Getting a Signed Certificate for Skylight orchestrator
This article provides the procedures required to deploy a signed certificate to the application server of the Skylight orchestrator.
By default, the product ships with a self-signed certificate produced by Accedian. If your organization prefers to use a trusted certificate from a third-party Certificate Authority (CA), you should perform the procedures in this application note.
Organization
This section is organized according to the main steps required to obtain a trusted certificate and deploy it to the Skylight orchestrator:
- Stop the Hot Standby process
- Ensure the app_server is running
- Prepare a new keystore
- Option 1: Generate a Keystore (ca_keystore) and Certificate Signing Request (ca_keystore.csr). Then send the request (ca_keystore.csr) to the Certification Authority chosen by your organization (e.g. Verisign or GoDaddy)
- Option 2: Convert to a Keystore (ca_keystore) from a PFX certificate or separate certificates (server.key, server.cert and rootCA.cert)
- Update the Skylight orchestrator keystore
- Restart Skylight orchestrator
- Start the Hot Standby process
Prerequisites
At various points in these procedures, you will log into the Skylight orchestrator. In order to log in, you need the following:
- Putty or a similar terminal client
- IP address and port of the Skylight orchestrator
- Username and password for the visionems account for the Skylight orchestrator
- The Skylight orchestrator software should be running.
Notes about the Keystore
You will use a Java tool called keytool at various points in these procedures. When using keytool, you will require a keystore alias and a password. Sometimes, you will be prompted to enter a keypass (a password for a key).
You must use the default values:
- For alias, use: skylight
- For storepass, use: changeit
- For keypass, use: changeit
Stop the Hot Standby Process
Note: Skip this section if Skylight orchestrator is not configured in Hot Standby mode.
To stop the Hot Standby process
On Site-A only, open an SSH terminal session to Skylight orchestrator on port 2200.
Log in as the visionems user.
Stop the Hot Standby process by entering:
redundancy control stop
CAUTION: If Skylight orchestrator is configured in Hot Standby mode, you must apply the procedure to one side at a time. Ensure you stop the app_server on the completed side before starting on the other side.
Ensure the App_Server is Running
Open an SSH terminal session to Skylight orchestrator on port 2200 and log in as the visionems user.
Check the application status:
service show
- If the app_server is stopped, start the application by entering:
service start app_server
Note: It may take up to 10 minutes for the app_server to go from starting to started.
Prepare a New Keystore
This step has two possible options:
- Option 1: Generate a Keystore (ca_keystore) and Certificate Signing Request (ca_keystore.csr). Afterwards, send the request (ca_keystore.csr) to the Certification Authority chosen by your organization (e.g. Verisign or GoDaddy).
- Option 2: Convert to a Keystore (ca_keystore) from a PFX certificate or separate certificates (server.key, server.cert and rootCA.cert).
Option 1: One Certificate (p7b or pem format) File or Three Certificate (root, intermediate, server) Files
The import procedure differs depending on whether the CA returns a single certificate file (.p7b or .pem) or three separate certificate files (root, intermediate, server).
If you have one certificate (p7b or pem format) file or three certificate (root, intermediate, server) files, you must follow the three steps below:
1. Generating a Keystore
A Java Keystore is a container for authorization certificates or public key certificates. The Skylight orchestrator product has a default keystore that contains the existing Accedian self-signed certificate.
In this procedure, you will generate a new keystore in which to store the new certificate that you will obtain from the CA.
The name of the new keystore file will be: ca_keystore
Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.
Enter the following command to generate the new keystore for the CA certificate:
/opt/accedian/skylight/jdk/bin/keytool -keystore ca_keystore -genkey -alias skylight -keyalg RSA -keysize 2048 -storepass changeit
- When you are prompted for your first and last name, enter the fully qualified domain name of the Skylight orchestrator server (for example: vision.accedian.net):
What is your first and last name?
[Unknown]: domainName
- When you are prompted with the following questions, answer with appropriate values for your organization:
What is the name of your organizational unit?
[Unknown]: organizationalUnit
What is the name of your organization?
[Unknown]: companyName
What is the name of your City or Locality?
[Unknown]: yourCity
What is the name of your State or Province?
[Unknown]: yourState
What is the two-letter country code for this unit?
[Unknown]: yourCountryCode
- When prompted to confirm the information you just entered, enter yes or y.
Example prompt: Is CN=vision.accedian.net, OU=Certs, O=Accedian,
L=Stockholm, ST=Sweden, C=SE correct?
[no]:
2. Generating Certificate Service Request
After generating a keystore for the new certificate you want to obtain, you must generate a certificate request and send this request (a file) to the Certification Authority chosen by your organization (e.g. Verisign or GoDaddy).
Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.
Enter the following command to generate the certificate request:
/opt/accedian/skylight/jdk/bin/keytool -certreq -keyalg RSA -alias skylight -file ca_keystore.csr -keystore ca_keystore -storepass changeit
The certificate request file (ca_keystore.csr) is generated in the current directory (/home/visionems).
- Transfer the certificate request file to your PC and send the certificate request to your CA.
3. Importing Signed Certificate into Keystore
After you have sent your .csr file to your CA and the CA has signed the certificate, you must import the signed certificate into your CA keystore.
How you import the signed certificate(s) depends on the CA and the format of the signed certificate that the CA provides. The CA will provide guidelines on the use of their signed certificates.
Store the certificate file(s) on the Skylight orchestrator
The CA will provide the signed certificate in one of these forms:
- One certificate file (for example: PKCS7 [p7b] format)
- Three certificate files (root, intermediate, server)
You will need to transfer the certificate file or files from your CA to your computer. You can use an SCP client (such as WinSCP) to transfer the file(s) from your computer to the Skylight orchestrator.
During the transfer:
- Use the visionems username and password to log into the Skylight orchestrator.
- Store the certificate file(s) in the /tmp directory on the appliance.
Import a certificate in p7b or pem format
If your CA provided a certificate as a single file (in PKCS7 [p7b] or pem format), you just need to import the certificate file once. The name of the certificate file will depend on the CA. In the procedure, the file name is indicated as follows: certfile.p7b
Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.
Enter the following command to import the certificate file:
/opt/accedian/skylight/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/certfile.p7b -keystore ca_keystore
- If prompted to enter keystore password, enter:
changeit
- If prompted “... is not trusted. Install reply anyway? [no]”, enter:
yes
The following message indicates that the certificate was successfully imported:
Certificate reply was installed in keystore
Import certificates in other formats
If your CA did not provide a certificate in p7b format, you must import three certificates: root, intermediate and server (one by one in the order shown below).
Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.
Import the root certificate by entering:
/opt/accedian/skylight/jdk/bin/keytool -import -alias root -trustcacerts -file /tmp/rootcertfile -keystore ca_keystore
- If prompted to enter keystore password, enter:
changeit
- If prompted “Trust this certificate? [no]”, enter:
yes
- Import the intermediate certificate by entering:
/opt/accedian/skylight/jdk/bin/keytool -import -alias interm -trustcacerts -file /tmp/intercertfile -keystore ca_keystore
- If prompted to enter keystore password, enter:
changeit
- If prompted “Trust this certificate? [no]”, enter:
yes
- Import the server certificate by entering:
/opt/accedian/skylight/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/servercertfile -keystore ca_keystore
- If prompted to enter keystore password, enter:
changeit
- If prompted “... is not trusted. Install reply anyway? [no]”, enter:
yes
Option 2: Convert to a Keystore from PFX Certificate or Separate Certificates
This option requires you to convert to a Keystore (ca_keystore) from a PFX certificate or separate certificates (server.key, server.cert, rootCA.cert).
One Certificate (.pfx format) File
If you have one certificate file in .pfx format, you must follow the three steps below:
- Convert the .pfx certificate file to the keystore (ca_keystore) file with the JKS format:
a. Enter:
/opt/accedian/skylight/jdk/bin/keytool -importkeystore -srckeystore <yourcertificatefile.pfx> -srcstoretype pkcs12 -destkeystore ca_keystore -deststoretype JKS
b. If prompted to “Enter destination keystore password”, enter:
changeit
c. If prompted to “Re-enter new password”, enter:
changeit
d. If prompted to “Enter source keystore password”, enter:
<password of your_certificate_file.pfx file>
e. Check the output; the alias is shown. You will use this alias in the next steps.
For example:
Entry for alias te-123-12232-abc23232312 successfully imported.
Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
=> alias is “te-123-12232-abc23232312”
The ca_keystore file is created. It contains the certificate (and its associated key material) from the your_certificate_file.pfx file.
- Change the password of the key within the ca_keystore file to changeit. Note: You can skip this step if the key password in the yourcertificatefile.pfx file is already changeit.
a. Enter:
/opt/accedian/skylight/jdk/bin/keytool -keypasswd -alias <the alias from step 1.e> -keystore ca_keystore
b. If prompted to “Enter keystore password”, enter:
changeit
c. If prompted to “Enter key password for <the alias from step 1.e>”, enter:
<password of this key or password of your_certificate_file.pfx file>
d. If prompted with “New key password for <the alias from step 1.e>”, enter:
changeit
e. If prompted to “Re-enter new key password for <the alias from step 1.e>”, enter:
changeit
- Change the alias of the key within the ca_keystore file to skylight. Note: You can skip this step if the alias from step 1.e is already skylight.
a. Enter:
/opt/accedian/skylight/jdk/bin/keytool -changealias -alias <the alias from step 1.e> -destalias skylight -keystore ca_keystore -storepass changeit
Separate certificates (server.key, server.cert and rootCA.cert)
If you have separate certificates (server.cert and rootCA.cert) and private key (server.key), you must follow the three steps below:
Place all files (server.key, server.cert and rootCA.cert) in the /home/visionems folder.
Generate a keystone.pfx file from the separate certificates (server.cert and rootCA.cert) and the private key (server.key) by entering:
openssl pkcs12 -export -in server.cert -inkey server.key -certfile rootCA.cert -out keystone.pfx -name skylight -passout pass:changeit
- Convert the .pfx certificate file into a keystore file (ca_keystore) in JKS format. Enter:
/opt/accedian/skylight/jdk/bin/keytool -importkeystore -srckeystore keystone.pfx -srcstoretype pkcs12 -destkeystore ca_keystore -deststoretype JKS -srcstorepass changeit -deststorepass changeit
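The script below is an added example, not Accedian's own tooling. It wraps the Option 2 commands from this section (the openssl export and keytool import for separate certificates, and the alias extraction from step 1.e of the PFX path) with the checks a practitioner wants before and after building ca_keystore: that server.key really belongs to server.cert, that server.cert chains to rootCA.cert, and that the resulting entry is a PrivateKeyEntry under the mandated alias skylight. The keytool path, alias and password are the ones this note mandates; the pre-checks and the entry-type check are additions of this example.

```bash
#!/usr/bin/env bash
# Added example (not Accedian tooling): Option 2 helpers for building ca_keystore
# from server.key / server.cert / rootCA.cert, with sanity checks around the
# note's own openssl and keytool commands. Assumes the note's keytool path and
# its mandated defaults: alias "skylight", store and key password "changeit".
set -eu

KEYTOOL="${KEYTOOL:-/opt/accedian/skylight/jdk/bin/keytool}"
STOREPASS="changeit"
ALIAS="skylight"

# Pull the alias out of "keytool -importkeystore" output (step 1.e of the PFX
# path): the "Entry for alias ... successfully imported." line. Reads stdin.
imported_alias() {
  sed -n 's/^Entry for alias \(.*\) successfully imported\.$/\1/p'
}

# From "keytool -list" output on stdin, print the entry type recorded for an
# alias (PrivateKeyEntry / trustedCertEntry / SecretKeyEntry), or nothing if the
# alias is absent. GlassFish's cert-nickname=skylight needs a PrivateKeyEntry;
# a trustedCertEntry under that alias has no private key and cannot serve TLS.
entry_type_for_alias() {        # entry_type_for_alias <alias>
  awk -v a="$1" 'index($0, a ", ") == 1 &&
    match($0, /(PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)/) {
      print substr($0, RSTART, RLENGTH); exit }'
}

# The private key must belong to server.cert. Comparing the public keys (rather
# than RSA moduli) also works for EC keys. Empty output (a failed openssl call)
# is treated as a mismatch, not as "both empty, therefore equal".
cert_matches_key() {            # cert_matches_key server.cert server.key
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# server.cert must chain to the CA certificate you are about to bundle with it.
chain_is_valid() {              # chain_is_valid server.cert rootCA.cert
  openssl verify -CAfile "$2" "$1" >/dev/null
}

# The note's own two commands: PFX first, then JKS.
build_keystore() {              # build_keystore server.cert server.key rootCA.cert
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -out keystone.pfx -name "$ALIAS" -passout "pass:$STOREPASS"
  "$KEYTOOL" -importkeystore -srckeystore keystone.pfx -srcstoretype pkcs12 \
    -destkeystore ca_keystore -deststoretype JKS \
    -srcstorepass "$STOREPASS" -deststorepass "$STOREPASS"
}

# Usage (from /home/visionems): ./build_ca_keystore.sh server.cert server.key rootCA.cert
if [ "$#" -eq 3 ]; then
  cert_matches_key "$1" "$2" || { echo "server.key does not match server.cert" >&2; exit 1; }
  chain_is_valid "$1" "$3"   || { echo "server.cert does not chain to rootCA.cert" >&2; exit 1; }
  build_keystore "$1" "$2" "$3"
  entry_type=$("$KEYTOOL" -list -keystore ca_keystore -storepass "$STOREPASS" | entry_type_for_alias "$ALIAS")
  [ "$entry_type" = "PrivateKeyEntry" ] || { echo "alias $ALIAS is '$entry_type', expected PrivateKeyEntry" >&2; exit 1; }
  echo "ca_keystore ready: alias $ALIAS is a PrivateKeyEntry"
fi
```

Run it in /home/visionems with the three file names as arguments; it stops before writing anything if the key and certificate do not belong together or the chain does not verify, and it refuses to report success unless keytool lists the skylight alias as a PrivateKeyEntry, which is what the later cert-nickname=skylight setting relies on.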
Updating the Skylight orchestrator Keystore
At this point, you have a fully signed certificate in your new ca_keystore. You now need to transfer this certificate to the keystore used by the Skylight orchestrator.
Open an SSH session to port 22 of the Skylight orchestrator and log in using the visionems username and password.
Enter:
cd /opt/accedian/skylight/glassfish/glassfish/domains/skylightdomain/config
- Backup the keystore.jks file:
cp keystore.jks keystore.jks.bk
- Copy the certificates to the Skylight orchestrator Web UI keystore:
/opt/accedian/skylight/jdk/bin/keytool -importkeystore -srckeystore /home/visionems/ca_keystore -destkeystore ./keystore.jks
- If prompted to enter keystore password, enter:
changeit
- If prompted, "Existing entry alias skylight exists, overwrite? [no]:", enter:
yes
Note: If you are using Skylight orchestrator version 21.08 or later, skip steps 7 to 10 (the asadmin steps that follow).
- Start an asadmin session:
/opt/accedian/skylight/glassfish/bin/asadmin -p 5048
- At the asadmin prompt, enter:
set nbiconfig.network-config.protocols.protocol.http-listener2.ssl.cert-nickname=skylight
- At the asadmin prompt, enter:
set bizconfig.network-config.protocols.protocol.http-listener2.ssl.cert-nickname=skylight
- At the asadmin prompt, enter:
exit
Restarting Skylight orchestrator
In order for the new certificate to take effect, Skylight orchestrator must be restarted.
Open an SSH terminal session to the Skylight orchestrator on port 2200 and log in as the visionems user.
Restart the application by entering:
service restart app_server
Verify that the new certificate has been applied.
If Skylight orchestrator is configured in Hot Standby mode, stop the app_server before importing the new certificate on the other side by entering:
service stop app_server
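The script below is an added example, not Accedian's own tooling, for the "Verify that the new certificate has been applied" step above. It fetches the certificate the restarted Web UI actually presents and compares its SHA-256 fingerprint with the one keytool reports for the skylight alias in ca_keystore, which catches the common case where the import succeeded but app_server is still serving the old self-signed certificate. The orchestrator host name and HTTPS port are arguments you supply (the note does not state the port); the keytool and keystore paths and the changeit password are the note's own.

```bash
#!/usr/bin/env bash
# Added example (not Accedian tooling): after "service restart app_server",
# confirm that the certificate the Web UI actually serves is the one now held
# under alias "skylight". The host name and HTTPS port are arguments you
# supply; the keytool and keystore paths are this note's, and the
# "changeit" password is the note's mandated default.
set -eu

KEYTOOL="${KEYTOOL:-/opt/accedian/skylight/jdk/bin/keytool}"
KEYSTORE="${KEYSTORE:-/home/visionems/ca_keystore}"
ALIAS="skylight"
STOREPASS="changeit"

# keytool prints "SHA256: AA:BB:..." while openssl prints
# "SHA256 Fingerprint=AA:BB:..."; reduce either to the first bare 64-hex-digit
# SHA-256 value (upper case, no colons) so the two can be compared as strings.
normalize_fingerprint() {
  tr -d ':' | tr 'abcdef' 'ABCDEF' \
    | sed -n '/[0-9A-F]\{64\}/{s/.*\([0-9A-F]\{64\}\).*/\1/p;q;}'
}

# True when both texts carry the same SHA-256 fingerprint.
fingerprints_match() {          # fingerprints_match <text-a> <text-b>
  local a b
  a=$(printf '%s\n' "$1" | normalize_fingerprint)
  b=$(printf '%s\n' "$2" | normalize_fingerprint)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Subject, issuer, validity window and SHA-256 fingerprint of the leaf
# certificate presented on <host>:<port> (SNI set to the host name).
served_cert_info() {            # served_cert_info <host> <port>
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
}

# SHA-256 fingerprint of the server certificate stored under $ALIAS. With
# "-list -v" keytool prints the chain leaf first, so the first match is it.
keystore_cert_fingerprint() {
  "$KEYTOOL" -list -v -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
    | normalize_fingerprint
}

# Usage: ./verify_served_cert.sh <orchestrator-fqdn> <https-port>
if [ "$#" -eq 2 ]; then
  info=$(served_cert_info "$1" "$2")
  printf '%s\n' "$info"
  if fingerprints_match "$info" "$(keystore_cert_fingerprint)"; then
    echo "OK: $1:$2 serves the certificate stored under alias $ALIAS in $KEYSTORE"
  else
    echo "MISMATCH: $1:$2 is not serving the certificate from $KEYSTORE (was app_server restarted?)" >&2
    exit 1
  fi
fi
```

Run it from the orchestrator (or any host that can reach the Web UI) with the fully qualified domain name you entered as the certificate's CN and the HTTPS port; the printed subject, issuer and validity dates should show your CA rather than the Accedian self-signed issuer, and the final line states whether the served fingerprint matches the keystore.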
Starting the Hot Standby process
Note: Skip this section if Skylight orchestrator is not configured in Hot Standby mode.
To start the Hot Standby process after the new certificate has been successfully imported on both sites
Open an SSH terminal session to the Skylight orchestrator designated as the preferred active site on port 2200.
Log in as the visionems user.
Set the preferred site to the last active site by entering:
redundancy config preferred {site-a | site-b}
- Start the Hot Standby process by entering:
redundancy control start
- Verify the redundancy status by entering:
redundancy show status
© 2025 Cisco and/or its affiliates. All rights reserved.