keystore and this will also show that you know the password:

Identify the keytool you want to use:

[root@<hostname> etc]# which keytool

/usr/bin/keytool

This is not the one we want, so find the one we want:

[root@<hostname> etc]# locate keytool

/etc/alternatives/keytool

/etc/alternatives/keytool.1.gz

/opt/CA/jre/bin/keytool

...

Use the right keytool:

     /opt/CA/jre/bin/keytool -list -v -keystore keystore -storepass changeit

If you omit -storepass, keytool prompts for the password, which avoids saving it in the shell history.

..

Take the .cer and .key and make a keystore

Move the .cer and the .key files to a new folder (in this case we used /opt/CA/certs for the new folder).

Now create a new keystore in /opt/CA/certs, and use the SAME password as the old keystore:

    openssl pkcs12 -export -in file.cer -inkey newkey.key -out keystore -name capc

-name = the alias in the old keystore, but can be anything

This will prompt for a password, and that becomes the storepass for this keystore.

In this case we used the same password as the keystore we are replacing.

 

Now we can list the contents of the new keystore

   keytool -list -v -keystore keystore

..

Stop services, replace the keystore in /opt/CA/PerformanceCenter/jetty/etc

     systemctl stop caperf* (stops all services)

     systemctl status caperf*

we already backed-up the keystore above

     cp /opt/CA/certs/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore

prompt to overwrite, yes

now start the services:

     systemctl start caperfcenter_sso caperfcenter_eventmanager caperfcenter_devicemanager; sleep 20; systemctl start caperfcenter_console

     systemctl status caperf*

open the console in a browser and verify that the new cert is in play

..


If the DA datasource is using https:

You can do the exact same steps for the keystore on the DA:

 

On the DA the keystore is located at:

/opt/IMDataAggregator/apache-karaf/etc/keystore

 

Same steps as above

Stop the dadaemon

Backup old keystore

Replace with new keystore

Start the dadaemon

 

Open a browser and hit the REST endpoint:

https://da:8582/rest

And we see the new cert

Command summary:

 

  1. To see what is in the cert:

     openssl x509 -in file.cer -noout -text

  2. To decrypt the key file for import:

     openssl rsa -in file1.key -out newkey.key

     cat newkey.key

     The output should start and end with the key BEGIN/END lines.

  3. Backup the keystore:

     cp keystore keystore.date

  4. Get the alias (name) from the old keystore:

     /opt/CA/jre/bin/keytool -list -v -keystore keystore -storepass changeit

  5. Now create a new keystore (in a different folder), and use the SAME password as the old keystore:

     openssl pkcs12 -export -in file.cer -inkey newkey.key -out keystore -name capc

     -name = the alias in the old keystore, but can be anything

  6. Now we can list the contents of the new keystore:

     keytool -list -v -keystore keystore

  7. Stop services, replace the keystore in jetty/etc:

     systemctl stop caperf* (stops all services)

     systemctl status caperf*

     We already backed up the keystore above.

     cp /opt/CA/certs/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore

     Prompt to overwrite: yes.

  8. Now start the services:

     systemctl start caperfcenter_sso caperfcenter_eventmanager caperfcenter_devicemanager; sleep 20; systemctl start caperfcenter_console

     systemctl status caperf*

  9. Do the exact same steps on the DA. On the DA the keystore is located at:

     /opt/IMDataAggregator/apache-karaf/etc/keystore
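The Resolution walkthrough and the command summary above are the same eight steps; the script below is an added example (not part of this article or the DX NetOps product) that strings them together with the checks a practitioner would want: that the decrypted key really has BEGIN/END markers, that the alias is read from the old keystore rather than typed in, and that the password never lands on a command line or in shell history. The paths, the alias "capc", the JRE keytool path and the service names are the article's; the helper names, the password prompt, openssl's -passout env:, keytool's -storepass:env, the umask and the cleanup of the decrypted key are this example's own assumptions. The DA keystore (step 9) is the same procedure with the dadaemon and the apache-karaf/etc path swapped in.

```shell
#!/bin/sh
# Added example (not from the KB article): the article's steps 1-8 as checked
# shell functions. Paths, alias "capc", keytool path and service names are the
# article's; password handling, -passout env:/-storepass:env, umask and the
# helper names are this example's own assumptions.
set -eu
umask 077                                   # decrypted key and new keystore are created 0600

JETTY_ETC=/opt/CA/PerformanceCenter/jetty/etc
KEYTOOL=/opt/CA/jre/bin/keytool             # the bundled JRE keytool, not /usr/bin/keytool
CERT_DIR=/opt/CA/certs

# Check that a PEM file begins and ends with markers for the expected object,
# e.g. pem_has_block newkey.key "PRIVATE KEY" (also matches "RSA PRIVATE KEY").
pem_has_block() {
  file=$1; kind=$2
  first=$(grep '^-----' "$file" | head -n 1)
  last=$(grep '^-----' "$file" | tail -n 1)
  case $first in "-----BEGIN "*"$kind-----") ;; *) return 1 ;; esac
  case $last  in "-----END "*"$kind-----")   ;; *) return 1 ;; esac
}

# Backup file name in the article's keystore.date style, e.g. keystore.20240131
backup_name() { printf '%s.%s' "$1" "$(date +%Y%m%d)"; }

# Pull the alias out of `keytool -list -v` output (the "Alias name: capc" line)
alias_from_list() { sed -n 's/^Alias name: //p' | head -n 1; }

# Steps 1-8 of the article for the CAPC console keystore.
# Usage: sh renew_capc_cert.sh --run Longname.cer Longname.key
renew_keystore() {
  cer=$1; key=$2
  mkdir -p "$CERT_DIR"

  # 1. show who issued the new cert and when it expires
  openssl x509 -in "$cer" -noout -text | grep -E 'Issuer:|Not After|Subject:'

  # 2. decrypt the key (openssl prompts for its passphrase) and check the markers
  openssl rsa -in "$key" -out "$CERT_DIR/newkey.key"
  pem_has_block "$CERT_DIR/newkey.key" "PRIVATE KEY" || {
    echo "decrypted key lacks BEGIN/END PRIVATE KEY lines" >&2; return 1; }

  # 3. back up the live keystore before touching it
  cp "$JETTY_ETC/keystore" "$(backup_name "$JETTY_ETC/keystore")"

  # Read the store password once, without echo and without putting it on a
  # command line, then hand it to openssl/keytool through the environment.
  printf 'Keystore password (reuse the old keystore password): '
  stty -echo; read -r STOREPASS; stty echo; echo
  export STOREPASS

  # 4. alias from the old keystore; fall back to the article's "capc"
  store_alias=$("$KEYTOOL" -list -v -keystore "$JETTY_ETC/keystore" -storepass:env STOREPASS | alias_from_list)
  store_alias=${store_alias:-capc}

  # 5. build the new PKCS12 keystore (openssl -in, not -n) with the same password
  openssl pkcs12 -export -in "$cer" -inkey "$CERT_DIR/newkey.key" \
    -out "$CERT_DIR/keystore" -name "$store_alias" -passout env:STOREPASS

  # 6. list the new keystore: alias and validity period should be the new cert's
  "$KEYTOOL" -list -v -keystore "$CERT_DIR/keystore" -storepass:env STOREPASS | grep -E 'Alias name|Valid from'

  # 7. stop everything, then replace the keystore (cp onto the existing file keeps its mode and owner)
  systemctl stop 'caperf*'
  cp -f "$CERT_DIR/keystore" "$JETTY_ETC/keystore"

  # 8. start in the article's order, console last
  systemctl start caperfcenter_sso caperfcenter_eventmanager caperfcenter_devicemanager
  sleep 20
  systemctl start caperfcenter_console
  systemctl status 'caperf*' --no-pager

  unset STOREPASS
  rm -f "$CERT_DIR/newkey.key"              # do not leave the decrypted key on disk
}

if [ "${1:-}" = --run ]; then
  renew_keystore "$2" "$3"
fi
```

Run it as root on the CAPC host with `sh renew_capc_cert.sh --run Longname.cer Longname.key`; openssl will ask for the key's passphrase in step 2 and the script asks once for the store password, which is then reused for reading the old keystore and writing the new one. The backup copy and the new keystore are left in place so the swap can be reversed by copying keystore.date back and restarting the services in the same order.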

Additional Information

If you prefer, you can use keytool instead of openssl to decrypt the key:

     openssl rsa -in file1.key -out newkey.key

VS

     keytool -printcert -file <filename.pem>

This would confirm the file is in X.509 PEM or DER format, and show us the new Issuer/Owner and expiration date.

 
