How to update the Performance Center SSL/TLS certificate


Article ID: 37756


Updated On:


CA Infrastructure Management CA Performance Management - Usage and Administration DX NetOps


By using the existing keystore/private certificate, we maintain the private key/keystore passwords so these do not need to be changed in the ssl.ini files.

How to update the Performance Center SSL / TLS / HTTPS certificate

How to convert the Performance Center SSL / TLS / HTTPS certificate from a Self-Signed Certificate to a CA-Signed Certificate


Release: IMDAGG99000-3.7-Performance Management


To update the CA Performance Center (CAPC)  SSL certificates

1. List the alias of the existing keypair in the jetty keystore:

/opt/CA/jre/bin/keytool -list -keystore <installDirectory>/PerformanceCenter/jetty/etc/keystore -storepass <keystorePassword>

The keystore password can be obtained from:

   .  /opt/CA/PerformanceCenter/PC/start.d/ssl.ini file  field:


       PASSWORD will be the actual keystore password in your files.

    The <installDirectory> is /opt/CA by default, but may be different in your install.


        /opt/CA/jre/bin/keytool -list -keystore /opt/CA/PerformanceCenter/jetty/etc/keystore -storepass changeit

        Keystore type: JKS
        Keystore provider: SUN

        Your keystore contains 1 entry

        myaliasname, Feb 4, 2016, PrivateKeyEntry,
        Certificate fingerprint (SHA1): AB:CD:EF:D0:A1:B2:C3:D4:E5:F6:AB:CD:EF:A1:B2:C3:D4:E5:F6:D0

    In the example above "myaliasname" woudl be the alias to use when exporting the certificate signing request (CSR) in step 2.      


2. Generate the CSR from the private certificate in the existing jetty keystore:  

    a. Change to the directory containing the jetty keystore

        cd <installDirectory>/PerformanceCenter/jetty/etc

    b. Generate the CSR:

        /opt/CA/jre/bin/keytool -certreq -keystore keystore -storepass <keystorePassword>  -ext SAN=dns:[FQHN] -alias <aliasFromStep1>  -file <requestfileName>


    The keystore password can be obtained from:

    a. For CAPC 2.6 and earlier, the <installDirectory>/PerformanceCenter/PC/etc/jetty-ssl.xml XML field:

        <Set name="KeyPassword">PASSWORD</Set>

    b. For CAPC 2.7 and later, the /opt/CA/PerformanceCenter/PC/start.d/ssl.ini file  field:


       PASSWORD will be the actual private keys password in your files.


        /opt/CA/jre/bin/keytool -certreq -keystore keystore -storepass changeit -alias myaliasname -keypass changeit -file myaliasname.csr

       In the example above myaliasname.csr would be the CSR file to present to your CA for signing. 

3. Have your Certificate Authority (CA) provide a signed certificate from this CSR.

4. If a new Root CA or Intermediate CA is used to sign the certificate, you must import the new Root CA and Intermediate CA files into
    the Java keystore before importing the new jetty certificate if the certificates do not already exist in the Java keystore:

    a. To list the existing keys in the Java keystore:

        /opt/CA/jre/bin/keytool -list -v -keystore /opt/CA/jre/lib/security/cacerts -storepass <cacertsPassword>

       In the example above <cacertsPassword> would the password of the Java keystore. The default password is changeit.

    b. Import the certificate(s) if needed:

        /opt/CA/jre/bin/keytool -importcert -keystore /opt/CA/jre/lib/security/cacerts -storepass <cacertspasswd> -alias <alias> -file <certificateFile>

       NOTE: If you are using a different Root/Intermedate certificate, use different aliases than the original certificates.
                   When importing the new Root/Intermedate certificates into the cacerts keystore. This way the original certificates
                   are retained and the old jetty keystore put back in place should something not work correctly.

5. Back up the jetty keystore:

    a. Change to the directory containing the jetty keystore

        cd <installDirectory>/PerformanceCenter/jetty/etc

    b. Back up the keystore

        cp keystore keystore.orig

6. Import the new certificate:

    /opt/CA/jre/bin/keytool -importcert -trustcacerts -keystore <installDirectory>/PerformanceCenter/jetty/etc/keystore -storepass <storepasswd> -alias <alias_name>  -file <certificateFile>

    NOTE: The alias used when importing MUST match the exsiting alias as noted in step 1.


        /opt/CA/jre/bin/keytool -importcert -trustcacerts -keystore keystore -storepass changeit -alias myaliasname -keypass changeit -file myaliasname.crt

7. Restart the CAPC processes:

    /sbin/service caperfcenter_console stop
    /sbin/service caperfcenter_devicemanager stop
    /sbin/service caperfcenter_sso stop

    /sbin/service caperfcenter_sso start
    /sbin/service caperfcenter_devicemanager start
    /sbin/service caperfcenter_console start