Version: 6.10.0

Install CA certificate

Before starting, ensure that your CA-signed certificate has the correct entries for the Common Name and the SAN (Subject Alternative Name) extension, following the guidance provided earlier.

Steps for the MC server:

  1. Copy the CA-signed cert (e.g. CA_MC_cert.pem) onto the Portal server, place it in /opt/waratek/waratek-mc-<version-build>, and change into that directory.
     cd /opt/waratek/waratek-mc-<version-build>
  2. Shut down the Portal.
     systemctl stop management-console
  3. Back up (move) the existing keystore.
     mv ./controller.keystore.p12 ./controller.keystore.p12.original2
  4. Create a new PKCS12 keystore with the same default name, using your CA-signed cert and the private key that was generated when you created the CSR (certificate signing request).
     openssl pkcs12 -export -inkey ./CAcert_key.pem -in ./CAcert.pem -out ./controller.keystore.p12
  5. Change the alias of the private key entry. It defaults to "1", but the expected default value is "controller", and this example does not override that default.
     keytool -changealias -alias 1 -destalias controller -keystore ./controller.keystore.p12
  6. Change the keystore ownership.
     chown management-console:management-console ./controller.keystore.p12
  7. Restart the Portal.
     systemctl start management-console
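
A pre-flight check that can be run before step 4 builds the keystore, given here as an added example and not part of the Waratek documentation: it confirms that the private key belongs to the certificate, that the certificate lists the expected host name in its SAN extension, and that it has not expired. The function names, the host name mc.example.test and the throwaway self-signed certificate are constructed for illustration; only openssl is required.

```shell
#!/bin/sh
# Added example: pre-flight checks before building controller.keystore.p12.
# Function names, mc.example.test and the throwaway certificate are constructed.

# 0 if the private key ($1) and the certificate ($2) hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate ($1) lists DNS name ($2) in its subjectAltName extension.
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "DNS:$2"
}

# 0 if the certificate ($1) is still valid $2 seconds from now (default 0).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Run all checks; print each failure and return the number of failures.
preflight() {  # $1 = key PEM, $2 = cert PEM, $3 = host name the agents connect to
    fails=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match cert"; fails=$((fails+1)); }
    cert_has_san "$2" "$3"     || { echo "FAIL: SAN lacks DNS:$3"; fails=$((fails+1)); }
    cert_not_expired "$2"      || { echo "FAIL: cert has expired"; fails=$((fails+1)); }
    return "$fails"
}

# Constructed sample: a self-signed cert standing in for the CA-signed one.
make_sample() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mc.example.test" \
        -addext "subjectAltName=DNS:mc.example.test" \
        -keyout "$1/CAcert_key.pem" -out "$1/CAcert.pem" >/dev/null 2>&1
}

demo=$(mktemp -d)
make_sample "$demo" &&
    preflight "$demo/CAcert_key.pem" "$demo/CAcert.pem" mc.example.test &&
    echo "OK: key, SAN and validity checks passed"
rm -rf "$demo"
```

Against the real files, call `preflight ./CAcert_key.pem ./CAcert.pem <MC host name>`; a non-zero return means the keystore should not be built from that pair.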

Steps for the Waratek Agent:

  • Using JDK Keystore

    Import the new CA-signed cert, CA_MC_cert.pem, into the Java keystore and any other application-appropriate keystore(s) using the keytool executable under the version of Java that your application uses.

    # The below example assumes Jrockit as the Java vendor and not HotSpot, J9, etc.
    /jrockit_jdk6/jre/bin/keytool -import -alias WaratekMCCertSigned -trustcacerts -file CA_MC_cert.pem -keystore $JAVA_HOME/jre/lib/security/cacerts

Ideally, you should place the root/CA certificate and any chained/Issuer certificate(s) into the Java keystore and any other application-appropriate keystore(s). Alternatively, you can import the actual end-entity certificate for the MC.

The default password for the cacerts keystore is changeit.

  • Using Waratek Keystore

    Import the new CA-signed cert, CA_MC_cert.pem, into the Waratek custom keystore. The below example assumes that there is no other certificate entry with the alias WaratekMCCertSigned.

    # The below example assumes Jrockit as the Java vendor and not HotSpot, J9, etc.
    /jrockit_jdk6/jre/bin/keytool -import -alias WaratekMCCertSigned -file CA_MC_cert.pem -keystore war_keystore.jks

You have successfully reached Milestone Progress Checkpoint #4