Product Version: 7.0
Last Modified: 20 Mar 2017

Question

How to install or change a Director SSL Certificate?

Answer

Generating a New SSL Certificate

Linux

  1. Stop the product service
  2. Locate jre/bin/keytool program in the Director main folder
  3. Run keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3560
  4. Use product_2011! as a password
  5. Enter your information following the program prompts
  6. Copy the generated file from the current user's home folder to tomcat/cert in the Director main folder, replacing the existing one. server.pem and server_private.pem can be ignored, since they are only used under Windows
  7. Start the product service.

Windows

  1. Stop the product service
  2. Open the command prompt: Start > Run... type cmd and click OK
  3. Go to the jre\bin folder in the Director main folder. By default, you can run the command cd "C:\Program Files\NAKIVO Backup & Replication\jre\bin"
  4. Run keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 3560
  5. Use product_2011! as the password
  6. Enter your information following the program prompts
  7. Convert the certificates from the created keystore using the Keytool IUI tool. You must have a Java IDE to run it.
    1. Locate .keystore file in C:\Documents & Settings\USER_NAME
    2. Make a copy of this file
    3. Rename it to keystore.ks
    4. In Keytool IUI: Export > Private key's first certificate in chain > As simple cert. Source: JKS. Target: PEM > to server.pem (this is SSLCertificateFile).
    5. Select the tomcat entry and export
    6. In Keytool IUI: Export > Keystore's Entry > Private key. Source: JKS, Target: PEM > to server_private.pem. Select an arbitrary name and options for the Certificates chain file, as it is not used
    7. Private key file is SSLCertificateKeyFile. Select the 1st entry and export
    8. Copy .keystore, server.pem, server_private.pem to tomcat/cert in the Director main folder, replacing the existing ones. server.pem and server_private.pem are used under Windows OS, .keystore is used under Linux OS
  8. Start the product service

Changing an SSL Certificate

Only RSA certificates are supported. DSA certificates are not.

Linux

First, locate the following files:

  • mycert.pem - your certificate
  • mykey.pem - a private key for your certificate
  • cabundle.pem - root CA certificate bundle.

Then check if you have an openssl package installed (usually it is installed with the OS).

Next, do the following:

  1. Stop NAKIVO Director service
  2. (optional) If you have the certificates and key in CRT format, they should be converted into PEM format:

    openssl x509 -in mycert.crt -out mycert.pem -outform PEM
    openssl x509 -in cabundle.crt -out cabundle.pem -outform PEM
  3. Create a pkcs12 file containing the certificate and the private key:

    openssl pkcs12 -export -in mycert.pem -inkey mykey.pem -out keyAndCert.p12 -name tomcat -certfile cabundle.pem -caname root
  4. Remove existing cert from keystore:

    /opt/nakivo/director/jre/bin/keytool -delete -alias tomcat -storepass product_2011! -keystore /opt/nakivo/director/tomcat/cert/.keystore
  5. Import into the existing keystore, replacing the previous tomcat certificate:

    /opt/nakivo/director/jre/bin/keytool -importkeystore -srckeystore keyAndCert.p12 -srcstoretype PKCS12 -destkeystore /opt/nakivo/director/tomcat/cert/.keystore -deststoretype JKS -deststorepass product_2011! -destkeypass product_2011!
  6. Import the CA root certificate into the keystore:

    /opt/nakivo/director/jre/bin/keytool -import -alias root -storepass product_2011! -keystore /opt/nakivo/director/tomcat/cert/.keystore -trustcacerts -file cabundle.pem
  7. Start the product service.
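
A pre-flight check for the three input files, worth running before step 3 so that a non-RSA certificate, a mismatched private key or a bundle that does not cover the certificate is caught before the existing tomcat entry is deleted in step 4. This is an added example, not part of the documented procedure; the function name preflight_cert is hypothetical, and it relies only on standard openssl subcommands.

```shell
#!/bin/sh
# Pre-flight check for the files named in the Linux procedure above.
# Usage: preflight_cert mycert.pem mykey.pem cabundle.pem
# Returns 0 when all checks pass; otherwise prints the reason and returns 1-3.

preflight_cert() {
    cert=$1; key=$2; ca=$3

    # 1. Only RSA certificates are supported, so reject DSA/EC up front.
    if ! openssl x509 -in "$cert" -noout -text 2>/dev/null |
            grep -q 'Public Key Algorithm: rsaEncryption'; then
        echo "FAIL: $cert is not an RSA certificate" >&2
        return 1
    fi

    # 2. The private key must belong to the certificate: compare the
    #    public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert" >&2
        return 2
    fi

    # 3. The certificate must chain to the CA bundle passed via -certfile.
    if ! openssl verify -CAfile "$ca" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not verify against $ca" >&2
        return 3
    fi

    echo "OK: $cert is RSA, matches $key, and chains to $ca"
}

# Run the check when the three file names are given on the command line.
if [ "$#" -eq 3 ]; then
    preflight_cert "$@"
fi
```

If the private key is passphrase-protected, openssl prompts for the passphrase during the second check.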

Windows

  1. Stop the product service
  2. Open the product folder. By default it is C:\Program Files\NAKIVO Backup & Replication
  3. Replace the tomcat\cert\server.pem with the server certificate
  4. Replace the tomcat\cert\server_private.pem with the server private key
  5. In tomcat\conf\server-windows.xml, find the string:
    SSLPassword="product_2011!"
    and replace its value with the password that was used to encrypt the private key.
  6. Start the product service.