NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "AUTHC" and "NWUI" (Windows)
Summary: These are the general steps to replace the default NetWorker self-signed certificate with a Certificate Authority (CA)-signed certificate for the "AUTHC" and "NWUI" services. This KB applies when the NetWorker server and NetWorker Web User Interface (NWUI) server are installed on Windows operating systems. ...
Instructions
These instructions describe how to replace the default NetWorker self-signed certificate with a CA-signed certificate for the AUTHC and NWUI services on the NetWorker server.
The file names themselves are not mandated; the extensions shown indicate the type of each file. The command examples shown are for Windows. For Linux instructions, see:
NetWorker: How to Import or Replace Certificate Authority Signed Certificates for "Authc" and "NWUI" (Linux)
Certificate Files Involved:
- <server>.csr: NetWorker server certificate signing request
- <server>.key: NetWorker server private key
- <server>.crt: NetWorker server CA-signed certificate
- <CA>.crt: CA root certificate
- <ICA>.crt: CA intermediate certificate (optional, if the CA provides one)
Keystores Involved:
| Store Name | Default Path |
| --- | --- |
| authc.keystore | C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf\authc.keystore |
| authc.truststore | C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc.truststore |
| cacerts | C:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts |
| nwui.keystore | C:\Program Files\EMC NetWorker\nwui\monitoring\app\conf\nwui.keystore |
Before you start:
Create a copy of the following files and folders in another location:
- C:\Program Files\NRE\java\jre#.#.#_###\lib\security\cacerts
- C:\Program Files\EMC NetWorker\nwui\monitoring\app\conf\nwui.keystore
- C:\Program Files\EMC NetWorker\nwui\monitoring\nwuidb\pgdata
- C:\Program Files\EMC NetWorker\nsr\authc-server\tomcat\conf
- C:\Program Files\EMC NetWorker\nsr\authc-server\conf
Generate a private key and certificate signing request (CSR) file to provide to your CA.
- Open an Administrator command prompt and run the following commands:
set openssl="<Path to OpenSSL bin folder>\openssl.exe"
%openssl% req -new -newkey rsa:4096 -nodes -out C:\tmp\<server>.csr -keyout C:\tmp\<server>.key
- Send the CSR file (<server>.csr) to the CA to generate the CA-signed certificate file (<server>.crt). The CA should provide the CA-signed certificate file (<server>.crt), the root certificate (<CA>.crt), and any intermediate CA certificates (<ICA>.crt).
Pre-verification steps:
You must know the correct NetWorker keystore passwords. These passwords are set during AUTHC and NWUI configuration. If you are not sure, see:
To simplify the steps and commands described below, create the following variables in an Administrator command prompt:
set hostname=<shortname of NetWorker server>
set openssl="<Path to OpenSSL bin folder>\openssl.exe"
*For example, this may be C:\Program Files\OpenSSL-Win64\bin; however, the path can differ depending on how OpenSSL was installed.
NOTE: Setting this variable is not required if the OpenSSL bin directory is part of the system environment variable "PATH". In that case, openssl can be run without specifying %openssl% as shown in the KB process.
set java_bin="<Path to JRE bin folder>"
*For NRE this is "C:\Program Files\NRE\java\jre#.#.#_###\bin", where jre#.#.#_### is the version-specific JRE folder.
set nsr="<path to nsr folder>"
*The default path is "C:\Program Files\EMC NetWorker\nsr"
set nwui="<path to nwui folder>"
*The default path is "C:\Program Files\EMC NetWorker\nwui"
set cert="<path to server crt file>"
set key="<path to server key file>"
set RCAcert="<path to Root CA file>"
set ICAcert="<path to intermediate CA crt file>"
set authc_storepass=<AUTHC store password>
set nwui_storepass=<NWUI store password>
Ensure that you have the following:
- The server .crt file contains a PEM certificate whose first line is -----BEGIN CERTIFICATE----- and whose last line is -----END CERTIFICATE-----
- The key file starts with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----
- Confirm that all certificates are valid PEM format files by running:
%openssl% x509 -in %cert% -text -noout
- Review the above output to be sure that it is the right certificate.
- Check the output of the following two commands:
%openssl% rsa -pubout -in %key%
%openssl% x509 -pubkey -noout -in %cert%
The output of these two commands must match: the public key derived from the private key must be identical to the public key embedded in the certificate.
Auth Service Certificate Replacement Steps:
The authc service does not have to be stopped for the procedure below to work. It must, however, be restarted for the new certificates to be loaded.
- Importing the certificates:
- Import the root certificate (<CA>.crt) and any intermediate CA certificates (<ICA>.crt) into the authc.keystore:
%java_bin%\keytool -import -alias RCA -keystore %nsr%\authc-server\tomcat\conf\authc.keystore -file %RCAcert% -storepass %authc_storepass%
%java_bin%\keytool -import -alias RCA -keystore %nsr%\authc-server\conf\authc.truststore -file %RCAcert% -storepass %authc_storepass%
%java_bin%\keytool -import -alias ICA -keystore %nsr%\authc-server\tomcat\conf\authc.keystore -file %ICAcert% -storepass %authc_storepass%
%java_bin%\keytool -import -alias ICA -keystore %nsr%\authc-server\conf\authc.truststore -file %ICAcert% -storepass %authc_storepass%
- Use the NetWorker Server private key file (<server>.key) and the new CA-signed certificate file (<server>.crt) to create PKCS12 store files for the emcauthctomcat and emcauthcsaml aliases:
%openssl% pkcs12 -export -in %cert% -inkey %key% -name emcauthctomcat -out C:\tmp\%hostname%.tomcat.authc.p12 -password pass:%authc_storepass%
%openssl% pkcs12 -export -in %cert% -inkey %key% -name emcauthcsaml -out C:\tmp\%hostname%.saml.authc.p12 -password pass:%authc_storepass%
- Import the PKCS12 store files to the authc.keystore.
%java_bin%\keytool -importkeystore -destkeystore %nsr%\authc-server\tomcat\conf\authc.keystore -srckeystore C:\tmp\%hostname%.tomcat.authc.p12 -srcstoretype PKCS12 -srcstorepass %authc_storepass% -deststorepass %authc_storepass%
%java_bin%\keytool -importkeystore -destkeystore %nsr%\authc-server\tomcat\conf\authc.keystore -srckeystore C:\tmp\%hostname%.saml.authc.p12 -srcstoretype PKCS12 -srcstorepass %authc_storepass% -deststorepass %authc_storepass%
- Import the PKCS12 store files to the authc.truststore.
%java_bin%\keytool -importkeystore -destkeystore %nsr%\authc-server\conf\authc.truststore -srckeystore C:\tmp\%hostname%.tomcat.authc.p12 -srcstoretype PKCS12 -srcstorepass %authc_storepass% -deststorepass %authc_storepass%
%java_bin%\keytool -importkeystore -destkeystore %nsr%\authc-server\conf\authc.truststore -srckeystore C:\tmp\%hostname%.saml.authc.p12 -srcstoretype PKCS12 -srcstorepass %authc_storepass% -deststorepass %authc_storepass%
- Delete the default NetWorker self-signed certificate entries from the authc.truststore and import the new CA-signed certificate under the same aliases:
%java_bin%\keytool -delete -alias emcauthctomcat -keystore %nsr%\authc-server\conf\authc.truststore -storepass %authc_storepass%
%java_bin%\keytool -import -alias emcauthctomcat -keystore %nsr%\authc-server\conf\authc.truststore -file %cert% -storepass %authc_storepass%
%java_bin%\keytool -delete -alias emcauthcsaml -keystore %nsr%\authc-server\conf\authc.truststore -storepass %authc_storepass%
%java_bin%\keytool -import -alias emcauthcsaml -keystore %nsr%\authc-server\conf\authc.truststore -file %cert% -storepass %authc_storepass%
- Finally, import this certificate into the Java cacerts keystore file under the emcauthctomcat alias:
%java_bin%\keytool -delete -alias emcauthctomcat -keystore %java_bin%\..\lib\security\cacerts -storepass changeit
%java_bin%\keytool -import -alias emcauthctomcat -keystore %java_bin%\..\lib\security\cacerts -file %cert% -storepass changeit
- Edit the admin_service_default_url=localhost value in the C:\Program Files\EMC NetWorker\nsr\authc-server\conf\authc-cli-app.properties file to reflect the NetWorker Server name used in the CA-signed certificate file:
admin_service_default_protocol=https
admin_service_default_url=<my-networker-server.my-domain.com>
admin_service_default_port=9090
admin_service_default_user=
admin_service_default_password=
admin_service_default_tenant=
admin_service_default_domain=
- A restart of NetWorker services is needed for AUTHC to use the new imported certificate.
net stop nsrd
net start nsrd
- Re-establish AUTHC trust on the NetWorker server:
nsrauthtrust -H <localhost or Authentication_service_host> -P 9090
AUTHC post-verifications:
- Confirm the fingerprint of the certificate imported:
%openssl% x509 -in %cert% -fingerprint -sha256 -noout
Example output:
C:\certs>%openssl% x509 -in %cert% -fingerprint -sha256 -noout
SHA256 Fingerprint=06:4B:5B:73:06:55:FC:4A:CD:D2:92:34:00:1D:CE:35:CA:C3:48:C7:51:06:3A:D7:D7:84:F4:77:06:ED:9B:73
- Create an output file listing the contents of the cacerts keystore:
%java_bin%\keytool -list -keystore %java_bin%\..\lib\security\cacerts -storepass changeit > C:\tmp\cacerts.out
- Review the output file and confirm that you see the emcauthctomcat entry and that its Certificate fingerprint matches the fingerprint from step 1.
- Check the authc.truststore and authc.keystore and confirm that the emcauthctomcat and emcauthcsaml certificate fingerprints match the fingerprint from step 1:
%java_bin%\keytool -list -keystore %nsr%\authc-server\conf\authc.truststore -storepass %authc_storepass%
%java_bin%\keytool -list -keystore %nsr%\authc-server\tomcat\conf\authc.keystore -storepass %authc_storepass%
- When the AUTHC service is up and running, you can check that the certificate it provides to an inbound connection is the same as the above:
%openssl% s_client -connect localhost:9090 -showcerts 2>nul | %openssl% x509 -noout -fingerprint -sha256
Example output:
C:\certs>%openssl% s_client -connect localhost:9090 -showcerts 2>nul | %openssl% x509 -noout -fingerprint -sha256
SHA256 Fingerprint=06:4B:5B:73:06:55:FC:4A:CD:D2:92:34:00:1D:CE:35:CA:C3:48:C7:51:06:3A:D7:D7:84:F4:77:06:ED:9B:73
NetWorker User Interface (nwui) Service Certificate Replacement Steps:
These steps assume that the NWUI services are running on the NetWorker server.
- Stop the NWUI service:
net stop nwui
- Delete the default NetWorker self-signed certificates and import the new CA-signed certificate file (<server>.crt) into the cacerts keystore. For consistency, we replace all nwui-related certificates with the CA-signed certificate.
%java_bin%\keytool -delete -alias emcnwuimonitoring -keystore %java_bin%\..\lib\security\cacerts -storepass changeit
%java_bin%\keytool -import -alias emcnwuimonitoring -keystore %java_bin%\..\lib\security\cacerts -file %cert% -storepass changeit
- Use the NetWorker Server private key file (<server>.key) and the new CA-signed certificate file (<server>.crt) to create PKCS12 store files for the emcauthctomcat and emcauthcsaml aliases in the nwui keystore:
%openssl% pkcs12 -export -in %cert% -inkey %key% -name emcauthctomcat -out C:\tmp\%hostname%.tomcat.nwui.p12 -password pass:%nwui_storepass%
%openssl% pkcs12 -export -in %cert% -inkey %key% -name emcauthcsaml -out C:\tmp\%hostname%.saml.nwui.p12 -password pass:%nwui_storepass%
- Import the .p12 files, root CA certificate, and intermediate CA certificates into the nwui keystore.
%java_bin%\keytool -importkeystore -destkeystore %nwui%\monitoring\app\conf\nwui.keystore -srckeystore C:\tmp\%hostname%.tomcat.nwui.p12 -srcstoretype PKCS12 -srcstorepass %nwui_storepass% -deststorepass %nwui_storepass%
%java_bin%\keytool -importkeystore -destkeystore %nwui%\monitoring\app\conf\nwui.keystore -srckeystore C:\tmp\%hostname%.saml.nwui.p12 -srcstoretype PKCS12 -srcstorepass %nwui_storepass% -deststorepass %nwui_storepass%
%java_bin%\keytool -import -alias RCA -keystore %nwui%\monitoring\app\conf\nwui.keystore -file %RCAcert% -storepass %nwui_storepass%
%java_bin%\keytool -import -alias ICA -keystore %nwui%\monitoring\app\conf\nwui.keystore -file %ICAcert% -storepass %nwui_storepass%
- Rename the existing emcnwuimonitoring.cer certificate file and copy the server certificate into the same path under that name:
move %nwui%\monitoring\app\conf\emcnwuimonitoring.cer %nwui%\monitoring\app\conf\emcnwuimonitoring.cer_orig
copy %cert% %nwui%\monitoring\app\conf\emcnwuimonitoring.cer
- Start the NWUI service:
net start nwui
nwui Post-verifications:
- Confirm the fingerprint of the certificate imported:
%openssl% x509 -in %cert% -fingerprint -sha256 -noout
Example output:
C:\certs>%openssl% x509 -in %cert% -fingerprint -sha256 -noout
SHA256 Fingerprint=06:4B:5B:73:06:55:FC:4A:CD:D2:92:34:00:1D:CE:35:CA:C3:48:C7:51:06:3A:D7:D7:84:F4:77:06:ED:9B:73
- Create an output file listing the contents of the cacerts keystore:
%java_bin%\keytool -list -keystore %java_bin%\..\lib\security\cacerts -storepass changeit > C:\tmp\cacerts.out
- Review the output file and confirm that you see the emcauthctomcat entry and that its Certificate fingerprint matches the fingerprint from step 1.
- Check the nwui.keystore and confirm that the emcauthctomcat certificate fingerprint matches the fingerprint from step 1:
%java_bin%\keytool -list -keystore %nwui%\monitoring\app\conf\nwui.keystore -storepass %nwui_storepass%
- When the NWUI service is up and running, you can check that the certificate it provides to an inbound connection is the same as the above:
%openssl% s_client -connect localhost:9095 -showcerts 2>nul | %openssl% x509 -noout -fingerprint -sha256
Example output:
C:\certs>%openssl% s_client -connect localhost:9095 -showcerts 2>nul | %openssl% x509 -noout -fingerprint -sha256
SHA256 Fingerprint=06:4B:5B:73:06:55:FC:4A:CD:D2:92:34:00:1D:CE:35:CA:C3:48:C7:51:06:3A:D7:D7:84:F4:77:06:ED:9B:73
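The AUTHC and NWUI post-verification steps above boil down to one comparison: the SHA-256 fingerprint of <server>.crt must appear under the expected aliases in each keystore and must be what the listener presents. As an added example (not part of this KB or the NetWorker product), the script below automates that comparison with Python's standard library; it assumes the non-verbose `keytool -list` output format of JDK 8 and later ("Certificate fingerprint (SHA-256): ..."), and all sample data in it is constructed.

```python
import hashlib
import re
import ssl
from base64 import b64encode

# Aliases this KB expects to carry the CA-signed certificate in the stores it lists
REQUIRED_ALIASES = ("emcauthctomcat", "emcauthcsaml")

def fingerprint_sha256(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate in the colon form openssl and keytool print."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def parse_keytool_list(output: str) -> dict:
    """Map alias -> SHA-256 fingerprint from non-verbose `keytool -list` output (JDK 8+ format assumed)."""
    entries, alias = {}, None
    for line in output.splitlines():
        m = re.match(r"^([^,]+),\s.*(?:PrivateKeyEntry|trustedCertEntry)", line)
        if m:
            alias = m.group(1).strip()  # keytool stores aliases lowercased, e.g. RCA -> rca
            continue
        m = re.match(r"^Certificate fingerprint \(SHA-?256\):\s*([0-9A-Fa-f:]+)", line)
        if m and alias:
            entries[alias] = m.group(1).upper()
            alias = None
    return entries

def check_aliases(keytool_output: str, cert_pem: str, aliases=REQUIRED_ALIASES) -> dict:
    """For each required alias: does the store's fingerprint equal that of <server>.crt?"""
    expected = fingerprint_sha256(cert_pem)
    found = parse_keytool_list(keytool_output)
    return {a: found.get(a) == expected for a in aliases}

def served_cert_matches(host: str, port: int, cert_pem: str) -> bool:
    """Live equivalent of the s_client pipeline: listener's certificate fingerprint vs <server>.crt."""
    served = ssl.get_server_certificate((host, port))  # ("localhost", 9090) for AUTHC, 9095 for NWUI
    return fingerprint_sha256(served) == fingerprint_sha256(cert_pem)

# Constructed stand-in for <server>.crt: PEM framing around dummy bytes, not a real certificate.
SAMPLE_CERT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + b64encode(b"constructed-der-for-this-example").decode() + "\n"
                   + "-----END CERTIFICATE-----\n")
STALE_FP = ":".join(["AA"] * 32)  # constructed fingerprint of a leftover self-signed certificate
# Constructed `keytool -list` output: emcauthctomcat was replaced, emcauthcsaml still holds the old cert.
SAMPLE_KEYTOOL_OUTPUT = (
    "Keystore type: JKS\nKeystore provider: SUN\n\nYour keystore contains 3 entries\n\n"
    f"emcauthctomcat, Jan 5, 2024, PrivateKeyEntry,\nCertificate fingerprint (SHA-256): {fingerprint_sha256(SAMPLE_CERT_PEM)}\n"
    f"emcauthcsaml, Jan 5, 2024, PrivateKeyEntry,\nCertificate fingerprint (SHA-256): {STALE_FP}\n"
    f"rca, Jan 5, 2024, trustedCertEntry,\nCertificate fingerprint (SHA-256): {':'.join(['BB'] * 32)}\n"
)

if __name__ == "__main__":
    print(check_aliases(SAMPLE_KEYTOOL_OUTPUT, SAMPLE_CERT_PEM))  # {'emcauthctomcat': True, 'emcauthcsaml': False}
```

In practice, pass `check_aliases` the text of C:\tmp\cacerts.out or of a `keytool -list` run against authc.truststore, authc.keystore or nwui.keystore, together with the contents of %cert%, and call `served_cert_matches("localhost", 9090, ...)` or port 9095 once the respective service is up.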
nwui PostgreSQL Certificate Replacement Steps:
move %nwui%\monitoring\nwuidb\pgdata\server.crt %nwui%\monitoring\nwuidb\pgdata\server.crt_orig
move %nwui%\monitoring\nwuidb\pgdata\server.key %nwui%\monitoring\nwuidb\pgdata\server.key_orig
copy %cert% %nwui%\monitoring\nwuidb\pgdata\server.crt
copy %key% %nwui%\monitoring\nwuidb\pgdata\server.key
Check the ownership of these files and ensure that they are owned by the system account LOCAL SERVICE.
Additional Information
For more information about importing a CA-signed certificate, see the Dell NetWorker Security Configuration Guide.
The process for replacing the NetWorker Management Console (NMC) self-signed certificate with a CA-signed certificate is detailed in the following KB:
NetWorker: How to Import or Replace Certificate Authority Signed Certificates for NMC