How to replace the self-signed SSL certificate in EcoStruxure IT Gateway

Picard EcoStruxureIT
‎2022-07-13 05:38 AM

Last Updated: Shuttle Bay rich.pinegar Shuttle Bay ‎2025-06-17 07:30 AM

 

These instructions apply to EcoStruxure IT Gateway 2.0 and newer.

 

For older versions of the Gateway, the installation directory file path is: 

C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf...

 

Contact support for information about Gateway versions older than 1.16.

 

 

IMPORTANT: An imported SSL certificate signed by a trusted certificate authority or a CA certificate imported to the keystore will not persist through an EcoStruxure IT Gateway update.

You must import the certificate again after you update your Gateway software.

 

Windows

 

These command examples are formatted for use in the Windows command prompt.
Using PowerShell requires using single quotes instead of the double quotes displayed below.

 

EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\ directory:

 

dcos.keystore (PrivateKeyEntry)

dcos.truststore (trustedCertEntry)

 

Create a new keystore for the trusted SSL certificate

  1. Stop the EcoStruxureITGateway-x.x.x.x service.
  2. Open File Explorer and navigate to:

    •  C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\ 

  3. Rename the existing dcos.keystore and dcos.truststore 

    • example: dcos.keystoreDefault
  4. Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore
  5. Type the following command:
    • "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
  6. You will first be prompted to enter a new password for the dcos.keystore you just created.
    • Note: Write down or remember your password, you will need it in a later step. 
  7. You will then be asked to enter the following information:
    •  Note: The following values may need to match values present on the certificate signing authority (CA). Some are required by the CA, and others may be optional depending on the CA configuration.
    • The first value (CN) must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed

      • (CN) Common Name
      • (OU) Organizational Unit
      • (O) Organization
      • (L) City or Locality
      • (ST) State or Province 
      • (C) A two letter country code
  8. Verify that the file dcos.keystore now exists in C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\ 
  9. Edit the application-gateway-prod.yml file; set the key-store-password to the password you created in step 6 above.
    • Note: If your password contains special characters, enclose it in single quotes in the application-gateway-prod.yml file

 

Create a certificate signing request (CSR) and new SSL certificate signed by a trusted CA

  1. Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore and enter the following:
    • "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -certreq -alias dcos -keystore dcos.keystore -file newGWcert.csr

    • This will create the newGWcert.csr in the same directory
  2. Provide the certificate signing request (CSR) to your certificate signing authority (CA). This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority. You will receive a new signed certificate and the root certificate from your CA.
    • Note: You will need both the new signed certificate and root certificate for later steps.

 

Import the Root certificate and Web Server SSL certificate to the EcoStruxure IT Gateway keystore

  1. Copy the root CA certificate (we will call this rootca.crt) and newGWcert.crt to the server where EcoStruxure IT Gateway is installed.

    • Note: Root and Web Server SSL certificates may end in .crt or .cer
  2. Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore

  3. Import the root CA certificate by typing the following command (this will create a new dcos.truststore and import the root certificate in that trust store):

    • "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias root -keyalg RSA -file rootca.crt -keystore dcos.truststore

  4. You will first be prompted to enter a new password for the dcos.truststore you just created.
    • Note: Write down or remember your password, you will need it in a later step. 
  5. You will be asked whether or not to trust this certificate.  Type "yes" if you trust the certificate and hit Enter.
  6. Verify that the file dcos.truststore now exists in C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\ 
  7. Edit the application-gateway-prod.yml file; set the trust-store-password to the password you created in step 4 above.
    • Note: If your password contains special characters, enclose it in single quotes in the application-gateway-prod.yml file
  8. Import the root CA certificate into the dcos.keystore by typing the following command:
    • "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias root -file rootca.crt -keystore dcos.keystore
  9. Import the Web Server SSL certificate to the dcos.keystore by typing the following command:
    •  "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias dcos -file newGWcert.crt -keystore dcos.keystore
  10. Make sure the root CA certificate is imported to the internet browser on all the computers/browsers that will be used to access the Gateway user interface.
  11. Start the EcoStruxureITGateway-x.x.x.x service.
    • EcoStruxure IT Gateway will now use the new signed certificate. No SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.

       

 

Linux

 

EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore directory:

 

dcos.keystore (PrivateKeyEntry)

dcos.truststore (trustedCertEntry)

 

Note: All commands must be run with sudo

 

Create a new keystore for the trusted SSL certificate

  1. SSH into the Linux server and stop the EcoStruxureITGateway-x.x.x.x service.
    • sudo systemctl stop EcoStruxureITGateway-x.x.x.x.service
  2.  Change directory to the following:
    •  /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore 
  3. Rename the existing dcos.keystore and dcos.truststore 
    • example: dcos.keystoreDefault
  4. From the same directory type the following command:
    • sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
  5. You will first be prompted to enter a new password for the dcos.keystore you just created.
    • Note: Write down or remember your password, you will need it in a later step. 
  6. You will then be asked to enter the following information:
    • Note: The following values may need to match values present on the certificate signing authority (CA). Some are required by the CA, and others may be optional depending on the CA configuration.
    • The first value (CN) must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed 
      • (CN) Common Name
      • (OU) Organizational Unit
      • (O) Organization
      • (L) City or Locality
      • (ST) State or Province 
      • (C) A two letter country code
  7. Verify that the file dcos.keystore now exists in /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore/
  8. Edit the application-gateway-prod.yml file; set the key-store-password to the password you created in step 5 above.
    • Note: If your password contains special characters, enclose it in single quotes in the application-gateway-prod.yml file

 

Create a certificate signing request (CSR) and new SSL certificate signed by a trusted CA

  1. SSH into the Linux server and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore and enter the following:
    • sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -certreq -alias dcos -keystore dcos.keystore -file newGWcert.csr
    • This will create the newGWcert.csr in the same directory
  2. Provide the certificate signing request (CSR) to your certificate signing authority (CA). This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority. You will receive a new signed certificate and the root certificate from your CA.
    • Note: You will need both the new signed certificate and root certificate for later steps.

 

Import the Root certificate and Web Server SSL certificate to the EcoStruxure IT Gateway keystore

  1. Copy the root CA certificate (we will call this rootca.crt) and newGWcert.crt to the server where EcoStruxure IT Gateway is installed.
    • Note: Root and Web Server SSL certificates may end in .crt or .cer
  2. SSH into the Linux server and change directory to /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore
  3. Import the root CA certificate by typing the following command (this will create a new dcos.truststore and import the root certificate in that trust store):
    • sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias root -keyalg RSA -file rootca.crt -keystore dcos.truststore
  4. You will first be prompted to enter a new password for the dcos.truststore you just created.
    • Note: Write down or remember your password, you will need it in a later step. 
  5. You will be asked whether or not to trust this certificate.  Type "yes" if you trust the certificate and hit Enter.
  6. Verify that the file dcos.truststore now exists in /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore
  7. Edit the application-gateway-prod.yml file; set the trust-store-password to the password you created in step 4 above.
    • Note: If your password contains special characters, enclose it in single quotes in the application-gateway-prod.yml file
  8. Import the root CA certificate into the dcos.keystore by typing the following command:
    • sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias root -file rootca.crt -keystore dcos.keystore
  9. Import the Web Server SSL certificate to the dcos.keystore by typing the following command:
    • sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias dcos -file newGWcert.crt -keystore dcos.keystore
  10. Make sure the root CA certificate is imported to the internet browser on all the computers/browsers that will be used to access the Gateway user interface.
  11. Start the EcoStruxureITGateway-x.x.x.x service.
    • sudo systemctl start EcoStruxureITGateway-x.x.x.x.service
    • EcoStruxure IT Gateway will now use the new signed certificate. No SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.
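
Because an imported certificate does not persist through a Gateway update, it is worth checking the keystore after this procedure and again after every update. The following is an added example, not part of the original article: it reads `keytool -list -v` output (English locale) and reports whether the dcos entry is still self-signed. The function names, exit codes and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# check_gateway_keystore [alias]: reads `keytool -list -v` output on stdin.
#   exit 0  alias is a PrivateKeyEntry whose leaf certificate is CA-signed
#   exit 1  alias is a PrivateKeyEntry but still self-signed (Owner == Issuer)
#   exit 2  alias missing, not a PrivateKeyEntry, or listing made without -v
check_gateway_keystore() {
    awk -v want="${1:-dcos}" '
        { sub(/\r$/, "") }                      # tolerate CRLF from Windows
        /^Alias name: /  { in_entry = (substr($0, 13) == want); cert = 0 }
        !in_entry        { next }               # ignore every other entry
        /^Entry type: /  { type = substr($0, 13) }
        /^Certificate chain length: / { chain = $4 + 0 }
        /^Certificate\[[0-9]+\]:/     { cert++ }
        cert == 1 && /^Owner: /       { owner = substr($0, 8) }
        cert == 1 && /^Issuer: /      { issuer = substr($0, 9) }
        END {
            if (type != "PrivateKeyEntry" || owner == "") {
                print "FAIL: no verbose PrivateKeyEntry for alias " want; exit 2
            }
            if (owner == issuer) {
                print "WARN: " want " is self-signed (chain length " chain ")"; exit 1
            }
            print "OK: " want " issued by " issuer " (chain length " chain ")"
        }'
}

# Constructed sample in the layout keytool prints (not captured from a Gateway).
# $1 = issuer DN of the leaf certificate, $2 = chain length.
SAMPLE_OWNER="CN=gateway.example.internal, OU=IT, O=Example, L=City, ST=State, C=US"
sample_listing() {
    cat <<EOF
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: dcos
Creation date: Jun 17, 2025
Entry type: PrivateKeyEntry
Certificate chain length: $2
Certificate[1]:
Owner: $SAMPLE_OWNER
Issuer: $1
Serial number: 1a2b3c
EOF
}

# Real use, from the keystore directory (path placeholder as in the article):
#   sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' \
#        -list -v -keystore dcos.keystore | check_gateway_keystore dcos
sample_listing "$SAMPLE_OWNER" 1 | check_gateway_keystore dcos || true
sample_listing "CN=Example Issuing CA, O=Example, C=US" 3 | check_gateway_keystore dcos
```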

Comments
JMollica
‎2024-04-17 06:26 AM

Hello,

I would recommend under the Create a new keystore for the trusted SSL certificate for Step 4 to add argument '-validity 365' or any number, to set the number of days the certificate will be valid for, otherwise the default will be 3 months' time.

ex: 

'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048 -validity 365

 

HWeser
‎2025-05-23 06:43 AM

Hello,

I'm struggling now with this instruction to set up an EcoStruxure IT Gateway for almost a week. But got it solved. Could you please review the points below and advise?

 

  1. The instruction always is referring to 2 keystore files (the "dcos.keystore" and "dcos.truststore"). No explanation why the RootCA should be loaded into a file "root.truststore". If you follow this instruction, the dialog asks you to create a container password. To allow the application to access the container, its password and filename need to get added to the "application-installer.yaml" file, same as the entries for the other 2 containers.
  2. The instruction does not advise how to install intermediate certificates if your CA requires to do so. If you skip this step, you can't add the server certificate itself getting an error in "keytool error: java.lang.Exception: Failed to establish chain from reply".

My findings in short:

 

  1. verify Java keystore content
  2. stop Gateway service
  3. stop Gateway database service
  4. delete the dcos.keystore AND the dcos.truststore
  5. generate a new dcos.keystore and provide the requested information as necessary. The values entered will be issued for the CSR with next step:
    1. CN - FQDN of the server
    2. OU - e.g. company name
    3. O - e.g. department name
    4. S - state
    5. C - country
    6. confirm the summary with "yes" or "no" to walk thru steps again.
  6. Create CSR file and handover to your CA.
  7. Your CA may provide you ideally with individual CRT files. If you receive PEM - that file can be opened with a plain text editor and each section starting with "----BEGIN CERTIFICATE----" and ending with "----END CERTIFICATE----" can be saved in separate files. Usually the first section is the server cert, the second section an Intermediate and the last section the root certificate. Then rename files extension into CRT and check the content.
  8. Upload the certificates provided by your CA to server.
  9. Load the RootCA.CRT to your dcos.truststore and use alias "root". Because you deleted the dcos.truststore in step 3 you will be prompted to set a password. Check the password value in file "application-installer.yaml" and use same there.
  10. If your CA requires an intermediate certificate to install, load the Intermediate.CRT to your dcos.truststore and use alias "intermediate". If your CA didn't provide one, go to the next step.
  11. Load the Server.CRT into your dcos.keystore and use alias "dcos". Here I couldn't get further with the following error message:

keytool error: java.lang.Exception: Failed to establish chain from reply

 

Solution to establish the chain:

  1. Load the provided RootCA.crt into the "dcos.keystore" and use alias "root".
  2. Load the provided Intermediate.crt into the "dcos.keystore" and use alias "intermediate".
  3. Load the provided Server.crt into the "dcos.keystore" and use alias "dcos". You shouldn't get an error anymore.
  4. Verify the content of "dcos.keystore". There should now be 3 entries separated with double lines of stars "*********" :
    1. PrivateKeyEntry with key and 3 certificates ending section with separators ********
    2. TrustedCertEntry "root" ending section with separators *********
    3. TrustedCertEntry "intermediate" ending section with separators *********
  5. Now you need to remove the TrustedCertEntries 2+3 from keystore by using command "keytool.exe -delete -alias root -keystore dcos.keystore" and "keytool.exe -delete -alias intermediate -keystore dcos.keystore".
    (Note: This step was required otherwise the webserver is still seen with a certificate not verified issuer.)
  6. One more time verify the content of "dcos.keystore". There should now be only 1 PrivateKeyEntry with Key and 3 subrecords with certificates.
  7. start Gateway database service
  8. start Gateway service

 

Many thanks and happy about a response
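
An added example, not part of the comment above or of the article: keytool reports "Failed to establish chain from reply" when it cannot link the server certificate to a trusted root, so this script orders the CA's files root first and names any issuer whose certificate is missing before you import. The function names, file names and sample DNs are assumptions made for illustration, and `cert_links` needs the openssl CLI.

```shell
#!/bin/sh
# cert_links FILE...: print "subject<TAB>issuer<TAB>file" for each certificate.
cert_links() {
    for f in "$@"; do
        s=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
        i=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
        printf '%s\t%s\t%s\n' "$s" "$i" "$f"
    done
}

# import_order: read those lines on stdin, print the files root first, leaf last.
#   exit 1  a certificate in the chain is missing (its issuer DN is printed)
#   exit 2  no unique server certificate, or the issuers form a loop
import_order() {
    awk -F '\t' '
        { issuer[$1] = $2; file[$1] = $3; issues[$2] = 1 }
        END {
            # The server certificate is the one subject that issues nothing.
            for (s in issuer) if (!(s in issues)) { leaf = s; leaves++ }
            if (leaves != 1) { print "cannot identify a single server certificate"; exit 2 }
            s = leaf
            while (1) {
                order[++n] = file[s]
                if (n > NR) { print "certificate loop detected"; exit 2 }
                if (issuer[s] == s) break        # reached the self-signed root
                if (!(issuer[s] in issuer)) {
                    print "missing certificate for issuer: " issuer[s]; exit 1
                }
                s = issuer[s]
            }
            for (k = n; k >= 1; k--) print order[k]
        }'
}

# Constructed sample links (DNs and file names are made up, listed out of order).
sample_links() {
    printf '%s\t%s\t%s\n' \
        "CN=gateway.example.internal,O=Example" "CN=Example Issuing CA,O=Example" "Server.crt" \
        "CN=Example Root CA,O=Example" "CN=Example Root CA,O=Example" "RootCA.crt" \
        "CN=Example Issuing CA,O=Example" "CN=Example Root CA,O=Example" "Intermediate.crt"
}

# Real use: cert_links RootCA.crt Intermediate.crt Server.crt | import_order
sample_links | import_order    # RootCA.crt, Intermediate.crt, Server.crt (one per line)
sample_links | grep -v Intermediate.crt | import_order || true   # names the missing issuer
```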

wavecomas
‎2025-06-21 01:31 AM

 

All this is useless.

After gateway update our certs are replaced with self signed certs again!!!!!

jchiglo
‎2025-06-26 09:02 AM

Our development team notices the same exact problem as what wavecomas's comment says. The Linux procedure needs to be reviewed to reflect any new changes to the directory when there's a new gateway version.
