How to replace the self-signed SSL certificate in EcoStruxure IT Gateway

EcoStruxureIT · ‎2022-07-13

These instructions apply to EcoStruxure IT Gateway 2.0 and newer.

For older versions of the Gateway, the installation directory file path is:

C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\gateway\conf...

Contact support for information about Gateway versions older than 1.16.

IMPORTANT: An imported SSL certificate signed by a trusted certificate authority or a CA certificate imported to the keystore will not persist through an EcoStruxure IT Gateway update.

You must import the certificate again after you update your Gateway software.

Windows

These command examples are formatted for use in the Windows command prompt.
Using PowerShell requires using single quotes instead of the double quotes displayed below.

EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\ directory:

dcos.keystore (PrivateKeyEntry)

dcos.truststore (trustedCertEntry)

Create a new keystore for the trusted SSL certificate

Stop the EcoStruxureITGateway-x.x.x.x service.
Open File Explorer and navigate to:
- C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\
Rename the existing dcos.keystore and dcos.truststore
- example: dcos.keystoreDefault
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore
Type the following command:
- "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048
You will first be prompted to enter a new password for the dcos.keystore you just created.
- Note: Write down or remember your password, you will need it in a later step.
You will then be asked to enter the following information:
- Note: The following values may need to match values present on the certificate signing authority (CA). Some are required by the CA, and others may be optional depending on the CA configuration.
- The first value (CN) must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed
  - (CN) Common Name
  - (OU) Organizational Unit
  - (O) Organization
  - (L) City or Locality
  - (ST) State or Province
  - (C) A two letter country code
Verify that the file dcos.keystore now exists in C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\
Edit the application-gateway-prod.yml file; set the key-store-password to the password you created in step 6 above.
- Note: If your password uses any special characters you will want to use single quotes in the application-gateway-prod.yml file

Create a certificate signing request (CSR) and new SSL certificate signed by a trusted CA

Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore and enter the following:
- "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -certreq -alias dcos -keystore dcos.keystore -file newGWcert.csr
- This will create the newGWcert.csr in the same directory
Provide the certificate signing request (CSR) to your certificate signing authority (CA). This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority. You will receive a new signed certificate and the root certificate from your CA.
- Note: You will need both the new signed certificate and root certificate for later steps.

Import the Root certificate and Web Server SSL certificate to the EcoStruxure IT Gateway keystore

Copy the root CA certificate (we will call this rootca.crt) and newGWcert.crt to the server where EcoStruxure IT Gateway is installed.
- Note: Root and Web Server SSL certificates may end in .crt or .cer
Open a command prompt and change the directory to C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore
Import the root CA certificate by typing the following command (this will create a new dcos.truststore and import the root certificate in that trust store):
- “C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias root -keyalg RSA -file rootca.crt -keystore dcos.truststore
You will first be prompted to enter a new password for the dcos.truststore you just created.
- Note: Write down or remember your password, you will need it in a later step.
You will be asked whether or not to trust this certificate. Type "yes" if you trust the certificate and hit Enter.
Verify that the file dcos.truststore now exists in C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\conf\keystore\
Edit the application-gateway-prod.yml file; set the trust-store-password to the password you created in step 4 above.
- Note: If your password uses any special characters you will want to use single quotes in the application-gateway-prod.yml file
Import the root CA certificate into the dcos.keystore by typing the following command:
- "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias root -file rootca.crt -keystore dcos.keystore
Import the Web Server SSL certificate to the dcos.keystore by typing the following command:
- "C:\Program Files\EcoStruxureITGateway\<current Gateway install version>\jre\bin\keytool.exe" -importCert -trustcacerts -alias dcos -file newGWcert.crt -keystore dcos.keystore
Make sure the root CA certificate is imported to the internet browser on all the computers/browsers that will be used to access the Gateway user interface.
Start the EcoStruxureITGateway-x.x.x.x service.
- EcoStruxure IT Gateway will now use the new signed certificate. No SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.

