Getting a Signed Certificate for Legacy Orchestrator


This article provides the procedures required to deploy a signed certificate to the Legacy Orchestrator.

By default, the product ships with a self-signed certificate produced by Cisco. If your organization prefers to use a trusted certificate from a third-party Certificate Authority (CA), you should perform the procedures in this article.

Organization

This section is organized according to the main steps required to obtain a trusted certificate and deploy it to the Legacy Orchestrator:

  • Ensure the services are stopped
  • Prepare a new keystore
    • Option 1: Generate a Keystore (ca_keystore) and Certificate Signing Request (ca_keystore.csr). Then send the request (ca_keystore.csr) to the Certificate Authority chosen by your organization (e.g., Verisign or GoDaddy)
    • Option 2: Convert to a Keystore (ca_keystore) from a PFX certificate or separate certificates (server.key, server.cert and rootCA.cert)
  • Update the Legacy Orchestrator keystore (ca_keystore)
  • Restart Legacy Orchestrator to apply the configuration

Prerequisites

At various points in these procedures, you will log into the Legacy Orchestrator. To log in, you need the following:

  • PuTTY or a similar terminal client
  • IP address and port of the Legacy Orchestrator
  • Username and password for the skylight account for the Legacy Orchestrator

Notes About the Keystore

You will use a Java tool called keytool at various points in these procedures. When using keytool, you will need a keystore alias and a password. Sometimes, you will be prompted to enter a keypass (a password for a key).

You must use the default values:

  • For alias, use: skylight
  • For storepass, use: changeit
  • For keypass, use: changeit

Stop the Hot Standby Process

Note: Skip this section if Legacy Orchestrator is not configured in Hot Standby mode.

  1. Open an SSH terminal session to Legacy Orchestrator on port 2200 and log in as the skylight user.
  2. Check the system status:
redundancy show status
  3. If the redundancy is started, stop the system by entering:
redundancy control stop

Ensure the Services Are Started

  1. Open an SSH terminal session to Legacy Orchestrator on port 2200 and log in as the skylight user.
  2. Check the services status:
services status
  3. If the services are stopped, start all services by entering:
services start

Prepare a New Keystore

This step has two possible options:

  • Option 1: Generate a Keystore (ca_keystore) and Certificate Signing Request (ca_keystore.csr). Afterwards, send the request (ca_keystore.csr) to the Certificate Authority chosen by your organization (e.g., Verisign or GoDaddy).

  • Option 2: Convert to a Keystore (ca_keystore) from a PFX certificate or separate certificates (server.key, server.cert and rootCA.cert).

Option 1: One Certificate (p7b or pem format) File or Three Certificate (root, intermediate, server) Files

The import step depends on what your CA returns: a single certificate file (.p7b or .pem) or three separate certificate files (root, intermediate, server). In either case, follow the three procedures below: generate a keystore, generate the certificate signing request, then import the signed certificate(s).

Generating a Keystore

A Java Keystore is a container for authorization certificates or public key certificates. The Legacy Orchestrator product has a default keystore that contains the existing Cisco self-signed certificate.

In this procedure, you will generate a new keystore in which to store the new certificate that you will obtain from the CA.

The name of the new keystore file will be ca_keystore.

  1. Open an SSH terminal session to the Legacy Orchestrator on port 22.
  2. Log in as the skylight user.
  3. Generate the new keystore for the CA certificate by entering:
/home/skylight/so/lib/jdk/bin/keytool -keystore ca_keystore -genkey -alias skylight -keyalg RSA -keysize 2048 -storepass changeit
  4. When you are prompted for your first and last name, enter the fully qualified domain name of the Legacy Orchestrator server (for example: vision.accedian.net):
What is your first and last name?
     [Unknown]: domainName
  5. When you are prompted with the following questions, answer with appropriate values for your organization:
What is the name of your organizational unit?
   [Unknown]: organizationalUnit
What is the name of your organization?
   [Unknown]: companyName
What is the name of your city or Locality?
   [Unknown]: yourCity
What is the name of your State or Province?
   [Unknown]: yourState
What is the two-letter country code for this unit?
   [Unknown]: yourCountryCode
  6. When prompted to confirm the information you just entered, enter yes or y.
Example prompt: Is CN=vision.accedian.net, OU=Certs, O=Accedian, L=Stockholm, ST=Sweden, C=SE, correct?
[no]:
    Note: If keytool then asks for a key password for <skylight>, press RETURN so that the key password is the same as the keystore password (changeit), as required in Notes About the Keystore.

Generating a Certificate Signing Request

After generating a keystore for the new certificate you want to obtain, you must generate a certificate signing request (CSR) and submit this request (a file) to the Certificate Authority chosen by your organization (e.g., Verisign or GoDaddy).

  1. Open an SSH terminal session to the Legacy Orchestrator on port 22.
  2. Log in as the skylight user.
  3. Generate the certificate request by entering:
/home/skylight/so/lib/jdk/bin/keytool -certreq -keyalg RSA -alias skylight -file ca_keystore.csr -keystore ca_keystore -storepass changeit
  4. The certificate request file (ca_keystore.csr) is generated in the current directory (/home/skylight/so).
  5. Transfer the certificate request file to your personal computer and send the certificate request to your CA.

Importing Signed Certificate into Keystore

After you have sent your .csr file to your CA and the CA has signed the certificate, you must import the signed certificate into the ca_keystore keystore you generated.

How you import the signed certificate(s) depends on the CA and the format of the signed certificate that the CA provides. The CA will provide guidelines on the use of their signed certificates.

Store the certificate file(s) on the Legacy Orchestrator

The CA will provide the signed certificate in one of these forms:

  • One certificate file (for example: PKCS7 [p7b] format)
  • Three certificate files (root, intermediate, server)

You will need to transfer the certificate file or files from your CA to your computer. You can use an SCP client (such as WinSCP) to transfer the file(s) from your computer to the Legacy Orchestrator.

During the transfer:

  • Use the skylight username and password to log into the Legacy Orchestrator.
  • Store the certificate file(s) in the /tmp directory on the appliance.
  • Ensure the file is owned by the skylight user.

Import a certificate in p7b or pem format

If your CA provided the certificate as a single file (in PKCS7 [p7b] or pem format), you only need to import that one file. The name of the certificate file depends on the CA; in the procedure below it is shown as cert_file.p7b.

  1. Open an SSH terminal session to the Legacy Orchestrator on port 22.
  2. Log in as the skylight user.
  3. Enter the following command to import the certificate file:
/home/skylight/so/lib/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/cert_file.p7b -keystore ca_keystore
  4. If prompted to enter the keystore password, enter:
changeit
  5. If prompted “... is not trusted. Install reply anyway? [no]”, enter:
yes
The following message indicates that the certificate was successfully imported:
Certificate reply was installed in keystore
  6. Proceed to the Updating the Legacy Orchestrator Keystore section to update the keystore.

Import certificates in other formats

If your CA did not provide the certificate as a single p7b or pem file, you must import three certificates: root, intermediate and server, one by one, in the order shown below.

  1. Open an SSH terminal session to the Legacy Orchestrator on port 22.
  2. Log in as the skylight user.
  3. Import the root certificate by entering:
/home/skylight/so/lib/jdk/bin/keytool -import -alias root -trustcacerts -file /tmp/<rootcertfile> -keystore ca_keystore
  4. If prompted to enter the keystore password, enter:
changeit
  5. If prompted “Trust this certificate? [no]”, enter:
yes
  6. Import the intermediate certificate by entering:
/home/skylight/so/lib/jdk/bin/keytool -import -alias interm -trustcacerts -file /tmp/<intercertfile> -keystore ca_keystore
  7. If prompted to enter the keystore password, enter:
changeit
  8. If prompted “Trust this certificate? [no]”, enter:
yes
  9. Import the server certificate by entering:
/home/skylight/so/lib/jdk/bin/keytool -import -alias skylight -trustcacerts -file /tmp/<servercertfile> -keystore ca_keystore
  10. If prompted to enter the keystore password, enter:
changeit
  11. If prompted “... is not trusted. Install reply anyway? [no]”, enter:
yes
  12. Proceed to the Updating the Legacy Orchestrator Keystore section to update the keystore.

Option 2: Convert to a Keystore from PFX Certificate or Separate Certificates

This option requires you to convert to a Keystore (ca_keystore) from a PFX certificate or separate certificates (server.key, server.cert, rootCA.cert).

One Certificate (pfx format) File

If you have one certificate file in pfx format, follow these steps:

  1. Open an SSH terminal session to the Legacy Orchestrator on port 22.
  2. Log in as the skylight user.
  3. Convert the .pfx certificate file to the keystore (ca_keystore) file with the JKS format:
    a. Enter:
/home/skylight/so/lib/jdk/bin/keytool -importkeystore -srckeystore <yourcertificatefile.pfx> -srcstoretype pkcs12 -destkeystore ca_keystore -deststoretype JKS
    b. If prompted to “Enter destination keystore password”, enter:
changeit
    c. If prompted to “Re-enter new password”, enter:
changeit
    d. If prompted to “Enter source keystore password”, enter:
<password of your_certificate_file.pfx file>
    e. Check the output; it shows the alias of the imported entry, which you will use in the next steps. For example:
Entry for alias te-123-12232-abc23232312 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
=> alias is “te-123-12232-abc23232312”

The ca_keystore file is now created. It contains the key and certificate that were in your_certificate_file.pfx.

  4. Change the password of the key within the ca_keystore file to changeit.
    Note: You can skip this step if the password of the key within yourcertificatefile.pfx is already changeit.
    a. Enter:
/home/skylight/so/lib/jdk/bin/keytool -keypasswd -alias <the alias from step 3.e> -keystore ca_keystore
    b. If prompted to “Enter keystore password”, enter:
changeit
    c. If prompted to “Enter key password for <the alias from step 3.e>”, enter:
<password of this key or password of your_certificate_file.pfx file>
    d. If prompted with “New key password for <the alias from step 3.e>”, enter:
changeit
    e. If prompted to “Re-enter new key password for <the alias from step 3.e>”, enter:
changeit
  5. Change the alias of the key within the ca_keystore file to skylight.
    Note: You can skip this step if the alias from step 3.e is already skylight.
    a. Enter:
/home/skylight/so/lib/jdk/bin/keytool -changealias -alias <the alias from step 3.e> -destalias skylight -keystore ca_keystore -storepass changeit

Separate certificates (server.key, server.cert and rootCA.cert)

If you have separate certificates (server.cert and rootCA.cert) and a private key (server.key), follow the three steps below:

  1. Place all files (server.key, server.cert and rootCA.cert) in the /home/skylight/so folder.
  2. Generate a keystone.pfx file from the separate certificates (server.cert and rootCA.cert) and the private key (server.key). Enter:
openssl pkcs12 -export -in server.cert -inkey server.key -certfile rootCA.cert -out keystone.pfx -name skylight -passout pass:changeit
  3. Convert the .pfx file into a keystore file (ca_keystore) in JKS format. Enter:
/home/skylight/so/lib/jdk/bin/keytool -importkeystore -srckeystore keystone.pfx -srcstoretype pkcs12 -destkeystore ca_keystore -deststoretype JKS -srcstorepass changeit -deststorepass changeit

Updating the Legacy Orchestrator Keystore

At this point, you have a CA-signed certificate in your new ca_keystore. You now need to transfer this entry to the keystore used by the Legacy Orchestrator.

  1. Open an SSH session to port 22 of the Legacy Orchestrator and log in using the skylight username and password.
  2. Change to the directory that holds the Legacy Orchestrator keystore:
cd /home/skylight/so/config/domain/
  3. Back up the keystore.jks file:
cp keystore.jks keystore.jks.bk
  4. Run the command to update the keystore:
/home/skylight/so/lib/jdk/bin/keytool -importkeystore -srckeystore /home/skylight/so/ca_keystore -destkeystore ./keystore.jks
  5. If prompted to enter a keystore password (for the destination keystore and then for the source keystore), enter:
changeit
  6. If prompted, "Existing entry alias skylight exists, overwrite? [no]:", enter:
yes

Restarting the Legacy Orchestrator Services

  1. Open an SSH terminal session to the Legacy Orchestrator on port 2200.
  2. Log in as the skylight user.
  3. Stop services by entering:
services stop
  4. Start services by entering:
services start
  5. Verify that the new certificate has been applied.

Starting the Hot Standby Process

Note: Skip this section if Legacy Orchestrator is not configured in Hot Standby mode.

  1. Open an SSH terminal session to the Active site on port 2200.
  2. Log in as the skylight user.
  3. Set the preferred site to the last active site by entering:
redundancy config preferred {site-a | site-b}
  4. Start the Hot Standby process by entering:
redundancy control start
  5. Verify that the new certificate has been applied.
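Both "Verify that the new certificate has been applied" steps above (after restarting the services and after restarting Hot Standby) leave the check itself to you. The script below is an added example, not part of the Cisco page: it uses the page's keytool path, keystore location, alias and storepass, and assumes the Orchestrator's HTTPS host and port (passed as arguments) and an openssl binary on the appliance, none of which the page states.

```shell
#!/bin/sh
# Added example: confirm the CA-signed entry in the Orchestrator keystore and
# that the TLS listener actually serves it. Assumptions not on the page: HOST
# and PORT of the HTTPS listener, and an openssl binary on the appliance.
KEYTOOL=/home/skylight/so/lib/jdk/bin/keytool
KEYSTORE=/home/skylight/so/config/domain/keystore.jks
ALIAS=skylight
STOREPASS=changeit

# From `keytool -list -v` text on stdin, print for ALIAS one line:
# "<SHA256 of the server cert, upper-case hex, no colons> <entry type> <chain length>"
keystore_entry() {
  awk -v alias="$1" '
    /^Alias name:/ { cur = $3 }
    cur != alias { next }
    /^Entry type:/ { et = $3 }
    /^Certificate chain length:/ { len = $4 }
    /SHA256:/ && fp == "" { sub(/.*SHA256: */, ""); gsub(/[^0-9A-Fa-f]/, ""); fp = toupper($0) }
    END { if (fp != "") print fp, et, len }'
}

# From `openssl x509 -noout -fingerprint -sha256` text on stdin, print the
# fingerprint in the same normalized form.
served_fp() { sed -n 's/.*Fingerprint=//p' | tr -d ':' | tr 'a-f' 'A-F'; }

# True when both fingerprints are present and identical.
fingerprints_match() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Live check: the entry must hold a private key (PrivateKeyEntry), carry the CA
# chain (length > 1, i.e. not the self-signed default), and match what is served.
verify_live() {
  host=$1; port=$2
  set -- $("$KEYTOOL" -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" \
             -alias "$ALIAS" | keystore_entry "$ALIAS")
  ks_fp=$1; et=$2; len=$3
  [ "$et" = "PrivateKeyEntry" ] || { echo "alias $ALIAS is not a key entry"; return 1; }
  [ "${len:-0}" -gt 1 ] || { echo "chain length ${len:-0}: CA chain not imported?"; return 1; }
  live=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
         openssl x509 -noout -fingerprint -sha256 | served_fp)
  fingerprints_match "$ks_fp" "$live" ||
    { echo "served cert ($live) differs from keystore ($ks_fp): services restarted?"; return 1; }
  echo "OK: $host:$port serves keystore entry $ALIAS ($ks_fp)"
}

# Usage: sh verify_cert.sh --live <host> <port>
if [ "${1:-}" = "--live" ]; then verify_live "$2" "$3"; fi
```

Run it once after the services restart and, in Hot Standby mode, again against the site that is now active; a chain length of 1 means the CA chain never reached keystore.jks, and a fingerprint mismatch means the listener is still serving the old entry.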

© 2026 Cisco and/or its affiliates. All rights reserved.
