Overview
To replace the self-signed SSL certificate used by the Peer Management Center Web Service, you need to complete three tasks:
- Obtain your own certificate (with private keys) from an internal or public Certificate Authority.
- Create a Java-specific keystore containing the PFX-based certificate bundle.
- Replace the web service's default keystore with the new custom one.
See the Step-by-step guide section for detailed instructions.
This applies to PeerGFS v5.1 and earlier. If you are using a later version of PeerGFS, see Replace TLS certificates.
Step-by-step guide
Task 1. Obtain your own certificate.
The certificate and keys should be bundled in a PFX file. However, a description of the process for obtaining a certificate is outside the scope of this document.
Task 2. Create a Java keystore with your own certificates.
You will use the Java keytool application included with your Peer Management Center installation.
1. View the contents of the PFX file by running the following command:
   <PMC_INSTALLATION_FOLDER>\jre\bin\keytool.exe -list -v -keystore <PFX PATH> -storetype pkcs12
   where:
   <PMC_INSTALLATION_FOLDER> represents the root installation directory of the Peer Management Center (for example, C:\Program Files\Peer Software\Peer Management Center\).
   <PFX PATH> represents the path to your PFX file.
   Note: If the PFX file is configured with a password, the keytool application will prompt you to enter it.
2. Take note of the Alias name in the output of Step 1.
3. Create a new Java-specific keystore with your PFX file by running the following command:
   <PMC_INSTALLATION_FOLDER>\jre\bin\keytool.exe -importkeystore -deststorepass <DEST STORE PW> -destkeypass <DEST KEY PW> -destkeystore <KEYSTORE PATH> -srckeystore <PFX PATH> -srcstoretype PKCS12 -srcalias <SRC CERT ALIAS> -destalias pmcweb
   where:
   <PMC_INSTALLATION_FOLDER> is the root installation directory of the Peer Management Center (for example, C:\Program Files\Peer Software\Peer Management Center\).
   <DEST STORE PW> is the password for the output Java-specific keystore.
   <DEST KEY PW> is the password protecting the private key in the output Java-specific keystore.
   <KEYSTORE PATH> is the path to the output Java-specific keystore. We recommend naming the keystore file pmcweb.ks or something similar. Do not use the default name web.ks, because the installer will overwrite it.
   <PFX PATH> is the path to your PFX file.
   <SRC CERT ALIAS> is the certificate alias from Step 2.
   Note: If the PFX file is configured with a password, the keytool application will prompt you to enter it.
4. Copy the resulting keystore file to <PMC_INSTALLATION_FOLDER>\Hub\keys in preparation for the next task.
Task 3. Replace the web service's default keystore.
1. Navigate to the following folder: <PMC_INSTALLATION_FOLDER>\Hub\web-configuration
2. Open the config.ini file in a text editor.
3. In the config.ini file, find:
   org.eclipse.equinox.http.jetty.ssl.keystore=
   This should point to the name of the Java-specific keystore file from Step 3 in the preceding task. We recommend using the name pmcweb.ks. Do not use the default name web.ks, because the installer will overwrite it.
4. Set it equal to:
   keys/pmcweb.ks
5. In this config.ini file, find:
   org.eclipse.equinox.http.jetty.ssl.keypassword=
   org.eclipse.equinox.http.jetty.ssl.password=
6. Set both lines equal to the <DEST KEY PW> from Step 3 in Task 1.
7. Restart the Peer Management Center Web Service.
8. Test accessing the web interface via HTTPS.
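A post-change check for Tasks 2 and 3, added here as an example (it is not Peer Software's code): it confirms that config.ini points at the custom keystore rather than web.ks, that both password lines are set, and that the pmcweb alias holds a private key. The function name, its parameters and the PMC_KS_PW environment variable are assumptions, as are the bundled keytool accepting the -storepass:env form and ssl.password being the value that opens the keystore.

```powershell
# Added example: post-change check for Tasks 2 and 3. Test-PmcWebTls and its
# parameter names are hypothetical; paths and config keys come from the article.
function Test-PmcWebTls {
    param(
        [Parameter(Mandatory)] [string] $PmcRoot,   # <PMC_INSTALLATION_FOLDER>
        [string] $KeystoreName = 'pmcweb.ks',
        [string] $Alias = 'pmcweb'
    )
    $prefix   = 'org.eclipse.equinox.http.jetty.ssl.'
    $iniPath  = Join-Path $PmcRoot 'Hub\web-configuration\config.ini'
    $ksPath   = Join-Path $PmcRoot "Hub\keys\$KeystoreName"
    $keytool  = Join-Path $PmcRoot 'jre\bin\keytool.exe'
    $problems = @()

    # Collect the SSL settings from config.ini (key=value lines).
    $cfg = @{}
    foreach ($line in Get-Content -LiteralPath $iniPath) {
        if ($line -match '^\s*org\.eclipse\.equinox\.http\.jetty\.ssl\.(\w+)\s*=\s*(.*?)\s*$') {
            $cfg[$Matches[1]] = $Matches[2]
        }
    }

    $ks = $cfg['keystore']
    if ($ks -match '(^|[\\/])web\.ks$') {
        $problems += "keystore is '$ks'; the installer overwrites web.ks"
    } elseif ($ks -ne "keys/$KeystoreName") {
        $problems += "keystore is '$ks', expected 'keys/$KeystoreName'"
    }
    foreach ($name in 'keypassword', 'password') {
        if (-not $cfg[$name]) { $problems += "$prefix$name is not set" }
    }

    if (-not (Test-Path -LiteralPath $ksPath)) {
        $problems += "keystore file not found: $ksPath"
    } elseif ($cfg['password']) {
        # Assumption: ssl.password is the value that opens the keystore.
        # -storepass:env keeps the password off the keytool command line.
        $env:PMC_KS_PW = $cfg['password']
        try {
            $out = (& $keytool -list -keystore $ksPath '-storepass:env' PMC_KS_PW -alias $Alias 2>&1) -join "`n"
            if ($LASTEXITCODE -ne 0) { $problems += "keytool cannot read alias '$Alias': $out" }
            elseif ($out -notmatch 'PrivateKeyEntry') { $problems += "alias '$Alias' holds no private key" }
        } finally { Remove-Item Env:PMC_KS_PW }
    }
    return $problems   # nothing is returned when every check passes
}

# Usage (path is the article's example install folder):
# Test-PmcWebTls -PmcRoot 'C:\Program Files\Peer Software\Peer Management Center'
```

Because config.ini holds both passwords in clear text, run the check from an administrative session and keep read access to the web-configuration and keys folders limited to administrators and the service account.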