After you use the VMware Validated Design Certificate Generation Utility (CertGenVVD) to generate certificates for the SDDC management components, replace the certificate on vSphere Data Protection if it is about to expire or is compromised.

Procedure

  1. Log in to the vSphere Data Protection appliance.
    1. Open an SSH connection to the virtual machine sfo01w01vdp01.sfo01.rainpole.local.
    2. Log in using the following credentials.

      Setting      Value
      User name    root
      Password     vdp_root_password

  2. Stop the vSphere Data Protection Web services by running the following command.
    emwebapp.sh --stop

    Note: If you see errors related to the database server, ignore them.

  3. Delete the tomcat alias from the Java keystore by running the following command.
    /usr/java/latest/bin/keytool -delete -alias tomcat -storepass changeit
  4. Copy the .keystore file generated by the CertGenVVD tool to the /tmp folder on the vSphere Data Protection virtual appliance.

    You can use FileZilla or WinSCP.

  5. Run the following command to insert the new certificate chain into the keystore.
    /usr/java/latest/bin/keytool -importkeystore -srckeystore /tmp/.keystore -destkeystore /root/.keystore -srcstorepass changeit -deststorepass changeit
  6. Run the following command and verify in its output that a certificate entry with the tomcat alias exists in the keystore.
    /usr/java/latest/bin/keytool -list -v -keystore /root/.keystore -storepass changeit -keypass changeit
  7. If the certificate entry exists in the keystore, run the addFingerprint.sh script to update the vSphere Data Protection server thumbprint.
    /usr/local/avamar/bin/addFingerprint.sh
  8. Start the vSphere Data Protection Web services by running the following command.
    emwebapp.sh --start
  9. Run the following command to remove the /tmp/.keystore file.
    rm /tmp/.keystore
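The procedure above, wrapped in a script as an added example (not part of the VMware documentation): it backs up /root/.keystore before the import, and runs addFingerprint.sh and the web service restart only when the tomcat PrivateKeyEntry is really present afterwards, otherwise it restores the backup. The keytool output parsing and the embedded sample listing are constructed for this example; paths, passwords and commands are the ones the steps above use.

```shell
#!/bin/sh
# Added example (not from the VMware docs): the steps above with a backup and a post-import check.
KEYTOOL=/usr/java/latest/bin/keytool
DEST=/root/.keystore
SRC=/tmp/.keystore
STOREPASS=changeit
# Read a "keytool -list -v" listing on stdin; succeed only if $1 is a PrivateKeyEntry alias.
has_private_key_alias() {
  awk -v want="$1" '
    /^Alias name: / { name = substr($0, 13) }
    /^Entry type: PrivateKeyEntry/ && name == want { found = 1 }
    END { if (found) exit 0; exit 1 }'
}
# Read the same listing; print the certificate chain length recorded for alias $1 (0 if absent).
chain_length_for_alias() {
  awk -v want="$1" '
    /^Alias name: / { name = substr($0, 13) }
    /^Certificate chain length: / && name == want { len = $4 }
    END { print len + 0 }'
}
replace_vdp_certificate() {
  [ -f "$SRC" ] || { echo "$SRC not found; copy the CertGenVVD keystore there first" >&2; return 1; }
  backup="$DEST.bak.$(date +%Y%m%d%H%M%S)"
  cp -p "$DEST" "$backup"                         # keep the old keystore for rollback
  emwebapp.sh --stop || true                       # database server errors can be ignored
  "$KEYTOOL" -delete -alias tomcat -keystore "$DEST" -storepass "$STOREPASS" 2>/dev/null || true
  "$KEYTOOL" -importkeystore -srckeystore "$SRC" -destkeystore "$DEST" \
    -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS" -noprompt
  listing=$("$KEYTOOL" -list -v -keystore "$DEST" -storepass "$STOREPASS")
  if printf '%s\n' "$listing" | has_private_key_alias tomcat; then
    echo "tomcat chain length: $(printf '%s\n' "$listing" | chain_length_for_alias tomcat)"
    /usr/local/avamar/bin/addFingerprint.sh      # update the VDP server thumbprint
    emwebapp.sh --start
    rm -f "$SRC"
  else
    echo "tomcat alias missing after import; restoring $backup" >&2
    cp -p "$backup" "$DEST"
    emwebapp.sh --start
    return 1
  fi
}
# Constructed sample of keytool output, used by the self-check when run without --apply.
SAMPLE_LISTING='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 3
Alias name: ca-root
Entry type: trustedCertEntry'
if [ "${1:-}" = "--apply" ]; then replace_vdp_certificate
else printf '%s\n' "$SAMPLE_LISTING" | has_private_key_alias tomcat && echo "self-check: tomcat PrivateKeyEntry found"; fi
```

Run it without arguments to exercise the parsing against the sample listing; run it as root on the appliance with --apply to perform the replacement.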