NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Linux)

Summary: These are the general steps to replace the default NetWorker self-signed certificate with a Certificate Authority (CA)-signed certificate for the "AUTHC" and NetWorker Web UI (NWUI) services. ...


Instructions

These instructions describe how to replace the default NetWorker self-signed certificate with a CA-signed certificate for the NetWorker authentication (AUTHC) and NetWorker Web UI (NWUI) services on the NetWorker server.

There is no naming requirement for the files, but each file should use the extension that matches its type. The command examples shown are for Linux. For Windows instructions, see:
NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Windows)
 

NOTE: If the environment is running on a NetWorker Virtual Edition (NVE) server, use the full path to the NetWorker Runtime Environment Java keytool utility (/opt/nre/java/latest/bin/keytool) instead of the default Java keytool utility (/usr/bin/keytool).


Certificate files involved:

<server>.csr: NetWorker server certificate signing request

<server>.key: NetWorker server private key

<server>.crt: NetWorker server CA-signed certificate

<CA>.crt: CA root certificate

<ICA>.crt: CA intermediate certificate (optional if it is available)

Keystores involved:

authc.keystore

authc.truststore

cacerts

nwui.keystore

Generate a private key and certificate signing request (CSR) file to provide to your CA.

  • Use the OpenSSL command-line utility to create the NetWorker server private key file (<server>.key) and CSR file (<server>.csr).

    # openssl req -new -newkey rsa:4096 -nodes -out /tmp/<server>.csr -keyout /tmp/<server>.key
  • Send the CSR file (<server>.csr) to the CA to generate the CA-signed certificate file (<server>.crt). The CA should provide the CA-signed certificate file (<server>.crt), the root certificate (<CA>.crt), and any intermediate CA certificates (<ICA>.crt).

Preverification steps:

Ensure that you have the following:

  • The server.crt file contains a PEM certificate whose first line is -----BEGIN CERTIFICATE----- and whose last line is -----END CERTIFICATE-----
  • The key file starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
  • Confirm that all certificates are valid PEM format files by running openssl x509 -in <cert> -text -noout.
  • Verify the above output to be sure that it is the right certificate.
  • Check the output of the following two commands:
    openssl rsa -pubout -in server.key
    openssl x509 -pubkey -noout -in server.crt
    The output of these two commands must match.
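
The checks above can be scripted so that a mismatched key or an expired certificate is caught before any keystore is modified. This is an added example, not part of the original article; the function names are hypothetical, and the expiry check and the throwaway self-signed sample pair go beyond the listed steps.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): scripted pre-verification.
# Function names are hypothetical; only the openssl CLI is required.

# True if the file parses as a PEM X.509 certificate.
is_pem_cert() { openssl x509 -in "$1" -noout 2>/dev/null; }

# True if the certificate has not yet expired.
not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# True if the private key and the certificate carry the same public key.
# "openssl pkey" reads both "BEGIN RSA PRIVATE KEY" and "BEGIN PRIVATE KEY"
# files; the empty -passin makes an encrypted key fail instead of prompting.
key_matches_cert() {
    local kpub cpub
    kpub=$(openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Runs every check, reports the first failure, returns 0 only if all pass.
preverify() {
    local key="$1" cert="$2"
    is_pem_cert "$cert" || { echo "FAIL: $cert is not a PEM certificate"; return 1; }
    not_expired "$cert" || { echo "FAIL: $cert has expired"; return 1; }
    key_matches_cert "$key" "$cert" || { echo "FAIL: $key does not match $cert"; return 1; }
    echo "OK: $cert is valid PEM, unexpired, and matches $key"
}

# Constructed sample input: a throwaway self-signed pair for trying the checks.
# usage: make_sample_pair <dir> <name>
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# With two arguments, check real files: ./preverify.sh "$key" "$cert"
if [ "$#" -eq 2 ]; then preverify "$1" "$2"; fi
```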

To simplify the commands below, set the following variables:

java_bin=/opt/nre/java/latest/bin
nsr=<path to /nsr partition> # In case of NVE for instance this is /data01/nsr
cert=<path to server crt file>
key=<path to server key file>
RCAcert=<path to Root CA file>
ICAcert=<path to intermediate CA crt file>
hostname=$(hostname) # Used in the .p12 file names in the commands below

If there is more than one intermediate certificate, create a variable for each certificate: ICA1, ICA2, and so on.

You must know the correct NetWorker keystore passwords. These passwords are set during AUTHC and NWUI configuration. If you are not sure, see:

You can set the keystore passwords directly in variables (option 1) or read them from a file to keep the password hidden (option 2):
Example for option 1:

authc_storepass='P4ssw0rd!'
nwui_storepass='Password1!'

Example for option 2:

authc_storepass=$(cat authc_storepass_file.txt)
nwui_storepass=$(cat nwui_storepass_file.txt)

Before you start:

Make a backup copy of the Java cacerts file. 

cp -p /opt/nre/java/latest/lib/security/cacerts /tmp/cacerts_$(date -I).bkp
NOTE: In case of any issues, you can revert to the original cacerts file and regenerate the AUTHC and NWUI keystores using the default self-signed certificates. See the Additional Information section of this article for instructions on reverting to the original files.

Auth Service Certificate Replacement Steps:

The authc service does not have to be stopped for the below procedure to work. It must be restarted for the new certificates to be loaded, however.

  1. Importing the certificates

    • Import the root certificate (<CA>.crt) and any intermediate CA certificates (<ICA>.crt) into the authc.keystore and the authc.truststore.

      $java_bin/keytool -import -alias RCA -keystore $nsr/authc/conf/authc.keystore -file $RCAcert -storepass $authc_storepass
      $java_bin/keytool -import -alias RCA -keystore /opt/nsr/authc-server/conf/authc.truststore -file $RCAcert -storepass $authc_storepass
      
      $java_bin/keytool -import -alias ICA -keystore $nsr/authc/conf/authc.keystore -file $ICAcert -storepass $authc_storepass
      $java_bin/keytool -import -alias ICA -keystore /opt/nsr/authc-server/conf/authc.truststore -file $ICAcert -storepass $authc_storepass
    • Use the NetWorker Server private key file (<server>.key) and the new CA-signed certificate file (<server>.crt) to create a PKCS12 store file for each of the emcauthctomcat and emcauthcsaml aliases.

      openssl pkcs12 -export -in $cert -inkey $key -name emcauthctomcat -out /tmp/$hostname.tomcat.authc.p12 -password pass:$authc_storepass
      openssl pkcs12 -export -in $cert -inkey $key -name emcauthcsaml -out /tmp/$hostname.saml.authc.p12 -password pass:$authc_storepass
      NOTE: The pkcs12 file password must match the password of the keystore. This is why, in this case, we create it with the authc storepass.
    • Import the PKCS12 store files to the authc.keystore.

      $java_bin/keytool -importkeystore -destkeystore $nsr/authc/conf/authc.keystore -srckeystore /tmp/$hostname.tomcat.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
      $java_bin/keytool -importkeystore -destkeystore $nsr/authc/conf/authc.keystore -srckeystore /tmp/$hostname.saml.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
    • Import the PKCS12 store files to the authc.truststore.

      $java_bin/keytool -importkeystore -destkeystore /opt/nsr/authc-server/conf/authc.truststore -srckeystore /tmp/$hostname.tomcat.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
      $java_bin/keytool -importkeystore -destkeystore /opt/nsr/authc-server/conf/authc.truststore -srckeystore /tmp/$hostname.saml.authc.p12 -srcstoretype PKCS12 -srcstorepass $authc_storepass -deststorepass $authc_storepass
    • Delete the default NetWorker self-signed certificate and import the new CA-signed certificate file (<server>.crt) into the authc.truststore.

      $java_bin/keytool -delete -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass $authc_storepass
      $java_bin/keytool -import -alias emcauthctomcat -keystore /opt/nsr/authc-server/conf/authc.truststore -file $cert -storepass $authc_storepass
      $java_bin/keytool -delete -alias emcauthcsaml -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass $authc_storepass
      $java_bin/keytool -import -alias emcauthcsaml -keystore /opt/nsr/authc-server/conf/authc.truststore -file $cert -storepass $authc_storepass
    • Finally, import this certificate into the Java cacerts keystore file under the emcauthctomcat alias:

      $java_bin/keytool -delete -alias emcauthctomcat -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcauthctomcat -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
      NOTE: If you are using NetWorker 19.13 (or later), keytool commands may return a warning when importing cacerts certificates. The warning states to use -cacerts instead of -keystore. The warning can safely be ignored; the syntax shown in this article still imports the certificates. Alternatively, replace "-keystore $java_bin/../lib/security/cacerts" with "-cacerts" in the commands, which removes the warning.
  2. Edit the admin_service_default_url=localhost value in the authc-cli-app.properties file to reflect the NetWorker Server name used in the CA-signed certificate file:

    cat /opt/nsr/authc-server/conf/authc-cli-app.properties
    admin_service_default_protocol=https
    admin_service_default_url=<my-networker-server.my-domain.com>
    admin_service_default_port=9090
    admin_service_default_user=
    admin_service_default_password=
    admin_service_default_tenant=
    admin_service_default_domain=
  3. A restart of NetWorker services is needed for authc to use the new imported certificate.

    nsr_shutdown
    systemctl start networker
  4. Reestablish authc trust on the NetWorker server:

    nsrauthtrust -H <local host or Authentication_service_host> -P 9090

AUTHC post-verifications:

For each keystore, the "Certificate fingerprint" shown for the alias must match the one shown for the other keystores:

$java_bin/keytool -list -keystore $java_bin/../lib/security/cacerts -storepass changeit | grep emcauthctomcat -A1
$java_bin/keytool -list -keystore /opt/nsr/authc-server/conf/authc.truststore -storepass $authc_storepass | grep emcauthctomcat -A1
$java_bin/keytool -list -keystore $nsr/authc/conf/authc.keystore -storepass $authc_storepass | grep emcauthctomcat -A1

The output should be similar to this:

Certificate fingerprint (SHA-256): FD:54:B4:11:42:87:FF:CA:80:77:D2:C7:06:87:09:72:70:85:C1:70:39:32:A9:C0:14:83:D9:3A:29:AF:44:90

This fingerprint should be the one from the certificate which was installed; a match indicates that the new certificate was introduced into the different keystores correctly. The fingerprint of the certificate file is shown by:

openssl x509 -in $cert -fingerprint -sha256 -noout

When the authc service is up and running, you can check that the certificate it provides to an inbound connection is the same as the above:

openssl x509 -in <(openssl s_client -connect localhost:9090 -prexit 2>/dev/null </dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p') -fingerprint -sha256 -noout

Alternatively, you can check the subject and issuer of the certificate used by port 9090:

openssl s_client -connect localhost:9090 -showcerts 2>/dev/null </dev/null | grep -E "issuer|subject"
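
The fingerprint comparison above can be automated instead of compared by eye. This is an added example, not from the original article; the function names and the --live switch are hypothetical, the "rca" fingerprint in the sample listing is constructed, and live mode assumes the variables defined earlier in this article are set.

```bash
#!/usr/bin/env bash
# Added example (not from the original article): compare the emcauthctomcat
# fingerprint across keystores. Function names and --live are hypothetical.

# Reads "keytool -list" output on stdin and prints the fingerprint of one alias.
# The alias must match exactly, so "emcauth" does not match "emcauthctomcat".
alias_fingerprint() {
    awk -v want="$1" '
        index($0, want ", ") == 1 { found = 1; next }   # "<alias>, <date>, <type>,"
        found && /fingerprint/ { sub(/^.*: /, ""); gsub(/[ \r]/, ""); print toupper($0); exit }
        { found = 0 }'
}

# check_fingerprints <expected> <label>=<fingerprint>...
# Prints one line per store; returns non-zero if any is missing or different.
check_fingerprints() {
    local expected="$1" rc=0 pair
    shift
    for pair in "$@"; do
        if [ -n "$expected" ] && [ "${pair#*=}" = "$expected" ]; then
            echo "match     ${pair%%=*}"
        else
            echo "MISMATCH  ${pair%%=*} (${pair#*=})"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample of "keytool -list" output. The emcauthctomcat fingerprint
# is the one shown in this article; the rca fingerprint is a made-up value.
sample_listing() {
    cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

rca, Mar 23, 2026, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
emcauthctomcat, Mar 23, 2026, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FD:54:B4:11:42:87:FF:CA:80:77:D2:C7:06:87:09:72:70:85:C1:70:39:32:A9:C0:14:83:D9:3A:29:AF:44:90
EOF
}

# Live mode: needs $java_bin, $nsr, $cert and $authc_storepass from this article.
if [ "${1:-}" = "--live" ]; then
    fp() { "$java_bin/keytool" -list -keystore "$1" -storepass "$2" | alias_fingerprint emcauthctomcat; }
    want=$(openssl x509 -in "$cert" -fingerprint -sha256 -noout | sed 's/^.*=//')
    served=$(openssl s_client -connect localhost:9090 </dev/null 2>/dev/null |
             openssl x509 -fingerprint -sha256 -noout | sed 's/^.*=//')
    check_fingerprints "$want" \
        "cacerts=$(fp "$java_bin/../lib/security/cacerts" changeit)" \
        "authc.truststore=$(fp /opt/nsr/authc-server/conf/authc.truststore "$authc_storepass")" \
        "authc.keystore=$(fp "$nsr/authc/conf/authc.keystore" "$authc_storepass")" \
        "port-9090=$served"
fi
```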

NetWorker User Interface (nwui) Service Certificate Replacement Steps:

We assume that the nwui services are running on the NetWorker server.

  • Stop the nwui service

    systemctl stop nwui
  • Delete the default NetWorker self-signed certificates and import the new CA-signed certificate file (<server>.crt) into the cacerts keystore. For consistency, we replace all nwui-related certificates with the CA-signed certificate.

    • It is necessary to determine whether NetWorker Runtime Environment (NRE) or Java Runtime Environment (JRE) is used before performing the following steps.
    • If JRE is used, the cacerts file is at $java_bin/../lib/security/cacerts.
    • If NRE is used, the cacerts file is at /opt/nre/java/latest/lib/security/cacerts.
      $java_bin/keytool -delete -alias emcnwuimonitoring -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcnwuimonitoring -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
      
      $java_bin/keytool -delete -alias emcnwuiserv -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcnwuiserv -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
      
      $java_bin/keytool -delete -alias emcnwuiauthc -keystore $java_bin/../lib/security/cacerts -storepass changeit
      $java_bin/keytool -import -alias emcnwuiauthc -keystore $java_bin/../lib/security/cacerts -file $cert -storepass changeit
      NOTE: If you are using NetWorker 19.13 (or later), keytool commands may return a warning when importing cacerts certificates. The warning states to use -cacerts instead of -keystore. The warning can safely be ignored; the syntax shown in this article still imports the certificates. Alternatively, replace "-keystore $java_bin/../lib/security/cacerts" with "-cacerts" in the commands, which removes the warning.
  • Use the NetWorker Server private key file (<server>.key) and the new CA-signed certificate file (<server>.crt) to create a PKCS12 store file for each of the emcauthctomcat and emcauthcsaml aliases for the nwui keystore.

    openssl pkcs12 -export -in $cert -inkey $key -name emcauthctomcat -out /tmp/$hostname.tomcat.nwui.p12 -password pass:$nwui_storepass
    openssl pkcs12 -export -in $cert -inkey $key -name emcauthcsaml -out /tmp/$hostname.saml.nwui.p12 -password pass:$nwui_storepass
    NOTE: The pkcs12 file password must match the password of the keystore. This is why, in this case, we create it with the nwui storepass.
  • Import the .p12 files, root CA certificate, and intermediate CA certificates into the nwui keystore.

    $java_bin/keytool -importkeystore -destkeystore $nsr/nwui/monitoring/app/conf/nwui.keystore -srckeystore /tmp/$hostname.tomcat.nwui.p12 -srcstoretype PKCS12 -srcstorepass $nwui_storepass -deststorepass $nwui_storepass
    
    $java_bin/keytool -importkeystore -destkeystore $nsr/nwui/monitoring/app/conf/nwui.keystore -srckeystore /tmp/$hostname.saml.nwui.p12 -srcstoretype PKCS12 -srcstorepass $nwui_storepass -deststorepass $nwui_storepass
    
    $java_bin/keytool -import -alias RCA -keystore $nsr/nwui/monitoring/app/conf/nwui.keystore -file $RCAcert -storepass $nwui_storepass
    
    $java_bin/keytool -import -alias ICA -keystore $nsr/nwui/monitoring/app/conf/nwui.keystore -file $ICAcert -storepass $nwui_storepass
  • Keep a copy of the emcnwuimonitoring, emcnwuiauthc, and emcnwuiserv certificates under a _orig name, and copy the server certificate to the same path under the original name.

    cp -p $nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer $nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer_orig
    cp $cert $nsr/nwui/monitoring/app/conf/emcnwuimonitoring.cer
    
    cp -p /opt/nwui/conf/emcnwuiauthc.cer /opt/nwui/conf/emcnwuiauthc.cer_orig
    cp $cert /opt/nwui/conf/emcnwuiauthc.cer
    
    cp -p /opt/nwui/conf/emcnwuiserv.cer /opt/nwui/conf/emcnwuiserv.cer_orig
    cp $cert /opt/nwui/conf/emcnwuiserv.cer
    NOTE: You are prompted to overwrite the original files (this maintains existing ownership and permissions)
  • nwui PostgreSQL Certificate Replacement Steps

    cp -p $nsr/nwui/monitoring/nwuidb/pgdata/server.crt $nsr/nwui/monitoring/nwuidb/pgdata/server.crt_orig
    cp -p $nsr/nwui/monitoring/nwuidb/pgdata/server.key $nsr/nwui/monitoring/nwuidb/pgdata/server.key_orig
    cp $cert $nsr/nwui/monitoring/nwuidb/pgdata/server.crt
    cp $key $nsr/nwui/monitoring/nwuidb/pgdata/server.key
    NOTE: You are prompted to overwrite the original files (this maintains existing ownership and permissions)
  • Start the nwui services

    systemctl start nwui

nwui Post-verifications:

For each keystore, the "Certificate fingerprint" shown for the alias must match the one shown for the other keystores:

$java_bin/keytool -list -keystore $nsr/nwui/monitoring/app/conf/nwui.keystore -storepass $nwui_storepass | grep emcauthctomcat -A1
$java_bin/keytool -list -keystore $java_bin/../lib/security/cacerts -storepass changeit | grep emcauthctomcat -A1
$java_bin/keytool -list -storepass $authc_storepass -keystore $nsr/authc/conf/authc.keystore | grep emcauthctomcat -A1

This fingerprint should be the one from the certificate which was installed; a match indicates that the new certificate was introduced into the different keystores correctly. The fingerprint of the certificate file is shown by:

openssl x509 -in $cert -fingerprint -sha256 -noout

Alternatively, you can check the subject and issuer of the certificate used by port 9095:

openssl s_client -connect localhost:9095 -showcerts 2>/dev/null </dev/null | grep -E "issuer|subject"

NetWorker Management Console:

This topic is covered in article: NetWorker: How to Import or Replace Certificate Authority Signed Certificates for NMC

Additional Information

The following instructions can be used to revert to the cacerts file copy created before following this article. The following process also resets NetWorker to using the default self-signed certificates for AUTHC and NWUI. 

 

  1. Confirm that you have a backup copy. If the "Before you start" command was used, you should have a dated copy of Java's cacerts file in the server's /tmp directory. For example:

    [root@nsr ~]# ls -l /tmp | grep cacerts
    -rwxr-xr-x. 1 root      root      129266 Mar 23 14:44 cacerts_2026-03-23.bkp
  2. Stop NetWorker services:

    systemctl stop nwui
    nsr_shutdown
  3. Validate that NetWorker services are not running:

    systemctl status networker
    systemctl status nwui
  4. Copy the cacerts files back to their original location:

    rsync -a --no-perms --no-owner --no-group /tmp/cacerts_<date>.bkp /opt/nre/java/latest/lib/security/cacerts
    NOTE: This article demonstrates rsync usage. This is used to overwrite the existing files, while ensuring that the default ownership and permissions are maintained.
  5. Rerun the authc_configure.sh script and specify the option to create a new keystore. Example:

    [root@nsr ~]# /opt/nsr/authc-server/scripts/authc_configure.sh

    Specify the directory where the Java Standard Edition Runtime Environment (JRE) software is installed [/opt/nre/java/latest]:

    The installation process will install an Apache Tomcat instance.
    For optimum security, EMC NetWorker Authentication Service will
    use a non-root user (nsrtomcat) to start the Apache Tomcat instance.
    If your system has special user security requirements, ensure that proper
    operational permissions are granted to this non-root user (nsrtomcat).
    Please refer to NetWorker Installation Guide.

    The Apache Tomcat will use "nsr.amer.lan" as the host name.
    The Apache Tomcat will use "9090" as the port number.

    The NetWorker Authentication Service requires a keystore file to configure encryption and to provide SSL support.

    EMC recommends that you specify a keystore password that has a minimum of six characters.

    Do you want to use the existing keystore /nsr/authc/conf/authc.keystore [y]? n

    The installation process will create a new keystore file.

    Specify the keystore password: HIDDEN_PASSWORD
    Confirm the password: HIDDEN_PASSWORD

    Creating the installation log in /opt/nsr/authc-server/logs/install.log.

    Performing initialization. Please wait...


    The installation completed successfully.
  6. Start the NetWorker server services:

    systemctl start networker
  7. Use the nwui_configure.sh script and specify the option to create a new keystore. Example:

    [root@nsr ~]# mv /nsr/nwui /nsr/nwui_$(date -I).bak
    [root@nsr ~]# /opt/nwui/scripts/nwui_configure.sh

    Specify the directory where the Java Standard Edition Runtime Environment (JRE) software is installed [/opt/nre/java/latest]:
    Specify the host name of the NetWorker Authentication Service host [nsr.amer.lan]:
    Specify the host name of the NetWorker Server to be Managed by NWUI [nsr.amer.lan]:
    Specify the AUTHC port for Networker Server which is managed by NWUI [9090]:

    The NetWorker Web UI Server requires a keystore file to configure encryption and to provide SSL support.

    EMC recommends that you specify a password that has a minimum of nine characters, with at least one upper case letter, one lower case letter, one number and one special character.

    The installation process will create a new keystore file.

    Specify the keystore password: HIDDEN_PASSWORD
    Confirm the password: HIDDEN_PASSWORD
    NOTE: After starting NetWorker services, it may take a couple of minutes for everything to come up. The nwui_configure.sh script may report that it cannot reach the AUTHC server on port 9090. Assuming the default port (9090) is used, wait a couple of minutes, or run nwui_configure.sh after port 9090 shows as listening: netstat -apno | grep :9090.
  8. Start the NWUI service:

    systemctl start nwui
  9. Validate that services have started:

    systemctl status networker
    systemctl status nwui


    The server should now be functioning with the self-signed certificates that NetWorker deploys by default.

    Affected Products

    NetWorker Family, NetWorker
    Article Properties
    Article Number: 000194900
    Article Type: How To
    Last Modified: 23 Mar 2026
    Version:  26