Linux

EcoStruxure IT Gateway stores the user interface SSL certificates in two Java keystore files in the /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore directory:

dcos.keystore (PrivateKeyEntry)

dcos.truststore (trustedCertEntry)

Note: All commands must be run as sudo

Create a new keystore for the trusted SSL certificate

SSH into the Linux server and stop the EcoStruxureITGateway-x.x.x.x service.
- sudo systemctl stop EcoStruxureITGateway-x.x.x.x.service
Change directory to the following:

/opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore

Rename the existing dcos.keystore and dcos.truststore

example: dcos.keystoreDefault

From the same directory type the following command:

sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048

You will first be prompted to enter a new password for the dcos.keystore you just created.

Note: Write down or remember your password, you will need it in a later step.

You will then be asked to enter the following information:

Note: The following values may need to match values present on the certificate signing authority (CA). Some are required by the CA, and others may be optional depending on the CA configuration.
The first value (CN) must match the hostname or FQDN (Fully Qualified Domain Name) of the server where EcoStruxure IT Gateway is installed
- (CN) Common Name
- (OU) Organizational Unit
- (O) Organization
- (L) City or Locality
- (ST) State or Province
- (C) A two letter country code

Verify that the file dcos.keystore now exists in /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore/
Edit the application-gateway-prod.yml file; set the key-store-password to the password you created in step 6 above.

Note: If your password uses any special characters you will want to use single quotes in the application-gateway-prod.yml file

Create a certificate signing request (CSR) and new SSL certificate signed by a trusted CA

SSH into the Linux server and change the directory to /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore and enter the following:

sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -certreq -alias dcos -keystore dcos.keystore -file newGWcert.csr
This will create the newGWcert.csr in the same directory

Provide the certificate signing request (CSR) to your certificate signing authority (CA). This could be a CA run by your company, or it might need to be sent to a third-party Certificate Authority. You will receive a new signed certificate and the root certificate from your CA.

Note: You will need both the new signed certificate and root certificate for later steps.

Import the Root certificate and Web Server SSL certificate to the EcoStruxure IT Gateway keystore

Copy the root CA certificate (we will call this rootca.crt) and newGWcert.crt to the server where EcoStruxure IT Gateway is installed.

Note: Root and Web Server SSL certificates may end in .crt or .cer

SSH into the Linux server and change directory to /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore
Import the root CA certificate by typing the following command (this will create a new dcos.truststore and import the root certificate in that trust store):

sudo '/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -importCert -trustcacerts -alias root -keyalg RSA -file rootca.crt -keystore dcos.truststore

You will first be prompted to enter a new password for the dcos.truststore you just created.

Note: Write down or remember your password, you will need it in a later step.

You will be asked whether or not to trust this certificate. Type "yes" if you trust the certificate and hit Enter.
Verify that the file dcos.truststore now exists in /opt/EcoStruxureITGateway/<current Gateway install version>/conf/keystore
Edit the application-gateway-prod.yml file; set the trust-store-password to the password you created in step 4 above.

Note: If your password uses any special characters you will want to use single quotes in the application-gateway-prod.yml file

Import the root CA certificate into the dcos.keystore by typing the following command:

sudo ‘/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool’ -importCert -trustcacerts -alias root -file rootca.crt -keystore dcos.keystore

Import the Web Server SSL certificate to the dcos.keystore by typing the following command:

sudo ‘/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool’ -importCert -trustcacerts -alias dcos -file newGWcert.crt -keystore dcos.keystore

Make sure the root CA certificate is imported to the internet browser on all the computers/browsers that will be used to access the Gateway user interface.
Start the EcoStruxureITGateway-x.x.x.x service.
- sudo systemctl start EcoStruxureITGateway-x.x.x.x.service
- EcoStruxure IT Gateway will now use the new signed certificate. No SSL Certificate security warning will be displayed by the browser when the Gateway user interface is launched.

JMollica · ‎2024-04-17

Hello,

I would recommend under the Create a new keystore for the trusted SSL certificate for Step 4 to add argument '-validity 365' or any number, to set the number of days the certificate will be valid for, otherwise the default will be 3 months' time.

ex:
'/opt/EcoStruxureITGateway/<current Gateway install version>/jre/bin/keytool' -genkey -alias dcos -keyalg RSA -keystore dcos.keystore -keysize 2048 -validity 365

HWeser · ‎2025-05-23

Hello,

I'm struggeliung now with this instruction to setup a EcoStruxure IT Gateway for almost a week. But got is solved. Could you please review on the points below and advise?

