Update or change a certificate after CWP appliance registration
search cancel

Update or change a certificate after CWP appliance registration


Article ID: 285312


Updated On:


Carbon Black Cloud Workload


Steps to update or change a certificate after CWP appliance registration


  • CWP Workload Appliance: All Versions


  1. Navigate to a folder where we want to generate keystore and truststore from the ca- signed certificate.
  2. Create keystore from ca signed certificate
    1. openssl pkcs12 -export -in <Path_to_cert> -inkey <Path_to_key> -name 'cwp-appliance' -out gateway-keystore.p12
      • Do not change the value of argument -name. This value must remain 'cwp-appliance'.
      • <path_to_cert> is the path to CA signed certificate.  <path_to_key> is the path to private key
    2.  Set password in prompt (Enter Export Password). This will be the keystore password
    3. Eg:
      openssl pkcs12 -export -in /Users/<username>/Downloads/sbu_vmware_com_140668505/sbu_vmware_com.crt -inkey /Users/<username>/Downloads/sbu_vmware_com.key -name 'cwp-appliance' -out gateway-keystore.p12
  3. Create truststore
    1. keytool -importcert -storetype PKCS12 -keystore gateway-truststore.p12 -storepass <keystore-password> -alias cwp-appliance -file <Path_to_cert> -noprompt
    2. eg:
      keytool -importcert -storetype PKCS12 -keystore gateway-truststore.p12 -storepass changeit -alias cwp-appliance -file /Users/Downloads/sbu_vmware_com_140668505/sbu_vmware_com.crt -noprompt
  4. From current folder move these certificates to appliance
    1. scp <keystore-file-name> <truststore-file-name> admin@<APPLIANCE_IP>:/home/admin
    2. Eg :
      scp gateway-keystore.p12 gateway-truststore.p12 admin@<APPLIANCE_IP>:/home/admin
    3. (Provide admin password on prompt)
  5. SSH to your appliance
    1. ssh admin@<APPLIANCE_IP>
  6. Navigate to folder /opt/vmware/cwp/appliance-gateway/ssl
    1. cd /opt/vmware/cwp/appliance-gateway/ssl
  7. Create a backup of existing certificates
    1. sudo mv gateway-truststore.p12 gateway-truststore.p12.bkp
    2. sudo mv gateway-keystore.p12 gateway-keystore.p12.bkp
  8. Copy new certificates from the /home/admin folder to current folder
    1. sudo mv /home/admin/gateway-truststore.p12 .
    2. sudo mv /home/admin/gateway-keystore.p12 .
  9. Provide correct ownership to the certificates
    1. sudo chown root:cwp gateway-keystore.p12
    2. sudo chown root:cwp gateway-truststore.p12
  10. navigate to folder /opt/vmware/cwp/appliance-gateway/config
    1. cd /opt/vmware/cwp/appliance-gateway/config
  11. Create a backup of application.yml
    1. sudo cp application.yml application.yml.bkp
  12. Change password details in application.yml
    1. sudo vi application.yml
    2. Press (Esc+ I) to enable insert and change key-store-password and trust-store-password to the password mentioned while creating keystore and truststore (in above steps)
    3. Save changes (Press Esc + and then type wq) .
    4. run command (cat application.yml) to validate details
    5. Output (application.yml file) should be as given below:
    6. server:
          key-store-password: xxxxxx
          trust-store-password: xxxxx
  13. Restart the gateway service:
    1. sudo systemctl restart cwp-appliance-gateway.service
    2. Login into the appliance via Console