How to renew an expired SSL certificate for Admin Console or UMP

Document ID : KB000121612
Last Modified Date : 28/11/2018
Introduction:
After implementing HTTPS in Admin Console or UMP by following the documentation here, an SSL certificate will eventually expire and need to be renewed.  

This article describes two methods for renewing an existing SSL certificate associated with a wasp probe (Admin Console or UMP).

 
Background:
It is important to be familiar with using the Java keytool utility to generate certificate requests and import certificates.  This process is documented here:

https://docops.ca.com/ca-unified-infrastructure-management/9-0-2/en/installing/optional-post-installation-tasks/configure-https-in-admin-console-or-ump

During this process, when initially setting up SSL for UMP or Admin Console, a callback named ssl_reinitialize_keystore is run on the wasp probe to set the initial password for the keystore. It is critical that you remember or record this password for future certificate renewals.  If you do not remember it, you will need to start the entire process from scratch, as if you were implementing a new certificate for the first time.
Instructions:
If you remember/recorded the keystore password:

If you remember/recorded the keystore password from the initial setup, then renewing the certificate is a simple process.

First, you should have received an updated .CER or .CRT file from your Certificate Authority in response to your renewal request.  It is assumed that you issued a request for a renewal of the existing certificate which you've been using for UMP/Admin Console.

Place this file into the appropriate location under (INSTALL LOCATION)/probes/service/wasp/conf/ on the UMP/Admin Console server(s).

Next, you will use the Java Keytool to replace the certificate:
 
<UMP or UIM server_installation>/jre/<jre_version>/bin/keytool  -import  -trustcacerts  -alias wasp  -file <your_domain>.crt  -keystore <UMP or UIM Server_installation>Nimsoft/probes/service/wasp/conf/wasp.keystore

You will be prompted to overwrite the existing alias - say "yes" to the prompt.

You will need to provide the keystore password at this point.

Once this is done you can simply restart the wasp probe and the new certificate will be in place.
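The renewal steps above as one script, with a keystore backup and a before/after check that the wasp alias still holds the private key and that its expiry date changed. This is an added example, not vendor code: the function names and the KEYTOOL and KEYSTORE variables are placeholders, the parsing assumes keytool's English output, and the password is read once and handed to keytool through `-storepass:env` so it stays off the command line.

```shell
# Added example, not vendor code. KEYTOOL and KEYSTORE are placeholders.
KEYTOOL="${KEYTOOL:-keytool}"
KEYSTORE="${KEYSTORE:-wasp.keystore}"
# stdin: `keytool -list -v -alias wasp` output (English locale).
# stdout: "<entry type>|<not-after date of the first certificate in the chain>"
wasp_summary() {
  awk '/^Entry type: /          { type = substr($0, 13) }
       /^Valid from: / && !seen { sub(/^.* until: /, ""); notafter = $0; seen = 1 }
       END { if (type == "" || notafter == "") exit 1; print type "|" notafter }'
}

# Succeeds only if the alias still holds the private key and the expiry moved.
check_renewal() {   # $1 = summary before import, $2 = summary after
  case "$2" in PrivateKeyEntry\|*) ;; *) return 1 ;; esac
  [ "${1#*|}" != "${2#*|}" ]
}

list_wasp() {
  "$KEYTOOL" -J-Duser.language=en -list -v -alias wasp \
    -keystore "$KEYSTORE" -storepass:env KS_PASS
}

renew_wasp_cert() {   # usage: renew_wasp_cert <your_domain>.crt
  printf 'Keystore password: ' >&2
  stty -echo; IFS= read -r KS_PASS; stty echo; echo >&2
  export KS_PASS      # passed via the environment, so it never appears in argv
  before=$(list_wasp | wasp_summary) ||
    { echo "cannot read alias wasp; check the password" >&2; return 1; }
  cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)" || return 1
  "$KEYTOOL" -import -trustcacerts -alias wasp -file "$1" \
    -keystore "$KEYSTORE" -storepass:env KS_PASS || return 1
  after=$(list_wasp | wasp_summary); unset KS_PASS
  check_renewal "$before" "$after" ||
    { echo "renewal not applied; restore the .bak copy" >&2; return 1; }
  echo "alias wasp: ${before#*|} -> ${after#*|}; restart the wasp probe"
}

# Constructed sample of the listing, for trying wasp_summary offline.
sample_listing() {
  cat <<'EOF'
Alias name: wasp
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Valid from: Tue Nov 28 00:00:00 UTC 2017 until: Wed Nov 28 00:00:00 UTC 2018
Certificate[2]:
Valid from: Fri Jan 01 00:00:00 UTC 2016 until: Thu Jan 01 00:00:00 UTC 2026
EOF
}
```

Source the file, set KEYTOOL and KEYSTORE to the paths used on the UMP/Admin Console server, and call `renew_wasp_cert` with the renewed certificate file.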

If you do not remember/did not record the initial keystore password:

If you did not record or remember the password from the initial certificate creation, the only option is to proceed as if you are generating a brand new request.  That is to say, you must reinitialize the keystore, generate a new Certificate Signing Request, request a new certificate, and install it based on the documentation linked above.