The instruction always is refering to 2 keystore files (the "dcos.keystore" and "dcos.truststore"). No explaination why the RootCA should be loaded into a file "root.truststore". If you follow this instruction, the dialog ask you to create a container password. To allow the application to access the container, its password and filename need to get added to the "application-installer.yaml" file, same as the entries for the other 2 containers.
The instruction does not advise how to install intermediate certificates if your CA requires to do so. If you skip this step, you cant add the server certificate itself getting an error in "keytool error: java.lang.Exception: Failed to establish chain from reply".

My findings in short:

verify Java keystore content
stop Gateway service
stop Gateway database service
delete the dcos.keystore AND the dcos.truststore
generate a new dcos.keystore and provide the requested information as necessary. The values entered will be issued for the CSR with next step:
1. CN - FQDN of the server
2. OU - e.g. company name
3. O - e.g. department name
4. S - state
5. C - country
6. confirm the summary with "yes" or "no" to walk thru steps again.
Create CSR file and handover to your CA.
Your CA may provide you ideally with indidividual CRT files. If you receive PEM - that file can be opened with a plain texteditor and each section starting with "----BEGIN CERTIFICATE----" and ending with "----END CERTIFICATE----" can be saved in separate files. Usually the first section is the server cert, the second section an Intermediate and the last section the root certificate. Then rename files extension into CRT and check the content.
Upload the certificates provided by your CA to server.
Load the RootCA.CRT to your dcos.truststore and use alias "root". Because you deleted the dcos.truststore in step 3 you will be prompted to set a password. Check the password value in file "application-installer.yaml" and use same there.
If your CA requires an intermediate certificate to install, load the Intermediate.CRT to your dcos.truststore and use alias "intermediate". If your CA didn't provide, goto next step.
Load the Server.CRT into your dcos.keystore and use alias "dcos". (Here I couldn't get further with the following error message:

keytool error: java.lang.Exception: Failed to establish chain from reply

Solution to establish the chain:

Load the provided RootCA.crt into the "dcos.keystore" and use alias "root".
Load the provided Intermediate.crt into the "dcos.keystore" and use alias "intermediate".
Load the provided Server.crt into the "dcos.keystore" and use alias "dcos". You shouldn't get an error anymore.
Verify the content of "dcos.keystore". There should be now 3 entries separated with double lines of stars "*********" :
1. PrivateKeyEntry with key and 3 certificates ending section with separators ********
2. TrustedCertEntry "root" ending section with separators *********
3. TrustedCertEntry "intermediate" ending section with separators *********
Now you need to remove the TrustedCertEntries 2+3 from keystore by using command "keytool.exe -delete -alias root -keystore dcos.keystore" and "keytool.exe -delete -alias intermediate -keystore dcos.keystore".
(Note: This step was required otherwise the webserver is still seen with a certificate not verified issuer.)
One more time verify the content of "dcos.keystore". There should now only 1 PrivateKeyEntry with Key and 3 subrecords with certificates.
start Gateway database service
start Gateway service

Many thanks and happy about a response

wavecomas · ‎2025-06-21

All this is useless.

After gateway update our certs are replaced with self signed certs agan!!!!!

jchiglo · ‎2025-06-26

Our development team notices the same exact problem as what wavecoma's comment says. The linux procedure needs to be reviewed to reflect any new changes to the directory when there's a new gateway version.

IMDEASoftware · ‎2025-09-02

The certificate generated will not be trusted without a "Subject Alternate Name". For that you need to add one when generating the CSR (change fqdn.hostname and put your gateway IP instead of 10.1.2.3):

/opt/EcoStruxureITGateway/2.0.1.3/jre/bin/keytool -certreq -alias dcos -ext san=dns:fqdn.hostname,ip:10.1.2.3 -keystore dcos.keystore -file newGWcert.csr

wavecomas · ‎2025-12-02

How many years we need to wait our time for repeating pocedures after each gateway upgrade when all previous certs are gone ?? SHAME!!