This article is for Avamar 19.2.x.
Task details:
The following procedure creates and imports a private key and its certificate, distributes the key and certificate to each component (avinstaller, aam/flr/dtlt, mcsdk, rmi and AUI), and then imports all levels of trusted certificates into your certificate chain, replacing the listed components' certificates.
Steps to install certificate using AUI:
- Log in to Avamar PuTTY as admin user.
- Create a certs directory under /home/admin and change into the /home/admin/certs directory.
- Generate a PKCS#1-formatted RSA private key:
openssl genrsa -out private_key.pem 3072
- Switch to root user and cd to the certs directory:
su -
cd /home/admin/certs
- Generate the certificate signing request (CSR) using the generated private key. This command specifies a subject alternative name (SAN) extension that is filled in automatically with the fully qualified domain name of the Avamar server and its shortname.
openssl req -newkey rsa:3072 -sha256 -key private_key.pem -days 3650 -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS: $(hostname -f),DNS: $(hostname)")) -out signing_request.csr
Example of filling in Distinguished Name information:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:Irvine
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dell Technologies
Organizational Unit Name (eg, section) []:Avamar Support
Common Name (e.g. server FQDN or YOUR name) []:avamarlab.dell.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Change ownership of the signing request to admin:
chown admin:admin /home/admin/certs/signing_request.csr
- Send signing_request.csr to the CA and have it signed. Ensure that all certificates received from the CA are in PEM format. Assuming you have received the signed certificate as avamar_server.crt, obtain the root and intermediate certificates from the CA as well.
- Copy private_key.pem from /home/admin/certs to your desktop. Place the signed certificate (avamar_server.crt) on the desktop, and combine the root certificate and intermediate certificate into a single ca.crt file, also placed on the desktop.
- Open AUI page in browser with Fully Qualified Domain Name (FQDN):
https://fqdn_of_avamar/aui
- In the AUI, go to Administration > System > Certificate tab > Private Key tab. A private certificate entry for the Web Server appears in the table.
- Click the radio button next to the Web Server entry, then click +REPLACE. The Replace Private Entry wizard displays.
- In the Private Key field, click Browse to locate and select your certificate's private key. In this example, it is private_key.pem on the desktop.
- In the Certificate field, click Browse to locate and select your certificate file. It should be avamar_server.crt.
- (Optional) If the private key is passphrase-protected, provide the passphrase; otherwise leave it blank. Click Next.
- Certificate validation is initiated. If the validation fails (for example, if you selected private_key.pem for the private key and ca.crt for the certificate), a message displays indicating that the private key and certificate do not match.
- When validation completes successfully, click FINISH.
- Under the Certificate tab, select the Trust Certificate tab > click +IMPORT. The Import Certificate wizard displays.
- In the Alias field, provide an alias name, for example trustedCA. In the File field, click BROWSE to locate and import the appropriate trusted certificate. In this example, it is ca.crt on the desktop. Click NEXT.
- Click FINISH. After the import completes, review the trusted certificate details under the Trust Certificate tab.
- Click RESTART SERVICES to apply the certificate, then click YES to confirm that you want to restart these services. (Note: this restarts Apache Tomcat and MCS.)
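The following script is an added example and is not part of the Dell article; it exercises the command-line half of the procedure offline so the files can be checked before they are uploaded through the AUI. A throwaway test CA (constructed here) stands in for the real CA, the hostname avamarlab.dell.com is taken from the DN example above, and the SAN section is written to a temporary config file rather than spliced into /etc/ssl/openssl.cnf with process substitution. The checks at the end reproduce what the wizard validates: that private_key.pem belongs to avamar_server.crt (and not to ca.crt, the mismatch case the procedure describes), and that the server certificate chains up to the combined ca.crt that is imported as trustedCA.

```shell
#!/bin/sh
# Added example, not Dell's code: walks the key/CSR/chain steps of the
# procedure against a constructed test CA so the results can be checked
# locally. Requires only the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch dir; the procedure uses /home/admin/certs
FQDN="${FQDN:-avamarlab.dell.com}"    # constructed hostname from the DN example
SHORT="${FQDN%%.*}"                   # shortname, i.e. what $(hostname) returns on the server

# Minimal OpenSSL config. [SAN] is the section the procedure appends to
# /etc/ssl/openssl.cnf; [v3_ca] and [v3_server] exist only for the test CA.
write_config() {
    cat > "$WORK/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = US
ST = California
L = Irvine
O = Dell Technologies
CN = $FQDN
[SAN]
subjectAltName = DNS:$FQDN,DNS:$SHORT
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$FQDN,DNS:$SHORT
EOF
}

# PKCS#1 RSA key, then a CSR that carries the SAN extension.
make_key_and_csr() {
    openssl genrsa -out "$WORK/private_key.pem" 3072 2>/dev/null
    openssl req -new -sha256 -key "$WORK/private_key.pem" -reqexts SAN \
        -config "$WORK/req.cnf" -out "$WORK/signing_request.csr"
}

# Confirm the SAN really is in the request before sending it to the CA.
csr_has_san() {
    openssl req -in "$WORK/signing_request.csr" -noout -text | grep -q "DNS:$FQDN"
}

# Stand-in CA: self-signed root, intermediate signed by root, server cert
# signed by the intermediate; ca.crt = intermediate + root, as in the procedure.
issue_with_test_ca() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Test Root CA (constructed)" -config "$WORK/req.cnf" \
        -extensions v3_ca -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Test Intermediate CA (constructed)" -config "$WORK/req.cnf" \
        -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 30 -extfile "$WORK/req.cnf" -extensions v3_ca \
        -out "$WORK/inter.crt" 2>/dev/null
    openssl x509 -req -in "$WORK/signing_request.csr" -CA "$WORK/inter.crt" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days 30 \
        -extfile "$WORK/req.cnf" -extensions v3_server \
        -out "$WORK/avamar_server.crt" 2>/dev/null
    cat "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/ca.crt"
}

# The check the Replace Private Entry wizard performs: the public half of the
# key must equal the certificate's public key. Given ca.crt instead of the
# server cert, openssl reads the first cert in the bundle and this fails.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The server certificate must chain up to the bundle imported as trustedCA.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

write_config
make_key_and_csr
csr_has_san && echo "CSR carries SAN for $FQDN and $SHORT"
issue_with_test_ca
key_matches_cert "$WORK/private_key.pem" "$WORK/avamar_server.crt" && echo "key matches avamar_server.crt"
key_matches_cert "$WORK/private_key.pem" "$WORK/ca.crt" || echo "key does not match ca.crt (expected: wrong file)"
chain_verifies "$WORK/ca.crt" "$WORK/avamar_server.crt" && echo "avamar_server.crt verifies against ca.crt"
```

Run it as the admin user with WORK=/home/admin/certs to keep the file layout of the procedure; only make_key_and_csr, csr_has_san, key_matches_cert and chain_verifies apply to a real CA, the issue_with_test_ca step is replaced by sending signing_request.csr to your CA. Verifying against root.crt alone fails, which is why the intermediate must be included in ca.crt.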