
Regenerating self-signed end-entity and CA certificates

In many environments, replacing the HTTPS and/or DSP certificates is unnecessary.

The DSP certificate is only used when Custom Authorizations have been configured in the Network Security settings, as described on the Configuring Network Security Settings page. If those checkboxes are not set, the DSP certificate is not in use and does not need to be replaced.

The HTTPS certificate only needs to be replaced if web browser access to the engine uses HTTPS.

The following process uses the Java keytool utility. It is available in most Java JDK installations, including the one shipped with the Delphix Toolkit for Unix, Linux and Windows environments under <toolkit directory>/*host/java/jdk/bin/. In the following example, /work is the toolkit directory; the subdirectory naming conventions from 5.3.x and 6.0.x are:

CODE
$ find /work -name keytool
/work/Delphix_COMMON_f126df603015_33e2f61712c3_2_host/java/jdk/jre/bin/keytool
/work/Delphix_COMMON_f126df603015_33e2f61712c3_2_host/java/jdk/bin/keytool
/work/Delphix_COMMON_564d56b0_26ad_e6ac_f782_d15213207664_oracle_host/java/jdk/bin/keytool
/work/Delphix_COMMON_564d56b0_26ad_e6ac_f782_d15213207664_oracle_host/java/jdk/jre/bin/keytool

By the end of this process, a single PKCS#12 KeyStore file contains the CA certificate and the DSP, stunnel server and HTTPS certificates with their private keys. This file is uploaded twice in the System Setup interface, once per alias.

Other notes:

  • The recommended KeyStore password, changeit, is used. It is the only protection on the private keys in the keystore file, so keep the file off shared storage and delete it, together with the .csr and signed-certificate files, once the upload has succeeded.

  • For <domain>, substitute the Engine FQDN in every command. It becomes the CN (Common Name) of the end-entity certificates and their SAN entry, which is what browsers actually match against the host name. For instance, -dname 'CN=Engine <domain> CA, C=US' becomes -dname 'CN=Engine example.delphix.com CA, C=US'.

  • The certificate aliases used are tomcat for HTTPS and dsp for DSP.

  • The -ext 1.3.6.1.5.5.7.3.1 argument adds an empty extension whose OID is id-kp-serverAuth; it is not an extendedKeyUsage extension (keytool's syntax for that would be -ext eku=serverAuth). The commands are shown as published.

  • The stunnel-server certificate is generated self-signed and is not re-issued by the CA in this procedure; only the tomcat and dsp certificates are.

  • The existing Delphix CA certificate in the truststore cannot be removed. Faults related to this certificate should be ignored.

Linux Version

  1. Generate a new Delphix CA certificate. bc=ca:true marks it as a CA and ku=kCS,cRLS restricts the key to signing certificates and CRLs. The start date is backdated 7 days (10080 minutes) so the certificate is already valid on hosts whose clocks lag the engine.

    CODE
    export PASSWORD_ENV='changeit'
    keytool -genkeypair -noprompt -alias delphixca -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext bc=ca:true -ext ku=kCS,cRLS -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=Engine <domain> CA, C=US' -keystore keystore
  2. Generate the HTTPS/TLS key pair (alias tomcat). bc=ca:false marks it as an end-entity certificate; the SAN carries the FQDN that browsers verify.

    CODE
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keystore keystore
  3. Generate the DSP key pair (alias dsp).

    CODE
    keytool -genkeypair -alias dsp -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keystore keystore
  4. Generate the STUNNEL-SERVER key pair (alias stunnel-server). This one remains self-signed.

    CODE
    keytool -genkeypair -alias stunnel-server -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keystore keystore
  5. Sign the HTTPS/TLS certificate: create a CSR from the tomcat key, sign it with delphixca (the SAN must be restated here, because keytool -gencert does not copy extensions from the request by default), then import the DER-encoded reply under the same alias so the self-signed certificate is replaced by the CA-signed chain.

    CODE
    keytool -certreq -alias tomcat -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.csr
    keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile tomcat.csr -outfile tomcat.cer
    keytool -importcert -alias tomcat -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.cer
  6. Sign the DSP certificate in the same way.

    CODE
    keytool -certreq -alias dsp -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file dsp.csr
    keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile dsp.csr -outfile dsp.cer
    keytool -importcert -alias dsp -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file dsp.cer

Windows version

  1. Generate a new Delphix CA certificate. bc=ca:true marks it as a CA and ku=kCS,cRLS restricts the key to signing certificates and CRLs. The start date is backdated 7 days (10080 minutes) so the certificate is already valid on hosts whose clocks lag the engine.

    CODE
    $ENV:PASSWORD_ENV='changeit'
    .\keytool -genkeypair -noprompt -alias delphixca -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext bc=ca:true -ext ku=kCS,cRLS -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=Engine <domain> CA, C=US' -keystore keystore
  2. Generate the HTTPS/TLS key pair (alias tomcat). bc=ca:false marks it as an end-entity certificate; the SAN carries the FQDN that browsers verify.

    CODE
    .\keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keystore keystore
  3. Generate the DSP key pair (alias dsp).

    CODE
    .\keytool -genkeypair -alias dsp -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keystore keystore
  4. Generate the STUNNEL-SERVER key pair (alias stunnel-server), as in the Linux version. This one remains self-signed.

    CODE
    .\keytool -genkeypair -alias stunnel-server -keyalg RSA -keysize 2048 -validity 397 -ext 1.3.6.1.5.5.7.3.1 -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keystore keystore
  5. Sign the HTTPS/TLS certificate: create a CSR from the tomcat key, sign it with delphixca (the SAN must be restated here, because keytool -gencert does not copy extensions from the request by default), then import the DER-encoded reply under the same alias so the self-signed certificate is replaced by the CA-signed chain.

    CODE
    .\keytool -certreq -alias tomcat -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.csr
    .\keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile tomcat.csr -outfile tomcat.cer
    .\keytool -importcert -alias tomcat -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file tomcat.cer
  6. Sign the DSP certificate in the same way.

    CODE
    .\keytool -certreq -alias dsp -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore -file dsp.csr
    .\keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M -infile dsp.csr -outfile dsp.cer
    .\keytool -importcert -alias dsp -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -file dsp.cer

At this point, the certificates can be installed by following the Customer Provided Key Pair method described on the User provided key pair configuration page.

The same KeyStore file is uploaded twice: once with alias 'dsp' to replace the DSP certificate and once with alias 'tomcat' to replace the HTTPS certificate.

If the upload fails with Failed to read file with error "Invalid KeyStore format", make sure the Upload certificate from a PKCS#12 KeyStore radio button is selected.
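Before uploading, it is worth confirming that the keystore actually contains what the upload dialog expects: a delphixca entry marked CA:true, and PrivateKeyEntry entries for tomcat and dsp whose certificates were re-issued by that CA (chain length 2, issuer equal to the CA DN) and carry the FQDN in their SAN. The script below is an added example, not part of the Delphix documentation or product: it runs keytool -list -v against the keystore, reading the password from PASSWORD_ENV exactly as the commands above do, and reports anything that would make the upload or the later TLS handshake fail. The keytool path, keystore path, FQDN and CA DN are command-line arguments; the embedded listing is a constructed sample of keytool output (with a deliberately unsigned dsp entry) that exercises the parser and shows what a half-finished procedure looks like.

```python
"""Check the keystore built above before uploading it. Added example, not Delphix
code: assumes this page's aliases; keytool, keystore, FQDN and CA DN are arguments."""
import re
import subprocess
import sys

CA_ALIAS = "delphixca"
LEAF_ALIASES = ("tomcat", "dsp")   # the two aliases the upload dialog asks for

def keytool_list(keytool, keystore, password_env="PASSWORD_ENV"):
    """Run `keytool -list -v`; the store password is read from the environment
    variable, exactly as in the generation commands above."""
    cmd = [keytool, "-list", "-v", "-storetype", "pkcs12", "-keystore", keystore,
           "-storepass:env", password_env]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def parse_entries(listing):
    """Map alias -> facts about the entry's own certificate (Certificate[1]);
    the CA copy printed as Certificate[2] in a signed entry is ignored."""
    entries = {}
    for block in re.split(r"\n(?=Alias name: )", listing):
        alias = re.match(r"Alias name: (\S+)", block)
        if not alias:
            continue                                  # keystore header
        own = block.split("Certificate[2]:")[0]
        def field(pattern):
            m = re.search(pattern, own, re.M)
            return m.group(1).strip() if m else None
        chain = re.search(r"Certificate chain length: (\d+)", block)
        entries[alias.group(1)] = {
            "type": field(r"^Entry type: (.+)$"),
            "chain_len": int(chain.group(1)) if chain else 0,
            "owner": field(r"^Owner: (.+)$"),
            "issuer": field(r"^Issuer: (.+)$"),
            "sans": re.findall(r"DNSName: (\S+)", own),
            "ca": "CA:true" in own,                   # its own BasicConstraints
        }
    return entries

def check_keystore(entries, fqdn, ca_dn):
    """Return the list of problems; an empty list means ready to upload."""
    problems = []
    ca = entries.get(CA_ALIAS)
    if ca is None or not ca["ca"] or ca["owner"] != ca_dn:
        problems.append(f"{CA_ALIAS}: missing, or not a CA with subject {ca_dn!r}")
    for alias in LEAF_ALIASES:
        e = entries.get(alias)
        if e is None:
            problems.append(f"{alias}: alias missing")
            continue
        if e["type"] != "PrivateKeyEntry":
            problems.append(f"{alias}: no private key in this entry")
        if e["chain_len"] < 2 or e["issuer"] != ca_dn:
            problems.append(f"{alias}: still self-signed (sign step not applied)")
        if fqdn not in e["sans"]:
            problems.append(f"{alias}: SAN does not list {fqdn}")
        if e["ca"]:
            problems.append(f"{alias}: end-entity certificate is marked CA:true")
    return problems

# Constructed sample of `keytool -list -v` output (not captured from an engine):
# tomcat was re-issued by the CA, dsp was generated but never signed.
SAMPLE_LISTING = """\
Your keystore contains 3 entries

Alias name: delphixca
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=Engine example.delphix.com CA, C=US
Issuer: CN=Engine example.delphix.com CA, C=US
BasicConstraints:[
  CA:true
]

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=example.delphix.com, C=US
Issuer: CN=Engine example.delphix.com CA, C=US
SubjectAlternativeName [
  DNSName: example.delphix.com
]
Certificate[2]:
Owner: CN=Engine example.delphix.com CA, C=US

Alias name: dsp
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=example.delphix.com, C=US
Issuer: CN=example.delphix.com, C=US
"""

if __name__ == "__main__":
    keytool, keystore, fqdn, ca_dn = sys.argv[1:5]   # ca_dn e.g. 'CN=Engine <domain> CA, C=US'
    issues = check_keystore(parse_entries(keytool_list(keytool, keystore)), fqdn, ca_dn)
    print("\n".join(issues) or "keystore looks ready to upload")
    sys.exit(1 if issues else 0)
```

Run it from the directory holding the keystore, with PASSWORD_ENV still exported, for example: python3 check_keystore.py /work/.../java/jdk/bin/keytool keystore example.delphix.com 'CN=Engine example.delphix.com CA, C=US'. A non-zero exit with a "still self-signed" line means the -certreq/-gencert/-importcert step for that alias did not take effect, which is the most common reason the engine ends up presenting a certificate browsers refuse.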

Windows keytool distinctions

  • Given the Delphix Connector installation directory C:\Program Files\Delphix\DelphixConnector, keytool.exe is found at C:\Program Files\Delphix\DelphixConnector\jre\bin\keytool.exe.

  • In PowerShell, set the environment variable with: $ENV:PASSWORD_ENV='changeit'

  • As with the path assumption above, on Windows change ./keytool to .\keytool.exe if keytool is located in the jre\bin subdirectory.
