Avamar 19.2: How to install CA Signed certificate using AUI
Summary: This KB describes how to install a CA-signed certificate using the AUI for version 19.2.
Instructions
This article is for Avamar 19.2.x.
Task details:
The following procedure creates and imports the private key and its certificate, distributes the key and certificate to each component (avinstaller, aam/flr/dtlt, mcsdk, rmi and AUI), and then imports all levels of trusted certificates into your certificate chain. The result is that the certificates of the listed components are replaced.
Steps to install the certificate using the AUI:
- Log in to the Avamar server with PuTTY as the admin user.
- Create a certs directory under /home/admin and switch to the /home/admin/certs directory with the commands:
mkdir certs
cd certs
- Generate a PKCS#1-formatted RSA private key:
openssl genrsa -out private_key.pem 3072
- Switch to the root user and cd to the certs directory:
su -
cd /home/admin/certs
- Generate the certificate signing request (CSR) using the generated private key. This command specifies a subject alternative name extension that is automatically filled with the fully qualified domain name and the short name of the Avamar server. Because -key is given, the request is built on private_key.pem and no new key is generated; -days has no effect on a signing request.
openssl req -newkey rsa:3072 -sha256 -key private_key.pem -days 3650 -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS: $(hostname -f),DNS: $(hostname)")) -out signing_request.csr
Example of filling in Distinguished Name information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Irvine
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dell Technologies
Organizational Unit Name (eg, section) []:Avamar Support
Common Name (e.g. server FQDN or YOUR name) []:avamarlab.dell.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Change ownership of the signing request to admin:
chown admin:admin /home/admin/certs/signing_request.csr
- Send signing_request.csr to the CA and have it signed. Ensure that all certificates received from the CA are in PEM format. Assuming that you received the signed certificate as avamar_server.crt, obtain the root and intermediate certificates from the CA as well.
- Copy private_key.pem from /home/admin/certs to the desktop. Place the signed certificate (avamar_server.crt) on the desktop, then combine the root certificate and the intermediate certificate into a single ca.crt file and place it on the desktop as well.
- Open the AUI page in a browser using the Fully Qualified Domain Name (FQDN):
https://fqdn_of_avamar/aui
- In the AUI, go to Administration > System > Certificate tab > Private Key tab. A private certificate entry for the Web Server appears in the table.
- Click the radio button next to the Web Server entry, and then click the +REPLACE tab. The Replace Private Entry wizard displays.
- In the Private Key field, click Browse to locate and select your certificate's private key. In this example, it is the private_key.pem file placed on the desktop.
- In the Certificate field, click Browse to locate and select your certificate file. It should be avamar_server.crt.
- (Optional) If the private key is protected, provide the passphrase; otherwise, leave the field blank. Click Next.
- Certificate validation is initiated. If the validation fails (for example, if you selected private_key.pem for the private key and ca.crt for the certificate), a message displays indicating the private key and certificate do not match.
- When validation completes successfully, click FINISH.
- Under the Certificate tab, select the Trust Certificate tab > click +IMPORT. The Import Certificate wizard displays.
- In the Alias field, provide an alias name, for example: trustedCA. In the File field, click BROWSE to locate and import the appropriate trusted certificate. In this example, it is ca.crt on the desktop. Click NEXT.
- Click FINISH. After the import completes, review the trusted certificate details under the Trust Certificate tab.
- Click RESTART SERVICES to apply the certificate, and then click YES to verify that you want to restart these services.
(Note: This restarts Apache Tomcat and MCS.)
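The files prepared in the steps above can be checked from a shell before they are uploaded through the AUI wizards. The following is an added example, not part of the Dell article or of Avamar: it confirms the SAN in the CSR, compares public keys to detect the key/certificate mismatch that the Replace Private Entry wizard reports, and verifies the signed certificate against ca.crt. The function names, the example.test host names and the throwaway CA are assumptions made for the example.

```bash
# Added example, not Dell code. Function names are this example's own.
# True if the CSR lists DNSNAME in its subjectAltName extension.
csr_has_san() {        # csr_has_san CSR DNSNAME
    openssl req -in "$1" -noout -text 2>/dev/null | grep 'DNS:' |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "DNS:$2"
}

# True if CERT carries KEY's public key (unencrypted key assumed).
key_matches_cert() {   # key_matches_cert KEY CERT
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# True if CERT is PEM-encoded and verifies against the CA bundle.
chain_verifies() {     # chain_verifies CA_BUNDLE CERT
    grep -q 'BEGIN CERTIFICATE' "$2" 2>/dev/null &&
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks on the article's file names in DIR; prints "ok" or a reason.
preflight() {          # preflight DIR FQDN
    csr_has_san "$1/signing_request.csr" "$2" ||
        { echo "CSR lacks SAN DNS:$2"; return 1; }
    key_matches_cert "$1/private_key.pem" "$1/avamar_server.crt" ||
        { echo "private key and certificate do not match"; return 1; }
    chain_verifies "$1/ca.crt" "$1/avamar_server.crt" ||
        { echo "avamar_server.crt does not verify against ca.crt"; return 1; }
    echo "ok"
}

# Constructed sample data: a throwaway CA and server certificate in DIR.
make_sample() {        # make_sample DIR
    ( cd "$1" && printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
          '[v3_ca]' 'basicConstraints=critical,CA:TRUE' '[SAN]' \
          'subjectAltName=DNS:avamar.example.test,DNS:avamar' > t.cnf &&
      openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
          -subj '/CN=Example Test CA' -days 1 -config t.cnf -extensions v3_ca &&
      openssl genrsa -out private_key.pem 2048 &&
      openssl req -new -key private_key.pem -subj '/CN=avamar.example.test' \
          -config t.cnf -reqexts SAN -out signing_request.csr &&
      openssl x509 -req -in signing_request.csr -CA ca.crt -CAkey ca.key \
          -CAcreateserial -days 1 -out avamar_server.crt ) >/dev/null 2>&1
}

# Demo on the constructed data; prints "ok".
d=$(mktemp -d) && make_sample "$d" && preflight "$d" avamar.example.test
```

On real files, gather signing_request.csr, private_key.pem, avamar_server.crt and ca.crt in one directory and run preflight on that directory with the FQDN of the Avamar server.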
Products
Avamar
Article Properties
Article Number: 000158014
Article Type: How To
Last Modified: 29 May 2023
Version: 6