How to update the NetOps Portal HTTPS certificate


Article ID: 37756

Products

CA Infrastructure Management, CA Performance Management - Usage and Administration, DX NetOps

Issue/Introduction

By using the existing keystore/private certificate, we maintain the private key/keystore passwords so these do not need to be changed in the ssl.ini files.

How to update the NetOps Portal HTTPS certificate

How to convert the NetOps Portal HTTPS certificate from a Self-Signed Certificate to a CA-Signed Certificate

HTTP Status 500 - Internal Server Error

The server encountered an unexpected condition that prevented it from fulfilling the request. 

My HTTPS certificate is expiring

Environment

All supported releases of NetOps Performance Management

Resolution

To update the NetOps Portal server certificate

  1. List the alias of the existing keypair in the jetty keystore:

    /opt/CA/jre/bin/keytool -list -keystore <installDirectory>/PerformanceCenter/jetty/etc/keystore -storepass <keystorePassword>


    The keystore password is in the following field (it may be obfuscated if it was previously configured that way):


    jetty.sslContext.keyStorePassword=PASSWORD


    This is in the file:

    /opt/CA/PerformanceCenter/PC/start.d/ssl.ini 

    PASSWORD will be the actual keystore password in your files. The <installDirectory> is /opt/CA by default, but it may be different in your install. For example:

    /opt/CA/jre/bin/keytool -list -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore -storepass changeit

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    capc, Feb 4, 2020, PrivateKeyEntry,
    Certificate fingerprint (SHA1): AB:CD:EF:D0:A1:B2:C3:D4:E5:F6:AB:CD:EF:A1:B2:C3:D4:E5:F6:D0

    In the example above, "capc" would be the alias to use when exporting the certificate signing request (CSR) in step 2.

  2. Generate the CSR from the private certificate in the existing jetty keystore:  
    a. Change to the directory containing the jetty keystore

    cd <installDirectory>/PerformanceCenter/jetty/etc

    b. Generate the CSR:

    /opt/CA/jre/bin/keytool -certreq -keystore keystore -storepass <keystorePassword>  -ext SAN=dns:[FQHN] -alias <aliasFromStep1>  -file <requestfileName>

    The keystore password can be obtained from the following field in the /opt/CA/PerformanceCenter/PC/start.d/ssl.ini file:


    jetty.sslContext.keyManagerPassword=PASSWORD


    PASSWORD will be the actual private key password in your files. For example:

    /opt/CA/jre/bin/keytool -certreq -keystore keystore -storepass changeit -alias capc -keypass changeit -file capc.csr

    In the example above capc.csr would be the CSR file to present to your Certificate Authority (CA) for signing. 

  3. Have your Certificate Authority (CA) provide a signed certificate from this CSR.

  4. If a new Root CA or Intermediate CA is used to sign the certificate, you must import the new Root CA and Intermediate CA files into the Java keystore before importing the new jetty certificate if the certificates do not already exist in the Java keystore:
    a. To list the existing keys in the Java keystore:

    /opt/CA/jre/bin/keytool -list -v -keystore /opt/CA/jre/lib/security/cacerts -storepass <cacertsPassword>

    In the example above, <cacertsPassword> would be the password of the Java keystore. The default password is changeit.

    b. Import the certificate(s) if needed:

    /opt/CA/jre/bin/keytool -importcert -keystore /opt/CA/jre/lib/security/cacerts -storepass <cacertspasswd> -alias <alias> -file <certificateFile>


    NOTE: If you are using a different Root/Intermediate certificate, use different aliases than the original certificates when importing the new Root/Intermediate certificates into the cacerts keystore. This way the original certificates are retained and the old jetty keystore can be put back in place should something not work correctly.

  5. Back up the jetty keystore:
    a. Change to the directory containing the jetty keystore

    cd <installDirectory>/PerformanceCenter/jetty/etc


    b. Back up the keystore

    cp keystore keystore.orig

  6. Import the new certificate:

    /opt/CA/jre/bin/keytool -importcert -trustcacerts -keystore <installDirectory>/PerformanceCenter/jetty/etc/keystore -storepass <storepasswd> -alias <alias_name>  -file <certificateFile>

    NOTE: The alias used when importing MUST match the existing alias as noted in step 1. For example:

    /opt/CA/jre/bin/keytool -importcert -trustcacerts -keystore keystore -storepass changeit -alias capc -keypass changeit -file capc.crt

  7. Restart the CAPC processes:

    /sbin/service caperfcenter_console stop
    /sbin/service caperfcenter_devicemanager stop
    /sbin/service caperfcenter_sso stop

    /sbin/service caperfcenter_sso start
    /sbin/service caperfcenter_devicemanager start
    /sbin/service caperfcenter_console start
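
The step 6 note, that the import alias must match the existing alias, can be checked before the restart in step 7. The following shell example is added here and is not part of the original article or the product: it compares keytool -list output for the step 5 backup (keystore.orig) with the output for the updated keystore. The function names and the sample listings are constructed for illustration.

```shell
# Added example (not vendor code): compare `keytool -list` output for the step 5
# backup (keystore.orig) with the keystore after the step 6 import.

# entry_info LISTING ALIAS: print "<entryType> <fingerprint>" for ALIAS.
entry_info() {
    printf '%s\n' "$1" | awk -v want="$2" '
        { sub(/^[ \t]+/, "") }
        found && /fingerprint/ { sub(/^[^:]*: */, ""); print type, $0; exit }
        {
            found = 0
            n = split($0, f, /, */)
            if (n >= 3 && f[1] == want)
                for (i = 2; i <= n; i++)
                    if (f[i] ~ /Entry$/) { type = f[i]; found = 1 }
        }'
}

# verify_import BEFORE AFTER ALIAS: returns 0 = certificate replaced in place,
# 1 = alias missing or not a key entry, 2 = certificate unchanged.
verify_import() {
    vi_before=$(entry_info "$1" "$3")
    vi_after=$(entry_info "$2" "$3")
    case "$vi_after" in
        "PrivateKeyEntry "*) ;;
        "") echo "FAIL: alias '$3' not found after import"; return 1 ;;
        *)  echo "FAIL: '$3' is a ${vi_after%% *}, not a PrivateKeyEntry"; return 1 ;;
    esac
    if [ "${vi_before#* }" = "${vi_after#* }" ]; then
        echo "FAIL: '$3' fingerprint unchanged; look for a stray trustedCertEntry"
        return 2
    fi
    echo "OK: '$3' is a PrivateKeyEntry with new fingerprint ${vi_after#* }"
}

# Constructed sample listings (entry lines only; fingerprints are made up).
BEFORE='capc, Feb 4, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA'
AFTER_GOOD='capc, Mar 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB'
# Import run with the wrong alias: key entry untouched, new cert stored separately.
AFTER_WRONG_ALIAS='capc, Feb 4, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA
newcert, Mar 1, 2021, trustedCertEntry,
Certificate fingerprint (SHA1): BB:BB:BB:BB'

verify_import "$BEFORE" "$AFTER_GOOD" capc || true
verify_import "$BEFORE" "$AFTER_WRONG_ALIAS" capc || true
```

With real data, set BEFORE and AFTER from the step 1 keytool -list command run against keystore.orig and keystore respectively.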