How to add a custom certificate into OpsCenter

How to add a custom certificate into OpsCenter

Article: 100038205
Last Published: 2019-06-12
Ratings: 3 8
Product(s): NetBackup

Description

NOTE:  To incorporate this solution for versions 8.1.1 and later, please contact Technical Support (as the password is randomized).

In the interim, it would be simpler to import the certificate into the browser using the browser's tools.

 

 

 

 

 

 

 

 

1.)  Stop the OpsCenter WebServer service.

2.)  Rename or move the keystore file:
<install_path>\symantec\OpsCenter\gui\Security\keystore

3.)  Create a new keystore:
<install_path>\symantec\OpsCenter\server\jre\bin\keytool -genkey -alias opscenter -keyalg RSA -keysize 2048 -keystore <keystore> 
Example: 
C:\Program Files\symantec\OpsCenter\server\jre\bin\keytool -genkey -alias opscenter -keyalg RSA -keysize 2048 -keystore "C:\Program Files\symantec\OpsCenter\gui\Security\keystore"

Note:
-The password is opscenter.
-When prompted for your first and last name use the name of the OpsCenter server, not the name of the person creating the certificate.

4.)  Generate a certificate signing request: 
<install_path>\symantec\OpsCenter\server\jre\bin\keytool.exe -certreq -keysize 2048 -alias opscenter -keystore <keystore>
Example: 
C:\Program Files\symantec\OpsCenter\server\jre\bin\keytool.exe -certreq -keysize 2048 -alias opscenter -keystore "C:\Program Files\symantec\OpsCenter\gui\Security\keystore"

5.)  Using the text of above command go to certificate signing authority website and create and download the certificate and certificate chain file (In PEM format if available.  If PEM format is not available the certificates will need to be converted.  openssl can be used to convert certificate formats.) 

Note:
In this example the certificate and certificate chain files were downloaded and saved in Base-64 encoded X.509 format using the following file names:  certnew.cer and certnew.p7b

6.)  Create an intermediate certificate:
 a. Open the certnew.p7b file with certmgr (Crypto Shell Extentions).
 b. Expand the certificate on the left side.
 c. Right click on the intermediate listing on the right side, select All Tasks - Export
 d. In the Certificate Export Wizard select 'Base-64 encoded X.509 (.CER)' format
 e. Save it as intermediate.cer

7.)  Create a root certificate:
 a. Open the certnew.p7b file with certmgr (Crypto Shell Extentions).
 b. Expand the certificate on the left side.
 c. Right click on the root certificate authority listing on the right side, select All Tasks - Export
 d. In the Certificate Export Wizard select 'Base-64 encoded X.509 (.CER)' format
 e. Save it as root.cer

8.)  Import the root certificate into OpsCenter:
<install_path>\symantec\OpsCenter\server\jre\bin\keytool.exe -import -alias root -file "<path>\root.cer" -keystore <keystore>
Example: 
C:\Program Files\symantec\OpsCenter\server\jre\bin\keytool.exe -import -alias root -file "C:\Program Files\Symantec\OpsCenter\gui\Security\root.cer" -keystore "C:\Program
Files\symantec\OpsCenter\gui\Security\keystore"

Note:
-The password is opscenter. 
-When prompted to trust this certificate, type:  yes

9.)  Import the intermediate certificate:
<install_path>\symantec\OpsCenter\server\jre\bin\keytool.exe -import -alias intermediate -file <path>\intermediate.cer -keystore <keystore>
Example:
C:\Program Files\symantec\OpsCenter\server\jre\bin\keytool.exe -import -alias intermediate -file "C:\Program Files\symantec\OpsCenter\gui\Security\intermediate.cer" -keystore "C:\Program Files\symantec\OpsCenter\gui\Security\keystore"

Note:
-The password is opscenter. 

10.)  Import the certnew.cer certificate:
<install_path>\symantec\OpsCenter\server\jre\bin\keytool.exe -import -alias opscenter -file <path>\certificate.cer -keystore <keystore>
Example:
C:\Program Files\symantec\OpsCenter\server\jre\bin\keytool.exe -import -alias opscenter -file "C:\Program Files\symantec\OpsCenter\gui\Security\certificate.cer" -keystore "C:\Program Files\symantec\OpsCenter\gui\Security\keystore"

Notes:

- The password is opscenter. 

11.)  To verify the keystore now contains the new certificates:
<install_path>\symantec\OpsCenter\server\jre\bin\keytool.exe -list -keystore <keystore>
Example:
C:\Program Files\symantec\OpsCenter\server\jre\bin\keytool.exe -list -keystore "C:\Program Files\symantec\OpsCenter\gui\Security\keystore"

Note:
-The password is opscenter. 

12.)  Start the OpsCenter WebServer service.

13.)  If it is not already present, import the root certificate signing authority certificate into Internet Explorer.

14.)  Close Internet Explorer. 

15.)  Open Internet Explorer.

16.)  Log into OpsCenter and verify that certificate warning message is no longer displayed.

Note: 
-You need to connect to OpsCenter using the same name that you specified in step 3. 
Example:  If the name used in step 3 was opscenterserver.domain.com, you will need to use the address:  https://opscenterserver.domain.com/opscenter in Internet Explorer.  The address:  https://opscenterserver/opscenter will still show the certificate error. 

Was this content helpful?