Updating the CA Certificate

This procedure describes how to update the CA certificate file by adding it to the Tomcat configuration.

Before you begin

• Verify that a new CA certificate is available, as described in Creating a CA Certificate and Key.

Begin

1. Verify that that the name of the new CA certificate is the same as the original CA certificate.

   NOTE: If the names are different, run one of the following:

   • UNIX:

     em bmcpython $HOME/ctm_em/bin/generate_ssl_certificate.py addToTruststore --rootCert <ca_cert_path> --passphrase <keystore_pass> --truststore $HOME/ctm_em/ini/ssl/tomcatclient.jks

   • Windows:

     bmcpython "%EM_HOME%\bin\generate_ssl_certificate.py" addToTruststore --rootCert <ca_cert_path> --passphrase <keystore_pass> --truststore "%EM_HOME%\ini\ssl\tomcatclient.jks"

2. Restart Kibana and Tomcat.
3. On all distributed computers, run the following command:

   em bmcpython $HOME/ctm_em/bin/generate_ssl_certificate.py generateCert --rootCert /home/dbauser/ctm_em/ini/ssl/elastic_ca.pem --rootKey /home/dbauser/ctm_em/ini/ssl/elastic_ca_key.pem -- outFolder /home/dbauser/ctm_em/ini/ssl --certificateName new_kibana --subject /C=US/ST=Texas/L=Houston/O=BMC_Software_Ltd/CN=<hostname>

4. Place the CA certificate in one of the following Kibana folders:
   • UNIX: $EM_HOME/ini/ssl/
   • Windows: %EM_HOME%\ini\ssl
5. In the kibana.yml file in the config folder, update the elasticsearch.ssl.certificateAuthorities property with the list of paths to CA certificates.

   EXAMPLE: elasticsearch.ssl.certificateAuthorities: ['/home/em/ctm_em/ini/ssl/new_kibana_ca.pem']

6. Place the CA certificate in one of the following Tomcat folders:
   • UNIX:

     em bmcpython $HOME/ctm_em/bin/generate_ssl_certificate.py addToTruststore --rootCert <ca_cert_path> --passphrase <keystore_pass> --truststore $HOME/ctm_em/ini/ssl/tomcatclient.jks

   • Windows:

     bmcpython "%EM_HOME%\bin\generate_ssl_certificate.py" addToTruststore --rootCert <ca_cert_path> --passphrase <keystore_pass> --truststore "%EM_HOME%\ini\ssl\tomcatclient.jks"

   NOTE: The default key store password is: changeit

7. Restart Kibana.

   NOTE: If the JKS of Tomcat was changed, you must restart Tomcat.