Update or change a certificate after CWP appliance registration
search cancel

Update or change a certificate after CWP appliance registration

book

Article ID: 285312

calendar_today

Updated On:

Products

Carbon Black Cloud Workload

Issue/Introduction

Steps to update or change a certificate after CWP appliance registration

Environment

  • CWP Workload Appliance: All Versions

Resolution

  1. Navigate to a folder where we want to generate keystore and truststore from the ca- signed certificate.
  2. Create keystore from ca signed certificate 
    1. openssl pkcs12 -export -in <Path_to_cert> -inkey <Path_to_key> -name 'cwp-appliance' -out gateway-keystore.p12
      • Do not change the value of argument -name. This value must remain 'cwp-appliance'.
      • <path_to_cert> is the path to CA signed certificate.  <path_to_key> is the path to private key
    2.  Set password in prompt (Enter Export Password). This will be the keystore password
    3. Eg: 
      openssl pkcs12 -export -in /Users/<username>/Downloads/sbu_vmware_com_140668505/sbu_vmware_com.crt -inkey /Users/<username>/Downloads/sbu_vmware_com.key -name 'cwp-appliance' -out gateway-keystore.p12
  3. Create truststore 
    1. keytool -importcert -storetype PKCS12 -keystore gateway-truststore.p12 -storepass <keystore-password> -alias cwp-appliance -file <Path_to_cert> -noprompt
    2. eg: 
      keytool -importcert -storetype PKCS12 -keystore gateway-truststore.p12 -storepass changeit -alias cwp-appliance -file /Users/Downloads/sbu_vmware_com_140668505/sbu_vmware_com.crt -noprompt
  4. From current folder move these certificates to appliance 
    1. scp <keystore-file-name> <truststore-file-name> admin@<APPLIANCE_IP>:/home/admin
    2. Eg : 
      scp gateway-keystore.p12 gateway-truststore.p12 admin@<APPLIANCE_IP>:/home/admin
    3. (Provide admin password on prompt)
  5. SSH to your appliance 
    1. ssh admin@<APPLIANCE_IP>
  6. Navigate to folder /opt/vmware/cwp/appliance-gateway/ssl 
    1. cd /opt/vmware/cwp/appliance-gateway/ssl
  7. Create a backup of existing certificates 
    1. sudo mv gateway-truststore.p12 gateway-truststore.p12.bkp
    2. sudo mv gateway-keystore.p12 gateway-keystore.p12.bkp
  8. Copy new certificates from the /home/admin folder to current folder 
    1. sudo mv /home/admin/gateway-truststore.p12 .
    2. sudo mv /home/admin/gateway-keystore.p12 .
  9. Provide correct ownership to the certificates 
    1. sudo chown root:cwp gateway-keystore.p12
    2. sudo chown root:cwp gateway-truststore.p12
  10. navigate to folder /opt/vmware/cwp/appliance-gateway/config 
    1. cd /opt/vmware/cwp/appliance-gateway/config
  11. Create a backup of application.yml 
    1. sudo cp application.yml application.yml.bkp
  12. Change password details in application.yml 
    1. sudo vi application.yml
    2. Press (Esc+ I) to enable insert and change key-store-password and trust-store-password to the password mentioned while creating keystore and truststore (in above steps)
    3. Save changes (Press Esc + and then type wq) .
    4. run command (cat application.yml) to validate details
    5. Output (application.yml file) should be as given below:
    6. server:
  ssl:
    key-store-password: xxxxxx
    trust-store-password: xxxxx
  13. Restart the gateway service: 
    1. sudo systemctl restart cwp-appliance-gateway.service
    2. Login into the appliance via Console
Powered by Wolken Software