
Replacing an Existing Certificate with a New Self-Signed or CA-Signed Certificate

A self-signed certificate is created and installed during NNMi installation. You would typically replace a certificate in any of the following scenarios:

  • To use a new self-signed or CA-signed certificate instead of the default certificate.
  • To renew an expired certificate.

To replace a certificate, do the following:

  1. Generate a self-signed certificate. For details, see Generating a Self-Signed Certificate.

  2. If your organization requires the certificate to be signed by a CA, generate a CSR (Certificate Signing Request) file and obtain a CA-signed certificate. For details, see Generating a CA-Signed Certificate.
  3. Open the following file and update the com.hp.ov.nms.ssl.KEY_ALIAS property to the value you used for <alias_name> while generating the certificate.

    • Windows: %NNM_CONF%\nnm\props\nms-local.properties
    • Linux: $NNM_CONF/nnm/props/nms-local.properties
  4. Restart the NNMi Management Server.
    1. Run the ovstop command on the NNMi management server.

    2. Run the ovstart command on the NNMi management server.

      When making file changes under High Availability (HA), you need to make the changes on both nodes in the cluster. For NNMi using HA configurations, if the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands.

  5. Test HTTPS access to the NNMi console using the following syntax:

    https://<fully_qualified_domain_name>:<port_number>/nnm/

    If you used a CA-signed certificate and the browser trusts the CA, the browser trusts the HTTPS connection to the NNMi console.

    If you used a self-signed certificate, the browser displays a warning about the untrusted HTTPS connection to the NNMi console.

    In either case, open the certificate details in the browser and confirm that the certificate presented is the new one: its subject, validity dates, and fingerprint must match the entry for the new alias in nnm.keystore (as shown by keytool -list), not the previous certificate.

Generating a Self-Signed Certificate

To generate a self-signed certificate, follow these steps:

  1. Change to the directory on the NNMi management server that contains the nnm.keystore and nnm.truststore files:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  2. Save a backup copy of the nnm.keystore file. The keystore holds the private key for the NNMi console certificate, so keep the backup with the same restrictive file permissions as the original and do not copy it to a shared location.

    Note  

    • If you are replacing an existing NNMi certificate, do not remove the existing certificate until you complete these steps. NNMi must start up at least once with both the old and new certificate installed so that it can transfer encrypted information to the new certificate.
    • Make sure the com.hp.ov.nms.ssl.KEY_ALIAS property in nms-local.properties points to the new alias (see Replacing an Existing Certificate with a New Self-Signed or CA-Signed Certificate) so that NNMi presents the new certificate on the NNMi management server to client servers.
  3. Generate a key pair on the NNMi management server. Use the keytool command to generate the private key and its self-signed certificate:
    1. Run the following command exactly as shown:

      • Windows: %jdkdir%\bin\keytool.exe -genkeypair -validity 3650 -keyalg rsa -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name>
      • Linux: $jdkdir/bin/keytool -genkeypair -validity 3650 -keyalg rsa -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name>

        Note The alias, referred to as <alias_name> in this example, identifies this newly created key. Although the alias can be any string, it is recommended that you use the fully qualified domain name (FQDN) followed by a suffix that helps you identify the right version. For example, use an alias such as myserver.mydomain-<number> or myserver.mydomain-<date>. The command does not pass -keysize, so the RSA key size is the default of the JDK you run; confirm that it is at least 2048 bits (keytool -list -v shows the key size on recent JDKs) and regenerate with -keysize 2048 if it is not.

    2. Enter the requested information.

      Caution When prompted for your first and last name, enter the FQDN of your system. This value becomes the certificate's Common Name, which browsers compare with the host name in the console URL.

      A self-signed certificate is generated.

      To obtain a CA-signed certificate, you additionally generate a CSR file from this key pair and submit it to a CA. For more information, see Generating a CA-Signed Certificate.

      CA-signed certificates are recommended.

Generating a CA-Signed Certificate

To obtain and install a CA-signed certificate, follow these steps:

  1. Generate a self-signed certificate. For details, see Generating a Self-Signed Certificate.
  2. Run the following command to create a CSR (Certificate Signing Request) file:

    • Windows:%jdkdir%\bin\keytool.exe -keystore nnm.keystore -certreq -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE
    • Linux: $jdkdir/bin/keytool -keystore nnm.keystore -certreq -storepass nnmkeypass -alias <alias_name> -file CERTREQFILE

    Note  

    • In the command above, <alias_name> corresponds to the alias you had provided at the time of generating the certificate.
    • For more information about the keytool command, search for “Key and Certificate Management Tool” at http://www.oracle.com/technetwork/java/index.html.
  3. Send the CSR to your CA, which signs it and returns the certificate files. For information on different types of CA certificates, see Types of CA-Signed Certificates.
  4. Copy the files containing these certificates to a location on the NNMi management server. For this example, copy the files to the following location:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  5. Change to the directory on the NNMi management server that contains the nnm.keystore and nnm.truststore files:

    • Windows: %NnmDataDir%\shared\nnm\certificates
    • Linux: $NnmDataDir/shared/nnm/certificates
  6. Run the following command to import the certificate into the nnm.keystore file:

    Windows:

    • %jdkdir%\bin\keytool.exe -importcert -trustcacerts -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name> -file <myserver.crt>

    Linux:

    • $jdkdir/bin/keytool -importcert -trustcacerts -keystore nnm.keystore -storepass nnmkeypass -alias <alias_name> -file <myserver.crt>

      Note  

      • In the above command,
        • <myserver.crt> corresponds to the full path of the location where you have stored the signed server certificate.
        • <alias_name> corresponds to the alias you had provided at the time of generating the certificate.
      • If you use the -storepass option and provide the password, the keystore program does not prompt you for the keystore password. If you do not use the -storepass option, enter nnmkeypass when prompted for the keystore password.
  7. When prompted to trust the certificate, compare the fingerprints that keytool displays with those of the certificate file you received from the CA (keytool -printcert -file <myserver.crt> shows them), and then enter: y

    Example output for importing a certificate into the keystore

    The output from the command is of the form:

    Owner: CN=NNMi_server.example.com
    Issuer: CN=NNMi_server.example.com
    Serial number: 494440748e5
    Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
    Certificate fingerprints:
    MD5:  29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02
    SHA1: C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03:7E:C4:03
    Trust this certificate? [no]:  y
    Certificate was added to keystore
  8. Run the following commands to import the certificate into the nnm.truststore file:

    • Windows:

      %jdkdir%\bin\keytool.exe -import -alias <alias_name> -keystore nnm.truststore -file <myca.crt>
    • Linux:

      $jdkdir/bin/keytool -import -alias <alias_name> -keystore nnm.truststore -file <myca.crt>

      Note  

      • In the above command,
        • <myca.crt> corresponds to the full path of the location where you have stored the CA certificates.
        • <alias_name> corresponds to the alias you had provided at the time of generating the certificate.
      • If you use the -storepass option and provide the password, the keystore program does not prompt you for the truststore password. If you do not use the -storepass option, enter ovpass when prompted for the truststore password (the truststore password differs from the nnm.keystore password).
  9. When prompted for the truststore password, enter: ovpass.
  10. Examine the contents of the truststore:
    • Windows:

      %jdkdir%\bin\keytool.exe -list -keystore nnm.truststore
    • Linux:

      $jdkdir/bin/keytool -list -keystore nnm.truststore

    When prompted for the truststore password, enter: ovpass

    Example truststore output

    The truststore output is of the form:

    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    nnmi_ldap, Nov 14, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 29:02:D7:D7:D7:D7:29:02:29:02:29:02:29:02:29:02

    Tip The truststore can include multiple certificates.
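The following script is an added example, not NNMi product code or part of the original page. It automates the checks that both procedures rely on but do not spell out: that the alias written to com.hp.ov.nms.ssl.KEY_ALIAS (step 3 of Replacing an Existing Certificate) actually names a private-key entry in nnm.keystore whose CN is the server FQDN and which has not expired, and, for a CA-signed certificate, that the issuer imported in step 8 of Generating a CA-Signed Certificate is present in nnm.truststore as a trustedCertEntry. It assumes the key=value form of nms-local.properties shown above and the text layout of `keytool -list -v` output (Alias name, Entry type, Owner, Issuer, Valid from ... until, SHA256 fingerprint, and the "N-bit RSA key" line that newer keytool versions print). The sample properties excerpt, keystore listing and truststore listing are constructed for this example; the host name nnmi.example.com and the CA names are placeholders.

```python
# Added example (not NNMi product code): sanity-check a JKS certificate replacement using nms-local.properties and the text output of `keytool -list -v`. Sample inputs are constructed.
import re
from datetime import datetime

KEY_ALIAS_PROP = "com.hp.ov.nms.ssl.KEY_ALIAS"

def read_key_alias(properties_text):
    """Value of com.hp.ov.nms.ssl.KEY_ALIAS; commented-out lines are ignored, None if unset."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY_ALIAS_PROP:
            return value.strip()
    return None

def _first(pattern, text):
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1).strip() if m else None

def _keytool_date(text):  # 'Thu Jan 15 09:00:00 UTC 2026' -> naive datetime, zone dropped
    m = re.match(r"(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})", text)
    return datetime.strptime(f"{m.group(1)} {m.group(2)}", "%a %b %d %H:%M:%S %Y")

def parse_keytool_list(listing):
    """Map alias -> details of each entry's end-entity certificate (Certificate[1])."""
    entries = {}
    for chunk in re.split(r"(?m)^Alias name: ", listing)[1:]:
        until = _first(r"^Valid from: .* until: (.+)$", chunk)
        bits = _first(r"(\d+)-bit RSA key", chunk)
        entries[chunk.split("\n", 1)[0].strip()] = {
            "type": _first(r"^Entry type: (.+)$", chunk),
            "owner": _first(r"^Owner: (.+)$", chunk),  # first match = first cert in the chain
            "issuer": _first(r"^Issuer: (.+)$", chunk),
            "not_after": _keytool_date(until) if until else None,
            "key_bits": int(bits) if bits else None,
            "sha256": _first(r"SHA256: ([0-9A-F:]+)", chunk),  # compare with what the browser shows
        }
    return entries

def check_replacement(properties_text, keystore_listing, truststore_listing, fqdn, now=None):
    """Return (ok, findings); findings are (level, message) pairs, level FAIL or INFO."""
    now = now or datetime.now()
    alias = read_key_alias(properties_text)
    if alias is None:
        return False, [("FAIL", f"{KEY_ALIAS_PROP} is not set in nms-local.properties")]
    keystore = parse_keytool_list(keystore_listing)
    entry = keystore.get(alias)
    if entry is None:
        return False, [("FAIL", f"alias '{alias}' from nms-local.properties is not in nnm.keystore")]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        findings.append(("FAIL", f"'{alias}' is a {entry['type']}, not a PrivateKeyEntry"))
    cn = _first(r"CN=([^,]+)", entry["owner"] or "")
    if (cn or "").lower() != fqdn.lower():
        findings.append(("FAIL", f"certificate CN '{cn}' does not match the FQDN '{fqdn}'"))
    if entry["not_after"] and entry["not_after"] <= now:
        findings.append(("FAIL", f"certificate expired on {entry['not_after']:%Y-%m-%d}"))
    if entry["key_bits"] is not None and entry["key_bits"] < 2048:
        findings.append(("FAIL", f"{entry['key_bits']}-bit RSA key; regenerate with -keysize 2048 or larger"))
    if entry["owner"] == entry["issuer"]:
        findings.append(("INFO", "self-signed: browsers will warn about the HTTPS connection"))
    else:  # CA-signed: the issuer must be a trustedCertEntry in nnm.truststore
        trusted = {e["owner"] for e in parse_keytool_list(truststore_listing).values()
                   if e["type"] == "trustedCertEntry"}
        if entry["issuer"] not in trusted:
            findings.append(("FAIL", f"issuer '{entry['issuer']}' is not in nnm.truststore"))
    old = [a for a, e in keystore.items() if a != alias and e["type"] == "PrivateKeyEntry"]
    if old:
        findings.append(("INFO", f"old key entries {old} still present; keep them until NNMi has started once"))
    return not any(level == "FAIL" for level, _ in findings), findings

SAMPLE_NOW = datetime(2024, 6, 1)
SAMPLE_PROPERTIES = "#com.hp.ov.nms.ssl.KEY_ALIAS=nnmi.example.com-old\ncom.hp.ov.nms.ssl.KEY_ALIAS=nnmi.example.com-20240115\n"
SAMPLE_KEYSTORE = """Alias name: nnmi.example.com-20240115
Entry type: PrivateKeyEntry
Owner: CN=nnmi.example.com, O=Example Corp
Issuer: CN=Example Corp Issuing CA, O=Example Corp
Valid from: Mon Jan 15 09:00:00 UTC 2024 until: Thu Jan 15 09:00:00 UTC 2026
\t SHA256: 4F:1B:9C:2E:7A:0D:55:E1:B3:8C:6F:22:D9:41:AB:70:3C:E5:18:F6:0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5
Subject Public Key Algorithm: 2048-bit RSA key
Owner: CN=Example Corp Issuing CA, O=Example Corp

Alias name: nnmi.example.com-old
Entry type: PrivateKeyEntry
Owner: CN=nnmi.example.com
Issuer: CN=nnmi.example.com
Valid from: Tue Oct 28 10:16:21 MST 2008 until: Thu Oct 04 11:16:21 MDT 2108
Subject Public Key Algorithm: 1024-bit RSA key
"""
SAMPLE_TRUSTSTORE = """Alias name: example-issuing-ca
Entry type: trustedCertEntry
Owner: CN=Example Corp Issuing CA, O=Example Corp
Issuer: CN=Example Corp Root CA, O=Example Corp
"""

if __name__ == "__main__":
    ok, findings = check_replacement(SAMPLE_PROPERTIES, SAMPLE_KEYSTORE, SAMPLE_TRUSTSTORE,
                                     "nnmi.example.com", SAMPLE_NOW)
    print("\n".join(f"{level}: {msg}" for level, msg in findings) + ("\nOK" if ok else "\nNOT OK"))
```

To run it against a real server, capture the two listings from the certificates directory (keytool -list -v -keystore nnm.keystore -storepass nnmkeypass, and the same for nnm.truststore with the ovpass password), read them and nms-local.properties into strings, and call check_replacement with the server FQDN. The sha256 field returned by parse_keytool_list for the new alias is the value to compare with the fingerprint the browser shows in step 5. The key-size check is skipped when the listing has no "N-bit RSA key" line; on such older JDKs verify the size another way before relying on the key.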