Avamar: How to regenerate certificates
Summary: How to reset or regenerate certificates due to expiration (or misconfiguration).
Instructions
Use Cases:
- Regenerating certificates on-demand.
- When Avamar services are down, and cannot be restarted due to expired or misconfigured certificates.
Notes:
- Several of these procedures require that running services be restarted. This may disrupt running backups and replication jobs. Services should not be restarted while Avamar maintenance (checkpoint (cp), checkpoint validation (hfscheck), or garbage collection) is running.
- Regenerating the keystores and updating the Data Domain certificate store can be done automatically with the GoAV tool. See the following article for more information: Avamar: How to Use Goav security keystore
- If the GoAV tool is to be used, ensure that the latest copy is downloaded and extracted per Avamar: GoAV Product Tool for Management and Troubleshooting
- A checkpoint MUST be taken prior to performing any updates.
Review the existing expirations to determine which updates are required:
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Set the "storepath" variable:
For Avamar v19.7 and later:
storepath=/home/tomcat/.keystore
For Avamar 19.4 and below:
storepath=/home/admin/.keystore
- Run the following command to print the certificate expiration dates:
storepass=`ask_pass -r keystore_passphrase` && echo "MC Root certificates: " && keytool -list -keystore /usr/local/avamar/lib/avamar_keystore -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "MCSDK certificate: " && keytool -list -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "Admin/DTLT certificate: " && keytool -list -alias tomcat -keystore $storepath -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "Avi certificate: " && keytool -list -alias tomcat -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $storepass -v | egrep "Alias name|Valid from" && echo && echo "Apache certificate: " && openssl x509 -in /etc/apache2/ssl.crt/server.crt -noout -dates
Sample outputs (based on commands run on February 18, 2026):

MC Root certificates:
Alias name: mcectls
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
Alias name: mcrsatls
Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Feb 12 20:21:50 PST 2030
Alias name: mcecroot
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
Alias name: mcrsaroot
Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Feb 12 20:21:49 PST 2030

MCSDK certificate:
Alias name: mcssl
Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
Alias name: mcjwt
Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035

Admin/DTLT certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035

Avi certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035

Apache certificate:
notBefore=Feb 1 04:49:34 2022 GMT
notAfter=Jan 31 04:49:34 2027 GMT

(Nothing has expired)

MC Root certificates:
Alias name: mcectls
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Mar 12 20:21:48 PST 2026
Alias name: mcrsatls
Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Mar 12 20:21:50 PST 2026
Alias name: mcecroot
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Mar 12 20:21:48 PST 2026
Alias name: mcrsaroot
Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Mar 12 20:21:49 PST 2026

MCSDK certificate:
Alias name: mcssl
Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
Alias name: mcjwt
Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035

Admin/DTLT certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035

Avi certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035

Apache certificate:
notBefore=Feb 1 04:49:34 2022 GMT
notAfter=Jan 31 04:49:34 2027 GMT

(The MC Root certificates are expiring within a month)

MC Root certificates:
Alias name: mcectls
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2026
Alias name: mcrsatls
Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Feb 12 20:21:50 PST 2026
Alias name: mcecroot
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2026
Alias name: mcrsaroot
Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Feb 12 20:21:49 PST 2026

MCSDK certificate:
Alias name: mcssl
Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
Alias name: mcjwt
Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035

Admin/DTLT certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035

Avi certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035

Apache certificate:
notBefore=Feb 1 04:49:34 2022 GMT
notAfter=Jan 31 04:49:34 2027 GMT

(The MC Root certificates have expired)

MC Root certificates:
Alias name: mcectls
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
Alias name: mcrsatls
Valid from: Thu Feb 13 20:21:50 PST 2025 until: Tue Feb 12 20:21:50 PST 2030
Alias name: mcecroot
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Feb 12 20:21:48 PST 2030
Alias name: mcrsaroot
Valid from: Thu Feb 13 20:21:49 PST 2025 until: Tue Feb 12 20:21:49 PST 2030

MCSDK certificate:
Alias name: mcssl
Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
Alias name: mcjwt
Valid from: Thu Feb 13 20:21:45 PST 2025 until: Sun Feb 11 20:21:45 PST 2035

Admin/DTLT certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:02 PST 2025 until: Sun Feb 11 20:22:02 PST 2035

Avi certificate:
Alias name: tomcat
Valid from: Thu Feb 13 20:22:00 PST 2025 until: Sun Feb 11 20:22:00 PST 2035

Apache certificate:
notBefore=Feb 1 04:49:34 2021 GMT
notAfter=Jan 31 04:49:34 2026 GMT

(The Apache certificate has expired.)
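
The review of the expiration dates can be automated. The following is an added example, not part of the original article or of Avamar's tooling: a shell function (hypothetical name cert_expiry_report) that reads the output of the expiration command above and labels each certificate OK, EXPIRING, or EXPIRED relative to a reference date. It compares calendar days only (time of day and time zone are ignored), and the sample input is constructed in the format shown above.

```bash
#!/usr/bin/env bash
# Added example: classify certificate expirations from the review command output.
# Usage: <review command> | cert_expiry_report [REF_DATE] [WARN_DAYS]
#   REF_DATE  YYYY-MM-DD, defaults to today
#   WARN_DAYS days before expiry that count as EXPIRING, defaults to 30
# Output: one line per certificate: STATUS DAYS_LEFT SECTION[/ALIAS]
cert_expiry_report() {
  local ref="${1:-$(date +%Y-%m-%d)}" warn="${2:-30}"
  awk -v ref="$ref" -v warn="$warn" '
    # Days since 1970-01-01 for a Gregorian calendar date.
    function days(y, m, d,    era, yoe, doy, doe) {
      if (m <= 2) y--
      era = int((y >= 0 ? y : y - 399) / 400)
      yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      return era * 146097 + doe - 719468
    }
    # Three-letter English month name to month number.
    function month(name) {
      return (index("JanFebMarAprMayJunJulAugSepOctNovDec", name) + 2) / 3
    }
    function report(name, y, m, d,    left, status) {
      left = days(y, m, d) - today
      status = (left < 0) ? "EXPIRED" : (left <= warn) ? "EXPIRING" : "OK"
      printf "%s %d %s\n", status, left, name
    }
    BEGIN { split(ref, r, "-"); today = days(r[1], r[2], r[3]) }
    # Section headers echoed by the command, e.g. "MC Root certificates:".
    /certificates?: *$/ { section = $0; sub(/ certificates?: *$/, "", section) }
    /Alias name:/ { alias = $NF }
    /Valid from:/ {
      # keytool: "Valid from: <date> until: Tue Feb 12 20:21:48 PST 2030"
      # Fields after "until:" are weekday, month, day, time, zone, year.
      # The weekday is ignored, so an inconsistent weekday cannot skew the result.
      split(substr($0, index($0, "until:") + 7), u, " ")
      report(section "/" alias, u[6], month(u[2]), u[3])
    }
    /^notAfter=/ {
      # openssl: "notAfter=Jan 31 04:49:34 2027 GMT"
      split(substr($0, 10), u, " ")
      report(section, u[4], month(u[1]), u[2])
    }
  '
}

# Constructed sample input in the format printed by the review command.
SAMPLE_OUTPUT='MC Root certificates:
Alias name: mcectls
Valid from: Thu Feb 13 20:21:48 PST 2025 until: Tue Mar 12 20:21:48 PST 2026
MCSDK certificate:
Alias name: mcssl
Valid from: Thu Feb 13 20:21:43 PST 2025 until: Sun Feb 11 20:21:43 PST 2035
Apache certificate:
notBefore=Feb  1 04:49:34 2021 GMT
notAfter=Jan 31 04:49:34 2026 GMT'

# Demo run against the constructed sample with a fixed reference date.
printf '%s\n' "$SAMPLE_OUTPUT" | cert_expiry_report 2026-02-18 30
```

On the utility node, pipe the real output of the expiration command into the function instead of the sample.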
Update the appropriate certificates from the applicable section in the appendix below:
- Regenerating the Apache certificates only
- Regenerating the Tomcat certificates only
- Regenerating the AVI certificates only
- Regenerating the Management Console Server (MCS) developer kit (MCSDK) certificates
- Regenerating the Management Console (MC) root certificates
- Regenerating all certificates
Perform post change verifications:
- Verify that all Avamar services are running:
dpnctl status
- Perform a test backup
- Perform a backup browse for restore
Appendix:
Regenerating the Apache certificates only:
The Apache certificates are stored as regular Privacy Enhanced Mail (PEM) formatted certificate files.
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Make a backup copy of the existing certificate files:
cp -p /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.crt/server.crt.`date +%y%m%d`
cp -p /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.`date +%y%m%d`
- Verify that the backup copy exists:
ls -al /etc/apache2/ssl.crt/server.crt*
ls -al /etc/apache2/ssl.key/server.key*
- The Apache certificate can be updated using GoAV (v18.4 and later) OR by running a script on Avamar:
GoAV command (and sample output):
./goav security certificate apache regenerate
╔════════════════════════════════════════════════════════╗
║                       GoAV v2.02                       ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC                          ║
║ Date  : 18 Feb 2026 04:52 UTC                          ║
║ Avamar: 19.4.100-124                                   ║
╟────────────────────────────────────────────────────────╢
║ Command:./goav security certificate apache regenerate  ║
╟────────────────────────────────────────────────────────╢
║     NOTE: This tool was created and is maintained      ║
║             by the ISG Support Tools team.             ║
╚════════════════════════════════════════════════════════╝
┃ Select a Key Size in bits:
┃ > 2048
┃   3072
┃   4096
(Select the required key size, or take the default of 2048)
Apache x509 Certificate Configuration
-------------------------------------
Apache Private Key
------------------
Location /etc/apache2/ssl.key/server.key
Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
Key Size 2048
Apache Server Cert
------------------
Location /etc/apache2/ssl.crt/server.crt
Serial 129741042722659803976190762572696306257
Subject C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
Issuer C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
Valid Range YYYY/MM/DD - valid from: 2026/02/18, valid to: 2028/02/18
Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
Key Size 2048
Subject Alt Names server.company.com
-- Or --
Avamar Script (and sample output):
gen-ssl-cert --updateapache --noupdateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
openssl genrsa -out /tmp/gen-ssl-cert-server.key.9085 3072
Generating RSA private key, 3072 bit long modulus
e is 65537 (0x10001)
openssl req -new -key /tmp/gen-ssl-cert-server.key.9085 -out /tmp/gen-ssl-cert-server.csr.9085 < /tmp/gen-ssl-cert-answers.9085
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
...
|-30200 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
`-30206 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
/sbin/service apache2 stop
/sbin/service apache2 start
Regenerating the Tomcat certificates only:
- The Tomcat keystore stores the Tomcat certificates.
- It regenerates "/home/tomcat/.keystore" or "/home/admin/.keystore" depending on the Avamar version.
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Make a backup copy of the existing keystore:
cp -p /home/tomcat/.keystore /home/tomcat/.keystore.`date +%y%m%d`
(Substitute /home/admin/.keystore for /home/tomcat/.keystore in Avamar 19.4 and lower)
- Verify that the backup copy exists:
ls -al /home/tomcat/.keystore*
(Substitute /home/admin/.keystore for /home/tomcat/.keystore in Avamar 19.4 and lower)
- The keystore can be updated using GoAV OR by running commands on Avamar:
GoAV command (and sample output):
./goav security keystore regenerate
╔════════════════════════════════════════════════════════╗
║                       GoAV v2.02                       ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC                          ║
║ Date  : 18 Feb 2026 05:37 UTC                          ║
║ Avamar: 19.4.100-124                                   ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav security keystore    ║
║         regenerate                                     ║
╟────────────────────────────────────────────────────────╢
║     NOTE: This tool was created and is maintained      ║
║             by the ISG Support Tools team.             ║
╚════════════════════════════════════════════════════════╝
┃ Select Keystore to Regenerate
┃   RMI_SSL_KEYSTORE
┃   AVAMAR_KEYSTORE
┃   AVI_KEYSTORE
┃ > TOMCAT_KEYSTORE
(Select the TOMCAT_KEYSTORE)
⣯ Fixing any Tomcat issues ...
══════════════════ Fixing Keystore Issues ══════════════════
Regenerated Tomcat Keystore ✓
═══════════════════ Restarting Services ═══════════════════
┃ Tomcat restart required, restart Tomcat?
┃
┃ yes no
(Select "yes")
═══════════════════ Restarting Services ═══════════════════
⣻ Restarting Tomcat...
...
Tomcat restarted
-- Or --
Avamar Commands:
- Set the TOMCAT_KEYSTORE variable:
For Avamar v19.7 and later:
TOMCAT_KEYSTORE=/home/tomcat/.keystore
For Avamar 19.4 and below:
TOMCAT_KEYSTORE=/home/admin/.keystore
- Regenerate the Tomcat keystore by running the following commands:
mv $TOMCAT_KEYSTORE /home/admin/tomcat_keystore.bak
keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 3072 -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase) -validity 3650 -dname "CN=$(hostname -f), OU=Dell EMC, O=Dell Technologies, L=Irvine, ST=California, C=US"
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase)
- Update the permissions and ownership of the keystore:
For Avamar v19.7 and later:
chmod 640 $TOMCAT_KEYSTORE
chown root:tomcat $TOMCAT_KEYSTORE
For Avamar 19.4 and below:
chmod 740 $TOMCAT_KEYSTORE
chown admin:admin $TOMCAT_KEYSTORE
Regenerating the AVI certificates only:
Regenerates /usr/local/avamar/lib/avi/avi_keystore
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Make a backup copy of the existing keystore:
cp -p /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore.`date +%y%m%d`
- Verify that the backup copy exists:
ls -al /usr/local/avamar/lib/avi/avi_keystore*
- The keystore can be updated using GoAV OR by running commands on Avamar:
GoAV commands (and sample outputs):
./goav security keystore regenerate
╔════════════════════════════════════════════════════════╗
║                       GoAV v2.02                       ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC                          ║
║ Date  : 18 Feb 2026 05:37 UTC                          ║
║ Avamar: 19.4.100-124                                   ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav security keystore    ║
║         regenerate                                     ║
╟────────────────────────────────────────────────────────╢
║     NOTE: This tool was created and is maintained      ║
║             by the ISG Support Tools team.             ║
╚════════════════════════════════════════════════════════╝
┃ Select Keystore to Regenerate
┃   RMI_SSL_KEYSTORE
┃   AVAMAR_KEYSTORE
┃ > AVI_KEYSTORE
┃   TOMCAT_KEYSTORE
(Select the AVI_KEYSTORE)
...
══════════════════ Fixing Keystore Issues ══════════════════
Regenerated Avi Keystore ✓
═══════════════════ Restarting Services ═══════════════════
┃ Avinstaller restart required, restart AVI?
┃
┃ yes no
(Select "yes")
═══════════════════ Restarting Services ═══════════════════
⣽ Restarting Avinstaller...
...
Avinstaller restarted
-- Or --
Avamar commands (and sample output):
(The service automatically restarts)
mv /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore-$(date -I)
gen-ssl-cert --norestart --noupdateapache --updateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
gen-ssl-cert: INFO: Regenerating avinstaller SSL certifcate
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keypass ######### -storepass ########## -keystore /usr/local/avamar/lib/avi/avi_keystore -validity 3650 -dname "CN=server.company.com, O=Dell Technologies, OU=Dell EMC, L=Irvine, S=CA, C=US"
gen-ssl-cert: INFO: Successfully created tomcat in java keystore
gen-ssl-cert: INFO: Restarting avinstaller service
gen-ssl-cert: INFO: avinstaller service restart complete
gen-ssl-cert: INFO: Restarting LDLS service
gen-ssl-cert: INFO: LDLS service restart complete
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Certificate stored in file </tmp/mcssl.pem>
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Owner: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Issuer: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Serial number: d93e3be
Valid from: Wed Feb 18 16:11:15 PST 2026 until: Sat Feb 16 16:11:15 PST 2036
Certificate fingerprints:
SHA1: 82:82:81:B4:C9:BD:03:E1:8A:E0:AE:8A:59:55:EF:B5:1F:3B:27:5F
SHA256: AC:E7:AE:CE:04:13:E0:86:88:1E:3E:FA:17:DA:B6:A5:3D:3D:74:F3:EB:70:57:63:58:B1:74:B3:50:28:EA:01
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Trust this certificate? [no]:
Select "y".
Certificate was added to keystore
chmod 644 /usr/local/avamar/lib/avi/avi_keystore
chown avi:avi /usr/local/avamar/lib/avi/avi_keystore
Regenerating the Management Console Server (MCS) developer kit (MCSDK) certificates:
- This updates the Avamar RMI Keystore containing the MCSDK certificate and JWT signing key
- It regenerates "/usr/local/avamar/lib/rmi_ssl_keystore"
- The MCSDK certificate handles Java Remote Method Invocation (RMI) communications with Data Protection Central (DPC), the Avamar Administrator Console, the Proxy Deployment Manager (PDM), and Client Manager (AAM).
- The tomcat certificate should also be updated. The Tomcat keystore stores the Tomcat certificates.
- It regenerates "/home/tomcat/.keystore" or "/home/admin/.keystore" depending on the Avamar version
- The AVI certificates should also be updated
- It regenerates "/usr/local/avamar/lib/avi/avi_keystore"
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Make a backup copy of the existing keystores:
cp -p /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore.`date +%y%m%d`
cp -p /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore.`date +%y%m%d`
cp -p /home/tomcat/.keystore /home/tomcat/.keystore.`date +%y%m%d`
(Substitute /home/admin/.keystore for /home/tomcat/.keystore in Avamar 19.4 and lower)
- Verify that the backup copies exist:
ls -al /usr/local/avamar/lib/rmi_ssl_keystore*
ls -al /usr/local/avamar/lib/avi/avi_keystore*
ls -al /home/tomcat/.keystore*
(Substitute /home/admin/.keystore for /home/tomcat/.keystore in Avamar 19.4 and lower)
- Backup the MCS:
- Switch to admin.
- Run the following command to perform the backup (aka flush):
mcserver.sh --flush
=== BEGIN === check.mcs (preflush)
check.mcs passed
=== PASS === check.mcs PASSED OVERALL (preflush)
Flushing Administrator Server...
Administrator Server flushed.
- Type exit to return to the session as root.
- The keystores can be updated using GoAV OR by running commands on Avamar:
GoAV commands (and sample outputs):
- MCSDK:
./goav security keystore regenerate
╔════════════════════════════════════════════════════════╗
║                       GoAV v2.02                       ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC                          ║
║ Date  : 18 Feb 2026 05:37 UTC                          ║
║ Avamar: 19.4.100-124                                   ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav security keystore    ║
║         regenerate                                     ║
╟────────────────────────────────────────────────────────╢
║     NOTE: This tool was created and is maintained      ║
║             by the ISG Support Tools team.             ║
╚════════════════════════════════════════════════════════╝
┃ Select Keystore to Regenerate
┃ > RMI_SSL_KEYSTORE
┃   AVAMAR_KEYSTORE
┃   AVI_KEYSTORE
┃   TOMCAT_KEYSTORE
(Select the RMI_SSL_KEYSTORE)
⣯ Stopping MCS...
...
══════════════════ Fixing Keystore Issues ══════════════════
Regenerated RMI Keystore ✓
══════ Loading vCenter Certificates into RMI Keystore ══════
═══════════════════ Restarting Services ═══════════════════
┃ MCS restart required, restart MCS?
┃
┃ yes no
(Select "yes")
If the following is received:
unable to take mcs flush: The Administrator Server is not running.
ERROR: Cannot flush the Administrator Server while it is not running. Start the Administrator Server first.
Manually restart MCS by running the following command as admin:
mcserver.sh --start
- Tomcat:
./goav security keystore regenerate
╔════════════════════════════════════════════════════════╗
║                       GoAV v2.02                       ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC                          ║
║ Date  : 18 Feb 2026 05:37 UTC                          ║
║ Avamar: 19.4.100-124                                   ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav security keystore    ║
║         regenerate                                     ║
╟────────────────────────────────────────────────────────╢
║     NOTE: This tool was created and is maintained      ║
║             by the ISG Support Tools team.             ║
╚════════════════════════════════════════════════════════╝
┃ Select Keystore to Regenerate
┃   RMI_SSL_KEYSTORE
┃   AVAMAR_KEYSTORE
┃   AVI_KEYSTORE
┃ > TOMCAT_KEYSTORE
(Select the TOMCAT_KEYSTORE)
⣯ Fixing any Tomcat issues ...
══════════════════ Fixing Keystore Issues ══════════════════
Regenerated Tomcat Keystore ✓
═══════════════════ Restarting Services ═══════════════════
┃ Tomcat restart required, restart Tomcat?
┃
┃ yes no
(Select "yes")
═══════════════════ Restarting Services ═══════════════════
⣻ Restarting Tomcat...
...
Tomcat restarted
- AVI:
./goav security keystore regenerate
╔════════════════════════════════════════════════════════╗
║                       GoAV v2.02                       ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC                          ║
║ Date  : 18 Feb 2026 05:37 UTC                          ║
║ Avamar: 19.4.100-124                                   ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav security keystore    ║
║         regenerate                                     ║
╟────────────────────────────────────────────────────────╢
║     NOTE: This tool was created and is maintained      ║
║             by the ISG Support Tools team.             ║
╚════════════════════════════════════════════════════════╝
┃ Select Keystore to Regenerate
┃   RMI_SSL_KEYSTORE
┃   AVAMAR_KEYSTORE
┃ > AVI_KEYSTORE
┃   TOMCAT_KEYSTORE
(Select the AVI_KEYSTORE)
...
══════════════════ Fixing Keystore Issues ══════════════════
Regenerated Avi Keystore ✓
═══════════════════ Restarting Services ═══════════════════
┃ Avinstaller restart required, restart AVI?
┃
┃ yes no
(Select "yes")
═══════════════════ Restarting Services ═══════════════════
⣽ Restarting Avinstaller...
...
Avinstaller restarted ✓
-- Or --
Avamar Commands:
- MCSDK:
mv /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore-$(date -I)
keytool -genkeypair -v -alias mcssl -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
keytool -genkeypair -v -alias mcjwt -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
chown root:admin /usr/local/avamar/lib/rmi_ssl_keystore
chmod 660 /usr/local/avamar/lib/rmi_ssl_keystore
As admin:
mcserver.sh --stop
mcserver.sh --start
- Tomcat:
- Set the TOMCAT_KEYSTORE variable:
For Avamar v19.7 and later:
TOMCAT_KEYSTORE=/home/tomcat/.keystore
For Avamar 19.4 and below:
TOMCAT_KEYSTORE=/home/admin/.keystore
- Regenerate the Tomcat keystore by running the following commands:
mv $TOMCAT_KEYSTORE /home/admin/tomcat_keystore.bak
keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 3072 -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase) -validity 3650 -dname "CN=$(hostname -f), OU=Dell EMC, O=Dell Technologies, L=Irvine, ST=California, C=US"
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase)
- Update the permissions and ownership of the keystore:
For Avamar v19.7 and later:
chmod 640 $TOMCAT_KEYSTORE
chown root:tomcat $TOMCAT_KEYSTORE
For Avamar 19.4 and below:
chmod 740 $TOMCAT_KEYSTORE
chown admin:admin $TOMCAT_KEYSTORE
- AVI (The service automatically restarts):
mv /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore-$(date -I)
gen-ssl-cert --norestart --noupdateapache --updateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
gen-ssl-cert: INFO: Regenerating avinstaller SSL certifcate
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keypass ######### -storepass ########## -keystore /usr/local/avamar/lib/avi/avi_keystore -validity 3650 -dname "CN=server.company.com, O=Dell Technologies, OU=Dell EMC, L=Irvine, S=CA, C=US"
gen-ssl-cert: INFO: Successfully created tomcat in java keystore
gen-ssl-cert: INFO: Restarting avinstaller service
gen-ssl-cert: INFO: avinstaller service restart complete
gen-ssl-cert: INFO: Restarting LDLS service
gen-ssl-cert: INFO: LDLS service restart complete
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Certificate stored in file </tmp/mcssl.pem>
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Owner: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Issuer: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Serial number: d93e3be
Valid from: Wed Feb 18 16:11:15 PST 2026 until: Sat Feb 16 16:11:15 PST 2036
Certificate fingerprints:
SHA1: 82:82:81:B4:C9:BD:03:E1:8A:E0:AE:8A:59:55:EF:B5:1F:3B:27:5F
SHA256: AC:E7:AE:CE:04:13:E0:86:88:1E:3E:FA:17:DA:B6:A5:3D:3D:74:F3:EB:70:57:63:58:B1:74:B3:50:28:EA:01
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Trust this certificate? [no]:
Select "y".
Certificate was added to keystore
chmod 644 /usr/local/avamar/lib/avi/avi_keystore
chown avi:avi /usr/local/avamar/lib/avi/avi_keystore
Regenerating the Management Console Service (MCS) root certificates:
- This step updates all MCS root certificates.
- It regenerates "/usr/local/avamar/lib/avamar_keystore"
- These certificates should only be updated if they have expired or are about to expire.
- It affects client backups, restores, and replication if Session Security is enabled.
- The Global Storage Area Network (GSAN) certificates must also be regenerated.
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Make a backup copy of the existing keystore:
cp -p /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore.`date +%y%m%d`
- Verify that the backup copy exists:
ls -al /usr/local/avamar/lib/avamar_keystore*
- Backup the MCS:
- Switch to admin.
- Run the following command to perform the backup (aka flush):
mcserver.sh --flush
=== BEGIN === check.mcs (preflush)
check.mcs passed
=== PASS === check.mcs PASSED OVERALL (preflush)
Flushing Administrator Server...
Administrator Server flushed.
- Type "exit" to return to the session as root.
- The keystore can be updated using GoAV OR by running commands on Avamar:
GoAV command (and sample output):
./goav security keystore regenerate
╔════════════════════════════════════════════════════════╗
║                       GoAV v2.02                       ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC                          ║
║ Date  : 18 Feb 2026 05:37 UTC                          ║
║ Avamar: 19.4.100-124                                   ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav security keystore    ║
║         regenerate                                     ║
╟────────────────────────────────────────────────────────╢
║     NOTE: This tool was created and is maintained      ║
║             by the ISG Support Tools team.             ║
╚════════════════════════════════════════════════════════╝
┃ Select Keystore to Regenerate
┃   RMI_SSL_KEYSTORE
┃ > AVAMAR_KEYSTORE
┃   AVI_KEYSTORE
┃   TOMCAT_KEYSTORE
(Select the AVAMAR_KEYSTORE)
⣯ Stopping MCS...
...
══════════════════ Fixing Keystore Issues ══════════════════
⢿ Fixing any AVAMAR_KEYSTORE issues...
Regenerated Avamar Keystore ✓
═══════════════════ Restarting Services ═══════════════════
┃ MCS restart required, restart MCS?
┃
┃ yes no
←/→ toggle • enter submit • y yes • n no
(Select "yes")
If the following is received:
unable to take mcs flush: The Administrator Server is not running.
ERROR: Cannot flush the Administrator Server while it is not running. Start the Administrator Server first.
Manually restart MCS by running the following command as admin:
mcserver.sh --start
-- Or --
Avamar Commands (and sample output):
mv /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore-$(date -I)
mcrootca all
INFO: Executing mcrootca...
INFO: Initializing, may take a few moments...
INFO: Generating, saving and verifying MC EC root key and certificate...
INFO: Successfully generated, saved and verified MC EC root key and certificate.
INFO: Generating and saving EC TLS key and certificate...
INFO: Successfully generated and saved EC TLS key and certificate.
INFO: Verifying EC TLS certificate...
INFO: Successfully verified EC TLS certificate.
INFO: Test loading EC CA certificate(s)...
INFO: Successfully loaded EC CA certificate(s)...
INFO: Verifying EC CA certificate(s)...
INFO: Successfully verified EC CA certificate(s)...
INFO: Setting EC root key and certificate as new...
INFO: Successfully set EC root key and certificate as new.
INFO: Generating, saving and verifying MC RSA root key and certificate...
INFO: Successfully generated, saved and verified MC RSA root key and certificate.
INFO: Generating and saving RSA TLS key and certificate...
INFO: Successfully generated and saved RSA TLS key and certificate.
INFO: Verifying RSA TLS certificate...
INFO: Successfully verified RSA TLS certificate.
INFO: Test loading RSA CA certificate(s)...
INFO: Successfully loaded RSA CA certificate(s)...
INFO: Verifying RSA CA certificate(s)...
INFO: Successfully verified RSA CA certificate(s)...
INFO: Test loading TLS certificate...
INFO: Successfully loaded TLS certificate.
INFO: Verifying TLS certificate...
INFO: Successfully verified TLS certificate.
INFO: Setting RSA root key and certificate as new...
INFO: Successfully set RSA root key and certificate as new.
INFO: mcrootca exited with return value = 0
As admin:
mcserver.sh --stop
mcserver.sh --start
- Regenerate the GSAN certificates:
- Backup the "/usr/local/avamar/etc" directory:
tar -cvf /home/admin/avamar_etc_bk.`date +%y%m%d` /usr/local/avamar/etc/
- Run the following command:
enable_secure_config.sh --certs
- Update the Data Domain (DD) certificate store:
This can again be done using the GoAV utility, or manually.
GoAV command and sample output:
./goav dd check-ssl --fix
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 18 Feb 2026 05:37 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav dd check-ssl --fix ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
Session Security Enabled PASSED
DDR Security Feature Manual Flag PASSED
DDR Host Cert Auto Refresh Flag PASSED
GSAN Cert Chain Expiration PASSED
GSAN Server Cert Expiration PASSED
Get Attached Data Domains PASSED
Check DDR Key exists PASSED
Test Port 22: dl003.company.com PASSED
Test ddr_key ssh auth: dl003.company.com PASSED
DD/Avamar time difference: dl003.company.com PASSED
DD SCP enabled: dl003.company.com PASSED
DD NFS enabled: dl003.company.com PASSED
DD system passphrase is set: dl003.company.com PASSED
DD imported-host ddboost: dl003.company.com PASSED
DD host issuer is attached: dl003.company.com PASSED
Av chain.pem imported to DD: dl003.company.com FAILED
avamar gsan chain.pem does not exist on Data Domain
TASK: Delete imported-host ddboost DONE
TASK: Load gsan chain depth 0 DONE
TASK: Delete imported ca/login auth DONE
TASK: Restart ddboost DONE
TASK: Stop MCS DONE
TASK: Start MCS DONE
TASK: Sync Data Domain DONE
Backup Scheduler Status FAILED
Removed /usr/local/avamar/etc/10.n.n.16 ✓
Removed /usr/local/avamar/etc/client/10.n.n.16 ✓
Generating new certificates...
"/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
2025/01/18-18:20:51.46677 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
2026/02/18-18:20:52.13501 [avagent] Config: VARDIR=/usr/local/avamar/var, HOMEDIR=/root
2026/02/18-18:20:52.13506 [avagent] Looking for flag file "/usr/local/avamar/var/avamar.cmd"
2026/02/18-18:20:52.13509 [avagent] Looking for flag file "/usr/local/avamar/var/avagent.cmd"
2026/02/18-18:20:52.13517 [avagent] Looking for flag file "/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
2026/02/18-18:20:52.14446 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/client/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/client/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
Generated certificates for 10.n.n.16 ✓
Testing Avtar connection...
avtar Info <5551>: Command Line: /usr/local/avamar/bin/avtar.bin --flagfile=/usr/local/avamar/etc/usersettings.cfg --server=avacrk003 --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --id=root --password=**************** --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --sysdir=/usr/local/avamar/etc --backups --account=/MC_BACKUPS --count=10 --encrypt=tls
avtar Info <7977>: Starting at 2026-02-18 18:20:53 GMT [avtar Dec 8 2023 07:07:43 19.10.100-135 Linux-x86_64]
avtar Info <6555>: Initializing connection
avtar Info <5552>: Connecting to Avamar Server (avacrk003)
avtar Info <5554>: Connecting to one node in each datacenter
avtar Info <5583>: Login User: "root", Domain: "default", Account: "/MC_BACKUPS"
avtar Info <5580>: Logging in on connection 0 (server 0)
avtar Info <5582>: Avamar Server login successful
avtar Info <10632>: Using Client-ID='6638d648ef621aa9dc20be40ab49e0820dac9b39'
avtar Info <5550>: Successfully logged into Avamar Server [19.10.0-135]
avtar Info <19849>: Selecting 10 backups
avtar Info <7377>: Backups for /MC_BACKUPS as of 2025-11-25 18:20:53 GMT
avtar Info <5314>: Command completed (exit code 0: success)
Date Time Seq Label Size Plugin Working directory Targets
2026-02-18 18:15:56 3726 2034984K Linux /usr/local/avamar var/mc/server_data
2026-02-17 18:08:30 3725 2034952K Linux /usr/local/avamar var/mc/server_data
2026-02-16 17:31:43 3724 2033952K Linux /usr/local/avamar var/mc/server_data
2026-02-15 08:00:31 3723 1035390K Linux /usr/local/avamar var/mc/server_data
2026-02-14 07:45:20 3722 1035346K Linux /usr/local/avamar var/mc/server_data
2026-02-13 08:00:29 3721 1035313K Linux /usr/local/avamar var/mc/server_data
2026-02-12 07:45:19 3720 1035269K Linux /usr/local/avamar var/mc/server_data
2026-02-11 08:00:30 3719 1035419K Linux /usr/local/avamar var/mc/server_data
2026-02-10 07:45:18 3718 1035377K Linux /usr/local/avamar var/mc/server_data
2026-02-09 08:00:30 3717 1035511K Linux /usr/local/avamar var/mc/server_data
-- Or --
Manual Steps:
- Follow "Scenario 1" in the resolution path article Avamar: DD Showing Red in Avamar AUI
- Generate a new set of client certificates for avtar if they exist:
Check for client certificates in BOTH "/usr/local/avamar/etc" and "/usr/local/avamar/etc/client":
cd /usr/local/avamar/etc/$(hostname -i)
cd /usr/local/avamar/etc/client/$(hostname -i)
If both commands report "No such file or directory", it means that Avamar is not using the client certificate. Go to Step 9.
If either directory exists, follow steps c-e below.
- Remove the existing client certificate directory:
Caution: Copy the commands below as shown. DO NOT MODIFY THEM.
rm -r /usr/local/avamar/etc/$(hostname -i)
rm -r /usr/local/avamar/etc/client/$(hostname -i)
- Generate a new set of client certificates for avtar only for the existing directories from above:
avagent.bin --gencerts=true --mcsaddr=$(hostname -i)
avagent.bin --gencerts=true --mcsaddr=$(hostname -i) --sysdir=/usr/local/avamar/etc/client
- Test a connection to confirm if avtar can connect to the GSAN:
avtar --backups --path=/MC_BACKUPS --count=5 --encrypt=tls
- Re-register the clients and VMware proxies.
- Re-register the agent-based clients:
mccli client re-register-all
- Re-register the VMware proxies by rebooting them centrally from Avamar:
mccli mcs reboot-proxy --all
Regenerating all certificates:
All certificates and keystores documented above are regenerated.
- Log in to the Avamar Utility Node as admin.
- Elevate to root privilege.
- Make a backup copy of the existing keystores:
cp -p /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore.`date +%y%m%d`
cp -p /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore.`date +%y%m%d`
cp -p /home/tomcat/.keystore /home/tomcat/.keystore.`date +%y%m%d`
cp -p /etc/apache2/ssl.crt/server.crt /etc/apache2/ssl.crt/server.crt.`date +%y%m%d`
cp -p /etc/apache2/ssl.key/server.key /etc/apache2/ssl.key/server.key.`date +%y%m%d`
cp -p /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore.`date +%y%m%d`
(Substitute /home/admin/.keystore for /home/tomcat/.keystore in Avamar 19.4 and lower)
- Verify that the backup copies exist:
ls -al /usr/local/avamar/lib/rmi_ssl_keystore*
ls -al /usr/local/avamar/lib/avi/avi_keystore*
ls -al /home/tomcat/.keystore*
ls -al /etc/apache2/ssl.crt/server.crt*
ls -al /etc/apache2/ssl.key/server.key*
ls -al /usr/local/avamar/lib/avamar_keystore*
(Substitute /home/admin/.keystore for /home/tomcat/.keystore in Avamar 19.4 and lower)
- Backup the MCS:
- Switch to admin.
- Run the following command to perform the backup (aka flush):
mcserver.sh --flush
=== BEGIN === check.mcs (preflush)
check.mcs passed
=== PASS === check.mcs PASSED OVERALL (preflush)
Flushing Administrator Server...
Administrator Server flushed.
- Type exit to return to the session as root.
- GoAV can be used to regenerate all keystores at once. Alternatively, the commands can be run on Avamar.
GoAV commands and sample outputs:
- Regenerate all keystores:
./goav security keystore regenerate --all
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 19 Feb 2026 05:33 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:./goav security keystore regenerate --all ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
⣯ Stopping MCS...
...
Regenerated RMI Keystore ✓
Regenerated Avamar Keystore ✓
Regenerated Avi Keystore ✓
Regenerated Tomcat Keystore ✓
══════ Loading vCenter Certificates into RMI Keystore ══════
═══════════════════ Restarting Services ═══════════════════
┃ MCS restart required, restart MCS?
┃
┃ yes no
(Select "yes")
If the following is received:
unable to take mcs flush: The Administrator Server is not running.
ERROR: Cannot flush the Administrator Server while it is not running. Start the Administrator Server first.
Manually restart MCS by running the following command as admin:
mcserver.sh --start
- Apache certificate:
./goav security certificate apache regenerate
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 18 Feb 2026 04:52 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:./goav security certificate apache regenerate ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
┃ Select a Key Size in bits:
┃ > 2048
┃ 3072
┃ 4096
(Select the required key size, or take the default of 2048)
Apache x509 Certificate Configuration
-------------------------------------
Apache Private Key
------------------
Location /etc/apache2/ssl.key/server.key
Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
Key Size 2048
Apache Server Cert
------------------
Location /etc/apache2/ssl.crt/server.crt
Serial 129741042722659803976190762572696306257
Subject C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
Issuer C=US, ST=Texas, L=Round Rock, O=Dell Technologies, CN=server.company.com
Valid Range YYYY/MM/DD - valid from: 2026/02/18, valid to: 2028/02/18
Modulus MD5sum 0d35d9c14239093d4f5e28bd5f2f98c8
Key Size 2048
Subject Alt Names server.company.com
Avamar commands and sample outputs:
- MCS Root certificates:
mv /usr/local/avamar/lib/avamar_keystore /usr/local/avamar/lib/avamar_keystore-$(date -I)
mcrootca all
INFO: Executing mcrootca...
INFO: Initializing, may take a few moments...
INFO: Generating, saving and verifying MC EC root key and certificate...
INFO: Successfully generated, saved and verified MC EC root key and certificate.
INFO: Generating and saving EC TLS key and certificate...
INFO: Successfully generated and saved EC TLS key and certificate.
INFO: Verifying EC TLS certificate...
INFO: Successfully verified EC TLS certificate.
INFO: Test loading EC CA certificate(s)...
INFO: Successfully loaded EC CA certificate(s)...
INFO: Verifying EC CA certificate(s)...
INFO: Successfully verified EC CA certificate(s)...
INFO: Setting EC root key and certificate as new...
INFO: Successfully set EC root key and certificate as new.
INFO: Generating, saving and verifying MC RSA root key and certificate...
INFO: Successfully generated, saved and verified MC RSA root key and certificate.
INFO: Generating and saving RSA TLS key and certificate...
INFO: Successfully generated and saved RSA TLS key and certificate.
INFO: Verifying RSA TLS certificate...
INFO: Successfully verified RSA TLS certificate.
INFO: Test loading RSA CA certificate(s)...
INFO: Successfully loaded RSA CA certificate(s)...
INFO: Verifying RSA CA certificate(s)...
INFO: Successfully verified RSA CA certificate(s)...
INFO: Test loading TLS certificate...
INFO: Successfully loaded TLS certificate.
INFO: Verifying TLS certificate...
INFO: Successfully verified TLS certificate.
INFO: Setting RSA root key and certificate as new...
INFO: Successfully set RSA root key and certificate as new.
INFO: mcrootca exited with return value = 0
As admin:
mcserver.sh --stop
mcserver.sh --start
- MCSDK:
mv /usr/local/avamar/lib/rmi_ssl_keystore /usr/local/avamar/lib/rmi_ssl_keystore-$(date -I)
keytool -genkeypair -v -alias mcssl -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
keytool -genkeypair -v -alias mcjwt -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keystore /usr/local/avamar/lib/rmi_ssl_keystore -validity 3650 -dname "CN=$(hostname -f), OU=Avamar, O=DELL-EMC, L=Irvine, ST=California, C=US" -storepass `ask_pass -r keystore_passphrase` -keypass `ask_pass -r keystore_passphrase` -noprompt
chown root:admin /usr/local/avamar/lib/rmi_ssl_keystore
chmod 660 /usr/local/avamar/lib/rmi_ssl_keystore
As admin:
mcserver.sh --stop
mcserver.sh --start
- Tomcat:
- Set the TOMCAT_KEYSTORE variable:
For Avamar v19.7 and later:
TOMCAT_KEYSTORE=/home/tomcat/.keystore
For Avamar 19.4 and below:
TOMCAT_KEYSTORE=/home/admin/.keystore
- Regenerate the Tomcat keystore by running the following commands:
mv $TOMCAT_KEYSTORE /home/admin/tomcat_keystore.bak
keytool -genkeypair -v -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 3072 -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase) -validity 3650 -dname "CN=$(hostname -f), OU=Dell EMC, O=Dell Technologies, L=Irvine, ST=California, C=US"
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore $TOMCAT_KEYSTORE -storepass $(avlockbox.sh -r keystore_passphrase)
- Update the permissions and ownership of the keystore:
For Avamar v19.7 and later:
chmod 640 $TOMCAT_KEYSTORE
chown root:tomcat $TOMCAT_KEYSTORE
For Avamar 19.4 and below:
chmod 740 $TOMCAT_KEYSTORE
chown admin:admin $TOMCAT_KEYSTORE
- AVI (The service automatically restarts):
mv /usr/local/avamar/lib/avi/avi_keystore /usr/local/avamar/lib/avi/avi_keystore-$(date -I)
gen-ssl-cert --norestart --noupdateapache --updateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
gen-ssl-cert: INFO: Regenerating avinstaller SSL certifcate
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA512withRSA -keysize 3072 -keypass ######### -storepass ########## -keystore /usr/local/avamar/lib/avi/avi_keystore -validity 3650 -dname "CN=server.company.com, O=Dell Technologies, OU=Dell EMC, L=Irvine, S=CA, C=US"
gen-ssl-cert: INFO: Successfully created tomcat in java keystore
gen-ssl-cert: INFO: Restarting avinstaller service
gen-ssl-cert: INFO: avinstaller service restart complete
gen-ssl-cert: INFO: Restarting LDLS service
gen-ssl-cert: INFO: LDLS service restart complete
keytool -export -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/rmi_ssl_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Certificate stored in file </tmp/mcssl.pem>
keytool -import -file /tmp/mcssl.pem -alias mcssl -keystore /usr/local/avamar/lib/avi/avi_keystore -storepass $(avlockbox.sh -r keystore_passphrase)
Owner: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Issuer: CN=server.company.com, OU=Avamar, O=Dell, L=Irvine, ST=California, C=US
Serial number: d93e3be
Valid from: Wed Feb 18 16:11:15 PST 2026 until: Sat Feb 16 16:11:15 PST 2036
Certificate fingerprints:
SHA1: 82:82:81:B4:C9:BD:03:E1:8A:E0:AE:8A:59:55:EF:B5:1F:3B:27:5F
SHA256: AC:E7:AE:CE:04:13:E0:86:88:1E:3E:FA:17:DA:B6:A5:3D:3D:74:F3:EB:70:57:63:58:B1:74:B3:50:28:EA:01
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 3072-bit RSA key
Version: 3
Trust this certificate? [no]:
Select "y".
Certificate was added to keystore
chmod 644 /usr/local/avamar/lib/avi/avi_keystore
chown avi:avi /usr/local/avamar/lib/avi/avi_keystore
- Apache certificate:
gen-ssl-cert --updateapache --noupdateavi --keystorepwd=$(avlockbox.sh -r keystore_passphrase) --verbose
openssl genrsa -out /tmp/gen-ssl-cert-server.key.9085 3072
Generating RSA private key, 3072 bit long modulus
e is 65537 (0x10001)
openssl req -new -key /tmp/gen-ssl-cert-server.key.9085 -out /tmp/gen-ssl-cert-server.csr.9085 < /tmp/gen-ssl-cert-answers.9085
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
...
|-30200 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
`-30206 /usr/sbin/httpd-prefork -DSYSCONFIG -DSSL -C PidFile /var/run/httpd.pid -C Include /etc/apache2/sysconfig.d//loadmodule.conf -C Include /etc/apache2/sysconfig.d//global.conf -f /etc/apache2/httpd.conf -c Include /etc/apache2/sysconfig.d//include.conf -DSYSTEMD -DFOREGROUND -k start
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.
/sbin/service apache2 stop
/sbin/service apache2 start
- Regenerate the GSAN certificates:
- Backup the "/usr/local/avamar/etc" directory:
tar -cvf /home/admin/avamar_etc_bk.`date +%y%m%d` /usr/local/avamar/etc/
- Run the following command:
enable_secure_config.sh --certs
- Update the Data Domain (DD) certificate store:
This can again be done using the GoAV utility, or manually.
GoAV command and sample output:
./goav dd check-ssl --fix
╔════════════════════════════════════════════════════════╗
║ GoAV v2.02 ║
╟────────────────────────────────────────────────────────╢
║ Build : 02 Feb 2026 19:03 UTC ║
║ Date : 18 Feb 2026 05:37 UTC ║
║ Avamar: 19.4.100-124 ║
╟────────────────────────────────────────────────────────╢
║ Command:/home/admin/20260218/goav dd check-ssl --fix ║
╟────────────────────────────────────────────────────────╢
║ NOTE: This tool was created and is maintained ║
║ by the ISG Support Tools team. ║
╚════════════════════════════════════════════════════════╝
Session Security Enabled PASSED
DDR Security Feature Manual Flag PASSED
DDR Host Cert Auto Refresh Flag PASSED
GSAN Cert Chain Expiration PASSED
GSAN Server Cert Expiration PASSED
Get Attached Data Domains PASSED
Check DDR Key exists PASSED
Test Port 22: dl003.company.com PASSED
Test ddr_key ssh auth: dl003.company.com PASSED
DD/Avamar time difference: dl003.company.com PASSED
DD SCP enabled: dl003.company.com PASSED
DD NFS enabled: dl003.company.com PASSED
DD system passphrase is set: dl003.company.com PASSED
DD imported-host ddboost: dl003.company.com PASSED
DD host issuer is attached: dl003.company.com PASSED
Av chain.pem imported to DD: dl003.company.com FAILED
avamar gsan chain.pem does not exist on Data Domain
TASK: Delete imported-host ddboost DONE
TASK: Load gsan chain depth 0 DONE
TASK: Delete imported ca/login auth DONE
TASK: Restart ddboost DONE
TASK: Stop MCS DONE
TASK: Start MCS DONE
TASK: Sync Data Domain DONE
Backup Scheduler Status FAILED
Removed /usr/local/avamar/etc/10.n.n.16 ✓
Removed /usr/local/avamar/etc/client/10.n.n.16 ✓
Generating new certificates...
"/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16
2025/01/18-18:20:51.46677 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
2026/02/18-18:20:52.13501 [avagent] Config: VARDIR=/usr/local/avamar/var, HOMEDIR=/root
2026/02/18-18:20:52.13506 [avagent] Looking for flag file "/usr/local/avamar/var/avamar.cmd"
2026/02/18-18:20:52.13509 [avagent] Looking for flag file "/usr/local/avamar/var/avagent.cmd"
2026/02/18-18:20:52.13517 [avagent] Looking for flag file "/usr/local/avamar/var/.avagent"
avagent Info <19803>: Ignoring the --service flag.
avagent Info <5702>: Command Line: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
avagent Info <5703>: Parsed Flags: avagent.bin --gencerts=true --mcsaddr=10.n.n.16 --sysdir=/usr/local/avamar/etc/client
2026/02/18-18:20:52.14446 [avagent] <1291> FIPS mode enabled
avagent Info <42249>: Checking for stale certificate lock
avagent Info <19805>: Creating directory '/usr/local/avamar/etc/client/10.n.n.16' for certificates
avagent Info <19807>: Creating certificates in '/usr/local/avamar/etc/client/10.n.n.16'
avagent Info <43701>: agent_message::resolve_client_ip ping to MCS 10.n.n.16:10.n.n.16 using local IP:(none) failed, Program malfunction, Parse bind IP failed for IP: (none)
avagent Info <18918>: Registration: Processing secure registration with the MCS.
avagent Info <18921>: Registration: Requesting root CA from the MCS.
avagent Info <18926>: Registration: Saving root CA.
avagent Info <18928>: Registration: Creating certificate signing request.
avagent Info <18930>: Registration: Sending the certificate signing request to the MCS.
avagent Info <18932>: Registration: Saving client certificate.
avagent Info <18934>: Registration: Secure registration complete.
avagent Info <41048>: Requesting network configuration from the MCS.
avagent Info <5405>: avagent returning with exitcode 0
Generated certificates for 10.n.n.16 ✓
Testing Avtar connection...
avtar Info <5551>: Command Line: /usr/local/avamar/bin/avtar.bin --flagfile=/usr/local/avamar/etc/usersettings.cfg --server=avacrk003 --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --id=root --password=**************** --vardir=/usr/local/avamar/var --bindir=/usr/local/avamar/bin --sysdir=/usr/local/avamar/etc --backups --account=/MC_BACKUPS --count=10 --encrypt=tls
avtar Info <7977>: Starting at 2026-02-18 18:20:53 GMT [avtar Dec 8 2023 07:07:43 19.10.100-135 Linux-x86_64]
avtar Info <6555>: Initializing connection
avtar Info <5552>: Connecting to Avamar Server (avacrk003)
avtar Info <5554>: Connecting to one node in each datacenter
avtar Info <5583>: Login User: "root", Domain: "default", Account: "/MC_BACKUPS"
avtar Info <5580>: Logging in on connection 0 (server 0)
avtar Info <5582>: Avamar Server login successful
avtar Info <10632>: Using Client-ID='6638d648ef621aa9dc20be40ab49e0820dac9b39'
avtar Info <5550>: Successfully logged into Avamar Server [19.10.0-135]
avtar Info <19849>: Selecting 10 backups
avtar Info <7377>: Backups for /MC_BACKUPS as of 2025-11-25 18:20:53 GMT
avtar Info <5314>: Command completed (exit code 0: success)
Date Time Seq Label Size Plugin Working directory Targets
2026-02-18 18:15:56 3726 2034984K Linux /usr/local/avamar var/mc/server_data
2026-02-17 18:08:30 3725 2034952K Linux /usr/local/avamar var/mc/server_data
2026-02-16 17:31:43 3724 2033952K Linux /usr/local/avamar var/mc/server_data
2026-02-15 08:00:31 3723 1035390K Linux /usr/local/avamar var/mc/server_data
2026-02-14 07:45:20 3722 1035346K Linux /usr/local/avamar var/mc/server_data
2026-02-13 08:00:29 3721 1035313K Linux /usr/local/avamar var/mc/server_data
2026-02-12 07:45:19 3720 1035269K Linux /usr/local/avamar var/mc/server_data
2026-02-11 08:00:30 3719 1035419K Linux /usr/local/avamar var/mc/server_data
2026-02-10 07:45:18 3718 1035377K Linux /usr/local/avamar var/mc/server_data
2026-02-09 08:00:30 3717 1035511K Linux /usr/local/avamar var/mc/server_data
-- Or --
Manual Steps:
- Follow "Scenario 1" in the resolution path article Avamar: DD Showing Red in Avamar AUI
- Generate a new set of client certificates for avtar if they exist:
Check for client certificates in BOTH "/usr/local/avamar/etc" and "/usr/local/avamar/etc/client":
cd /usr/local/avamar/etc/$(hostname -i)
cd /usr/local/avamar/etc/client/$(hostname -i)
If both commands report "No such file or directory", it means that Avamar is not using the client certificate. Go to Step 9.
If either directory exists, follow steps c-e below.
- Remove the existing client certificate directory:
Caution: Copy the commands below as shown. DO NOT MODIFY THEM.
rm -r /usr/local/avamar/etc/$(hostname -i)
rm -r /usr/local/avamar/etc/client/$(hostname -i)
- Generate a new set of client certificates for avtar only for the existing directories from above:
avagent.bin --gencerts=true --mcsaddr=$(hostname -i)
avagent.bin --gencerts=true --mcsaddr=$(hostname -i) --sysdir=/usr/local/avamar/etc/client
- Test a connection to confirm if avtar can connect to the GSAN:
avtar --backups --path=/MC_BACKUPS --count=5 --encrypt=tls
- Re-register the clients and VMware proxies.
- Re-register the agent-based clients:
mccli client re-register-all
- Re-register the VMware proxies by rebooting them centrally from Avamar:
mccli mcs reboot-proxy --all
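A post-regeneration check for the manual keystore steps above, as an added example that is not part of the original article or of Avamar tooling: it confirms that the mcssl certificate imported into the Tomcat and AVI keystores is the one now in rmi_ssl_keystore, and that modes and ownership are the ones the procedure sets. The function names and the sample listings are this example's own (the samples are constructed), and the v19.7 and later Tomcat values are assumed.

```shell
#!/bin/sh
# Added example (not Avamar tooling): checks to run after the manual keystore steps.

# Constructed `keytool -list -v` excerpts, used to exercise the parsing offline.
SAMPLE_RMI='Alias name: mcssl
Certificate fingerprints:
     SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
     SHA256: 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
Signature algorithm name: SHA512withRSA'
SAMPLE_STALE='Alias name: mcssl
Certificate fingerprints:
     SHA256: FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10
Signature algorithm name: SHA512withRSA'

# Print the SHA256 fingerprint found in `keytool -list -v` output on stdin.
keytool_sha256() {
    sed -n 's/^[[:space:]]*SHA256:[[:space:]]*\([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# Succeed only when both listings carry the same, non-empty SHA256 fingerprint.
# A keytool error message (alias missing, wrong passphrase) has no fingerprint
# and therefore counts as a mismatch, not as a match.
same_cert() {
    local a b
    a=$(printf '%s\n' "$1" | keytool_sha256)
    b=$(printf '%s\n' "$2" | keytool_sha256)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Succeed when path $1 has exactly octal mode $2 and, if given, owner $3 and
# group $4. Uses POSIX find so it does not depend on GNU stat.
has_perms() {
    if [ -n "${3:-}" ]; then
        [ -n "$(find "$1" -prune -perm "$2" -user "$3" -group "$4" -print 2>/dev/null)" ]
    else
        [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
    fi
}

# Run as root on the utility node after the manual steps. Paths, aliases,
# modes and owners are the ones the procedure uses (v19.7+ Tomcat values;
# on 19.4 and below the article sets 740 admin:admin on /home/admin/.keystore).
verify_keystores() {
    local rmi=/usr/local/avamar/lib/rmi_ssl_keystore
    local avi=/usr/local/avamar/lib/avi/avi_keystore
    local tomcat="${TOMCAT_KEYSTORE:-/home/tomcat/.keystore}"
    local src ks rc=0
    # keytool's :env modifier reads the passphrase from the environment, which
    # keeps it out of the process list while the checks run.
    KS_PASS=$(avlockbox.sh -r keystore_passphrase) || return 2
    export KS_PASS
    src=$(keytool -list -v -alias mcssl -keystore "$rmi" -storepass:env KS_PASS) || return 2
    for ks in "$tomcat" "$avi"; do
        same_cert "$src" "$(keytool -list -v -alias mcssl -keystore "$ks" -storepass:env KS_PASS 2>&1)" \
            || { echo "MISMATCH: mcssl in $ks differs from $rmi"; rc=1; }
    done
    has_perms "$rmi" 660 root admin     || { echo "PERMS: $rmi is not 660 root:admin"; rc=1; }
    has_perms "$tomcat" 640 root tomcat || { echo "PERMS: $tomcat is not 640 root:tomcat"; rc=1; }
    has_perms "$avi" 644 avi avi        || { echo "PERMS: $avi is not 644 avi:avi"; rc=1; }
    unset KS_PASS
    return $rc
}
```

Source the file and call verify_keystores; a non-zero return means at least one keystore still holds a stale mcssl certificate or has permissions that differ from the procedure.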
Affected Products
Avamar, Avamar Server
Products
Data Domain
Article Properties
Article Number: 000188770
Article Type: How To
Last Modified: 10 May 2026
Version: 30