Replace HTTPS certificate
The HTTPS certificate used by nevisAdmin 3 is self-signed and not trusted by browsers. As a result, the browser shows a certificate warning when you access the nevisAdmin GUI. This section explains how to replace the certificate.
- In the following steps, we assume that the keytool can be found via PATH. If this is not the case, you can use /opt/adnjdk18/bin/keytool instead.
- This is a non-trivial task. The exact steps depend on your requirements. Not all sections may be applicable.
Stop nevisAdmin.
Make a backup of the nevisAdmin instance directory.
Delete the existing certificate from the container keystore:
keytool -delete -keystore /var/opt/adnglassfish/nevisadmin/nevisadmin/config/keystore.jks -alias s1as
Enter the keystore password to delete the certificate. The default password is: "changeit". See the following section: Change Keystore Password, on how to change the password later on.
Generate a new private key using the fully qualified hostname of nevisAdmin (as visible to the browser):
keytool -genkey -keystore /var/opt/adnglassfish/nevisadmin/nevisadmin/config/keystore.jks -alias s1as -keyalg rsa -validity 9999 -dname "CN=<hostname>, O=<your company>, C=CH" -ext san=dns:<hostname>
Use the same password for the keystore and the alias.
Now that you have created a new key pair, you can export a certificate request:
keytool -keystore /var/opt/adnglassfish/nevisadmin/nevisadmin/config/keystore.jks -certreq -alias s1as -keyalg rsa -ext san=dns:<hostname> -file /tmp/request.csr
Sign the certificate request with your CA. In this example, we assume your CA is managed by nevisKeybox:
neviskeybox sign -ca myCA -file /tmp/request.csr
Add the CA certificate to the container keystore:
keytool -import -keystore /var/opt/adnglassfish/nevisadmin/nevisadmin/config/keystore.jks -file /var/opt/neviskeybox/default/myCA/ca_cert.pem -alias myCA
Import the new HTTPS certificate into the glassfish keystore:
keytool -import -keystore /var/opt/adnglassfish/nevisadmin/nevisadmin/config/keystore.jks -file /tmp/new_cert.pem -alias s1as
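
A check to run after the last import, added here as an example and not part of the nevisAdmin documentation: it reads `keytool -list -v` output for the s1as alias and confirms the entry still holds the private key, is no longer self-signed, and carries the hostname in its SAN. The names `check_s1as` and `sample_listing`, the hostname admin.example.com and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the nevisAdmin documentation).
# Reads `keytool -list -v` output for alias s1as on stdin; assumes keytool's
# English output labels. check_s1as and sample_listing are hypothetical names.
# Real use, with the keystore path from the steps above:
#   keytool -list -v -alias s1as -keystore \
#     /var/opt/adnglassfish/nevisadmin/nevisadmin/config/keystore.jks |
#     check_s1as <hostname>

check_s1as() {   # $1 = hostname as visible to the browser
    awk -v host="$1" '
        /^Entry type:/ && !type      { type = $3 }
        # The first Owner/Issuer pair belongs to Certificate[1], the server cert.
        /^Owner:/      && !owner     { owner = substr($0, 8) }
        /^Issuer:/     && !issuer    { issuer = substr($0, 9) }
        /DNSName:/     && $2 == host { san = 1 }
        END {
            if (type != "PrivateKeyEntry") {
                print "FAIL: s1as is not a PrivateKeyEntry"; exit 1 }
            if (owner == issuer) {
                print "FAIL: s1as is still self-signed (Owner equals Issuer)"; exit 1 }
            if (!san) {
                print "FAIL: no SAN DNSName equals " host; exit 1 }
            print "OK: s1as not self-signed, SAN matches " host
        }'
}

# Constructed sample in the shape keytool prints; not output from a real system.
sample_listing() {   # $1 = issuer DN, $2 = SAN DNS name
    cat <<EOF
Alias name: s1as
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=admin.example.com, O=Example, C=CH
Issuer: $1
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: $2
]
EOF
}

sample_listing "CN=myCA, O=Example, C=CH" admin.example.com |
    check_s1as admin.example.com
```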