Workload: How can cert be updated or changed after appliance registration?

Environment

Workload Appliance


Objective

How can a certificate be updated, changed or replaced after appliance registration?

Resolution

  1. Navigate to a folder where you want to generate the keystore and truststore from the CA-signed certificate.
  2. Create the keystore from the CA-signed certificate
    1. openssl pkcs12 -export -in <Path_to_cert> -inkey <Path_to_key> -name 'cwp-appliance' -out gateway-keystore.p12
      • Do not change the value of the -name argument. This value must remain 'cwp-appliance'.
      • <Path_to_cert> is the path to the CA-signed certificate. <Path_to_key> is the path to the private key.
    2. Set a password at the prompt (Enter Export Password). This will be the keystore password.
    3. E.g.:
      openssl pkcs12 -export -in /Users/<username>/Downloads/sbu_vmware_com_140668505/sbu_vmware_com.crt -inkey /Users/<username>/Downloads/sbu_vmware_com.key -name 'cwp-appliance' -out gateway-keystore.p12
  3. Create the truststore
    1. keytool -importcert -storetype PKCS12 -keystore gateway-truststore.p12 -storepass <keystore-password> -alias cwp-appliance -file <Path_to_cert> -noprompt
    2. E.g.:
      keytool -importcert -storetype PKCS12 -keystore gateway-truststore.p12 -storepass changeit -alias cwp-appliance -file /Users/Downloads/sbu_vmware_com_140668505/sbu_vmware_com.crt -noprompt
  4. From the current folder, move these certificates to the appliance
    1. scp <keystore-file-name> <truststore-file-name> admin@<APPLIANCE_IP>:/home/admin
    2. E.g.:
      scp gateway-keystore.p12 gateway-truststore.p12 admin@<APPLIANCE_IP>:/home/admin
    3. (Provide the admin password at the prompt)
  5. SSH to your appliance
    1. ssh admin@<APPLIANCE_IP>
  6. Navigate to the folder /opt/vmware/cwp/appliance-gateway/ssl
    1. cd /opt/vmware/cwp/appliance-gateway/ssl
  7. Create a backup of the existing certificates
    1. sudo mv gateway-truststore.p12 gateway-truststore.p12.bkp
    2. sudo mv gateway-keystore.p12 gateway-keystore.p12.bkp
  8. Copy the new certificates from the /home/admin folder to the current folder
    1. sudo mv /home/admin/gateway-truststore.p12 .
    2. sudo mv /home/admin/gateway-keystore.p12 .
  9. Set the correct ownership on the certificates
    1. sudo chown root:cwp gateway-keystore.p12
    2. sudo chown root:cwp gateway-truststore.p12
  10. Navigate to the folder /opt/vmware/cwp/appliance-gateway/config
    1. cd /opt/vmware/cwp/appliance-gateway/config
  11. Create a backup of application.yml
    1. sudo cp application.yml application.yml.bkp
  12. Change the password details in application.yml
    1. sudo vi application.yml
      • This will open the application.yml file
    2. Press (Esc + I) to enable insert mode, then change key-store-password and trust-store-password to the password set while creating the keystore and truststore (in the steps above).
    3. Save the changes (press Esc, then type :wq).
    4. Run the command (cat application.yml) to validate the details.
    5. The output (application.yml file) should be as given below:
server:
  ssl:
    key-store-password: xxxxxx
    trust-store-password: xxxxx
 
  13. Restart the gateway service:
    1. sudo systemctl restart cwp-appliance-gateway.service
  14. Log in to the appliance via the UI
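
The keystore from step 2 can be checked on the workstation before it is copied to the appliance in step 4. The script below is an added example, not part of the original article or the appliance's own tooling: it confirms that the keystore opens with the password, carries the 'cwp-appliance' alias, holds a private key matching its certificate, and that the certificate has not expired. The function name check_keystore and the KS_PASS environment variable are assumptions of this example.

```shell
#!/bin/sh
# Pre-flight check for gateway-keystore.p12 (added example, not vendor code).
# The password is read from the KS_PASS environment variable (an assumption of
# this example) so that it never appears in the process list.
# Return codes: 0 ok, 1 cannot open, 2 alias missing,
#               3 key/certificate mismatch, 4 certificate expired.
check_keystore() {
    p12=$1
    alias_name=${2:-cwp-appliance}

    # 1. The file must open with the supplied password.
    certs=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS \
                -nokeys -clcerts 2>/dev/null) || return 1

    # 2. The entry must carry the alias set with -name in step 2.
    printf '%s\n' "$certs" | grep -q "friendlyName: $alias_name\$" || return 2

    # 3. The private key in the keystore must belong to the certificate in it:
    #    compare the public key derived from each.
    cert_pub=$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$p12" -passin env:KS_PASS -nocerts -nodes \
                2>/dev/null | openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 3

    # 4. The certificate must not already be expired.
    printf '%s\n' "$certs" | openssl x509 -noout -checkend 0 \
        >/dev/null 2>&1 || return 4
    return 0
}

# Stand-alone use: KS_PASS='<keystore-password>' sh check.sh gateway-keystore.p12
[ "$#" -eq 0 ] || check_keystore "$@"
```

A non-zero return code identifies which check failed, so the file can be rebuilt before the existing keystore on the appliance is replaced.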

Article Information
Creation Date: 07-29-2021