Avamar: How to replace the Apache Web Server SHA-1 signed SSL certificate
Summary: This article explains how to replace the Apache Web Server SHA-1 signed SSL certificate on an Avamar, NVE, or AER node.
Symptoms
When attempting to connect to the NetWorker Virtual Edition (NVE), Avamar server, or Avamar Extended Retention (AER) node using a web browser, the browser reports a network connectivity error and refuses to connect even though the Apache Web Server on the NVE, Avamar server, or AER node is operating normally.
Cause
Support for SSL certificates signed using SHA-1 has been terminated by the major web browser vendors, effective January 01, 2017. Certain default NVE, Avamar, and AER certificates are signed using SHA-1.
Resolution
1. Log in to the Avamar Utility Node or single-node server as the admin user, then run the following command to switch to root:
su -
Note: The trailing - is important!

2. Change directory to the Apache configuration directory:
cd /etc/apache2

3. Confirm that the current certificate is signed using SHA-1:
openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
Sample output:
root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
Note: If the signature algorithm is not reported as SHA-1, do not proceed with this procedure.

4. Back up the existing certificate:
cp ssl.crt/server.crt ssl.crt/server.crt.bak.`date -I`

5. Generate a certificate signing request from the existing certificate:
openssl x509 -in ssl.crt/server.crt -signkey ssl.key/server.key -x509toreq -out ssl.csr/server.csr
Sample output:
root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -signkey ssl.key/server.key -x509toreq -out ssl.csr/server.csr
Getting request Private Key
Generating certificate request

6. Check whether the certificate is self-signed or signed by a Certificate Authority (CA signed):
[ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"
Note: This command should be entered on a single line. All punctuation is important. It is recommended to copy and paste.
Sample output for a CA-signed certificate:
root@avamar:/etc/apache2/#: [ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"
CA Signed
Sample output for a self-signed certificate:
root@avamar:/etc/apache2/#: [ `openssl x509 -in ssl.crt/server.crt -text -noout | grep "Subject: \|Issuer: " | sed 's/.*:\(.*\)/\1/' | uniq | wc -l` -eq "1" ] && echo "Self-signed" || echo "CA Signed"
Self-signed

7. Generate and install the replacement certificate:
a. For CA-signed certificates:
- Provide a copy of the certificate signing request generated in step 5 to the Certificate Authority and request that they generate a replacement certificate using a strong signature algorithm. The certificate signing request is located at "/etc/apache2/ssl.csr/server.csr".
- Place the signed certificate provided by the CA on the Avamar server in "/etc/apache2/ssl.crt/server.crt".
- Skip step 7b and continue the procedure at step 8.
Note: If the CA provided one or more updated certificate chain files along with the new certificate, refer to Appendix A for instructions on how to install them.
b. For self-signed certificates:
- Generate and install a replacement certificate:
openssl x509 -sha256 -req -signkey ssl.key/server.key -in ssl.csr/server.csr -out ssl.crt/server.crt -days 1825
Sample output:
root@avamar:/etc/apache2/#: openssl x509 -sha256 -req -signkey ssl.key/server.key -in ssl.csr/server.csr -out ssl.crt/server.crt -days 1825
Signature ok
subject=/C=US/ST=CA/L=Irvine/O=Dell EMC/OU=Avamar/CN=avamar.asl.lab.emc.com

8. Confirm that the new certificate is signed using SHA-256 or another strong signature algorithm:
openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
Sample output:
root@avamar:/etc/apache2/#: openssl x509 -in ssl.crt/server.crt -text -noout | grep "Signature"
Signature Algorithm: sha256WithRSAEncryption
Signature Algorithm: sha256WithRSAEncryption

9. Restart the Apache Web Server:
website restart
Sample output:
root@avamar:/etc/apache2/#: website restart
===Shutting down website
Shutting down httpd2 (waiting for all children to terminate)    done
===Starting website
Starting httpd2 (prefork)

10. Procedure complete.
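Added example, not part of the Dell article: a Python audit of server.crt that walks the X.509 DER structure directly instead of parsing openssl's text output. It reports the outer signatureAlgorithm OID (the value steps 3 and 8 read with grep) and whether the DER-encoded issuer and subject Names are byte-identical, which is the same issuer-equals-subject test step 6 applies to the text rendering. The certificates inspected here are constructed skeletons built by sample_cert() with placeholder validity, key and signature fields, not real Avamar certificates; pem_to_der() is the entry point for a real /etc/apache2/ssl.crt/server.crt.

```python
import base64, re

SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
NAMES = {SHA1_RSA: "sha1WithRSAEncryption", SHA256_RSA: "sha256WithRSAEncryption"}
SHA1_DER, SHA256_DER = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")

def _tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for byte in value[1:]:  # base-128 arcs; a set high bit means another byte follows
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))
def pem_to_der(pem):  # strip the -----BEGIN/END----- armour, decode the base64 body
    return base64.b64decode("".join(re.sub(r"-----[^-]+-----", "", pem).split()))
def inspect_cert(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, pos = _tlv(cert, 0)
    _, sig_alg, _ = _tlv(cert, pos)
    _, oid, _ = _tlv(sig_alg, 0)
    tag, _, nxt = _tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0        # optional [0] EXPLICIT version
    _, _, pos = _tlv(tbs, pos)             # serialNumber
    _, _, pos = _tlv(tbs, pos)             # inner signature AlgorithmIdentifier
    _, issuer, pos = _tlv(tbs, pos)
    _, _, pos = _tlv(tbs, pos)             # validity
    _, subject, _ = _tlv(tbs, pos)
    dotted = _oid(oid)
    return {"sig_alg": NAMES.get(dotted, dotted), "weak": dotted == SHA1_RSA,
            "self_signed": issuer == subject}  # byte-identical issuer and subject Names
def _der(tag, body):  # minimal DER encoder (short-form lengths only), for the samples
    return bytes([tag, len(body)]) + body
def sample_cert(sig_oid_der, issuer_cn, subject_cn):
    """Constructed skeleton: real field order; placeholder validity, key and signature."""
    def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    alg = _der(0x30, _der(0x06, sig_oid_der) + b"\x05\x00")
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + name(issuer_cn) + _der(0x30, b"") + name(subject_cn) + _der(0x30, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))
```

On the Avamar node, inspect_cert(pem_to_der(open("/etc/apache2/ssl.crt/server.crt").read())) audits the live certificate; weak=True is the condition steps 3 and 6 establish by hand.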
Additional Information
Appendix A - Installing one or more updated certificate chain files
1. Create a copy of the existing certificate chain:
cp /etc/apache2/ssl.crt/ca.crt /etc/apache2/ssl.crt/ca.crt.bak.`date -I`
2. Install the updated certificate chain:
- If the CA has provided separate intermediate certificates, combine them into a single chain file:
cat cert1 cert2 cert3 cert4 > /etc/apache2/ssl.crt/ca.crt
- Otherwise, place the single chain file provided by the CA on the Avamar server in "/etc/apache2/ssl.crt/ca.crt".