How to replace the self-signed SSL certificate in EcoStruxure IT Gateway versions 1.16 and newer

EcoStruxureIT · ‎2022-07-13

Contact support for information about Gateway versions older than 1.16.

Note: An imported SSL certificate signed by a trusted certificate authority or a CA certificate imported to the keystore will not persist through an EcoStruxure IT Gateway update.

You must import the certificate again after you update your Gateway software.

Windows

These command examples are formatted for use in the Windows command prompt.
Using PowerShell requires using single quotes instead of the double quotes displayed below.

EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore\ directory:

dcos.keystore (PrivateKeyEntry)

dcos.truststore (trustedCertEntry)

Verify the contents of the Java keystores

Open C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\application-installer.yaml
In the server: > ssl: section, find the line key-store-password and remember the password for the keystores.
Open a command prompt window and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe” -list -v -keystore dcos.keystore
Enter the password you remembered in step 2.
Verify the keystore contents are displayed without error.
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -list -v -keystore dcos.truststore
Enter the password you remember from step 2 when prompted.
Verify the keystore contents are displayed without error.

Create a new keystore for the trusted SSL certificate

Stop the EcoStruxureITGateway-x.x.x.x service.
Delete the existing keystore file, C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore\dcos.keystore.
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
The other values might need to match the values present on the CA. Some values are required by the CA, and others might be optional. This depends on the CA configuration.
Use the .csr file to create a new certificate signed by the Trusted CA. This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority.
Use the same password you remembered in step 2 of the ‘Verify the contents of the Java keystores” section.
Verify that the file dcos.keystore now exists in the keystore folder.
Start the EcoStruxureITGateway-x.x.x.x service.

Create a certificate signing request and a new SSL certificate signed by a trusted CA

Type the command:
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -certreq -alias dcos -keystore dcos.keystore -file newSxOnGW.csr
Enter the required values when prompted. The first value must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed.

Import the Root CA and Web Server SSL certificates to the EcoStruxure IT Gateway keystore

Copy rootca.crt and newSxOnGW.crt to the machine where EcoStruxure IT Gateway is installed.
Stop the EcoStruxureITGateway-x.x.x.x service.
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf\keystore
Import the root CA certificate. Type the command
“C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias root -file rootca.crt -keystore root.truststore
Import the Web Server SSL certificate. Type the command
"C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias dcos -file newSxOnGW.crt -keystore dcos.keystore
Make sure the root CA certificate is imported to the internet browser on all the computers that will be used to access the Gateway user interface.
Start the EcoStruxureITGateway-x.x.x.x service.

EcoStruxure IT Gateway will now use the new signed certificate, and no SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.

C:\Program Files\EcoStruxureITGateway\<version>\gateway\conf\keystore\dcos.keystore (PrivateKeyEntry)

C:\Program Files\EcoStruxureITGateway\<version>\gateway\conf\keystore\dcos.truststore (trustedCertEntry)

Linux

EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore directory:

dcos.keystore (PrivateKeyEntry)

dcos.truststore (trustedCertEntry)

Verify the contents of the Java keystores

Open /opt/EcoStruxureITGateway</current Gateway install version>/gateway/conf/application-installer.yaml
In the server: > ssl: section, find the line key-store-password and remember the password for the keystores.
Open a command prompt window and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool.exe' -list -v -keystore dcos.keystore
Enter the password you remembered in step 2.
Verify the keystore contents are displayed without error.
Type the command
'opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -list -v -keystore dcos.truststore
Enter the password you remember from step 2 when prompted.
Verify the keystore contents are displayed without error.

Create a new keystore for the trusted SSL certificate

Stop the EcoStruxureITGateway-x.x.x.x service.
Delete the existing keystore file, /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore/dcos.keystore.
Open a command prompt and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
The other values might need to match the values present on the CA. Some values are required by the CA, and others might be optional. This depends on the CA configuration.
Use the .csr file to create a new certificate signed by the Trusted CA. This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority.
Use the same password you remembered in step 2 of the ‘Verify the contents of the Java keystores” section.
Verify that the file dcos.keystore now exists in the keystore folder.
Start the EcoStruxureITGateway-x.x.x.x service.

Create a certificate signing request and a new SSL certificate signed by a trusted CA

Type the command:
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -certreq -alias dcos -keystore dcos.keystore -file newSxOnGW.csr
Enter the required values when prompted. The first value must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed.

Import the Root CA and Web Server SSL certificates to the EcoStruxure IT Gateway keystore

Copy rootca.crt and newSxOnGW.crt to the machine where EcoStruxure IT Gateway is installed.
Stop the EcoStruxureITGateway-x.x.x.x service.
Open a command prompt and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/gateway/conf/keystore
Import the root CA certificate. Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias root -file rootca.crt -keystore root.truststore
Import the Web Server SSL certificate. Type the command
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias dcos -file newSxOnGW.crt -keystore dcos.keystore
Make sure the root CA certificate is imported to the internet browser on all the computers that will be used to access the Gateway user interface.
Start the EcoStruxureITGateway-x.x.x.x service.

EcoStruxure IT Gateway will now use the new signed certificate, and no SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.

/opt/EcoStruxureITGateway/<version>/gateway/conf/keystore/dcos.keystore (PrivateKeyEntry)

/opt/EcoStruxureITGateway/<version>\gateway/conf/keystore/dcos.truststore (trustedCertEntry)

JMollica · ‎2024-04-17

Hello,

I would recommend under the Create a new keystore for the trusted SSL certificate for Step 4 to add argument '-validity 365' or any number, to set the number of days the certificate will be valid for, otherwise the default will be 3 months' time.

ex:
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048 -validity 365

How to replace the self-signed SSL certificate in EcoStruxure IT Gateway versions 1.16 and newer

Related Forums

EcoStruxure IT forum

APC UPS Data Center & Enterprise Solutions Forum