Regenerating self-signed end-entity and CA certificates
In many environments, replacing the HTTPS and/or DSP certificate is unnecessary.
The DSP certificate is only relevant if Custom Authorizations have been configured in the Network Security settings, as discussed in the Configuring Network Security Settings article. If those checkboxes are not set, the DSP certificate is not in use.
HTTPS certificate replacement is only necessary if HTTPS connections are used for web browser access.
The following process uses the Java keytool utility. It is available in most Java JDK installations, including those installed with the Delphix Toolkit for Unix, Linux, and Windows environments under <toolkit directory>/*host/java/jdk/bin/. In the following example, /work is the toolkit directory. The subdirectory naming conventions from 5.3.x and 6.0.x are illustrated as:
$ find /work -name keytool
/work/Delphix_COMMON_f126df603015_33e2f61712c3_2_host/java/jdk/jre/bin/keytool
/work/Delphix_COMMON_f126df603015_33e2f61712c3_2_host/java/jdk/bin/keytool
/work/Delphix_COMMON_564d56b0_26ad_e6ac_f782_d15213207664_oracle_host/java/jdk/bin/keytool
/work/Delphix_COMMON_564d56b0_26ad_e6ac_f782_d15213207664_oracle_host/java/jdk/jre/bin/keytool
By the end of this process, a single PKCS#12 keystore file is generated containing the CA certificate and the DSP and HTTPS certificates with their private keys. This file is uploaded twice in the System Setup interface.
Other notes:
The keystore password 'changeit' recommended here is passed through the PASSWORD_ENV environment variable (-storepass:env and -keypass:env) rather than typed into each command line.
Replace <domain> with the Engine FQDN in every command; it is used as the CN (Common Name). For instance, -dname 'CN=Engine <domain> CA, C=US' becomes -dname 'CN=Engine example.delphix.com CA, C=US'.
The certificate aliases are 'tomcat' for HTTPS and 'dsp' for DSP.
The existing Delphix CA certificate in the truststore cannot be removed. Faults related to this certificate should be ignored.
Generate a new Delphix CA certificate. bc=ca:true marks it as a CA, ku=kCS,cRLS allows it to sign certificates and CRLs, and eku=serverAuth is keytool's name for the TLS server authentication OID 1.3.6.1.5.5.7.3.1. The -startdate option backdates the certificate by 10080 minutes (7 days) so that clients whose clocks lag slightly behind the engine still accept it.
PASSWORD_ENV='changeit' keytool -genkeypair -noprompt -alias delphixca -keyalg RSA -keysize 2048 -validity 397 -ext eku=serverAuth -ext bc=ca:true -ext ku=kCS,cRLS -sigalg SHA256withRSA -storepass:env PASSWORD_ENV -storetype pkcs12 -startdate -10080M -dname 'CN=Engine <domain> CA, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Generate the HTTPS/TLS certificate. san=dns:<domain> adds the FQDN as a Subject Alternative Name, which browsers require to match the host name, and bc=ca:false marks it as an end-entity certificate.
PASSWORD_ENV='changeit' keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 397 -ext eku=serverAuth -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Generate the DSP certificate with the same options under the 'dsp' alias.
PASSWORD_ENV='changeit' keytool -genkeypair -alias dsp -keyalg RSA -keysize 2048 -validity 397 -ext eku=serverAuth -ext san=dns:<domain> -ext bc=ca:false -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -startdate -10080M -dname 'CN=<domain>, C=US' -keypass:env PASSWORD_ENV -keystore keystore
Sign the HTTPS/TLS certificate. The pipeline creates a certificate request for the 'tomcat' entry, signs it with the 'delphixca' key, and imports the signed reply back over the 'tomcat' entry; keytool chains the reply to the CA certificate already present in the same keystore. The SAN is given again at -gencert because keytool does not carry extensions over from the request unless -ext honored=... is specified.
PASSWORD_ENV='changeit' keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore | PASSWORD_ENV='changeit' keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M | PASSWORD_ENV='changeit' keytool -importcert -alias tomcat -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore
Sign the DSP certificate the same way.
PASSWORD_ENV='changeit' keytool -certreq -alias dsp -keyalg RSA -sigalg SHA256withRSA -storetype pkcs12 -keypass:env PASSWORD_ENV -storepass:env PASSWORD_ENV -keystore keystore | PASSWORD_ENV='changeit' keytool -gencert -alias delphixca -ext 'san=dns:<domain>' -validity 397 -sigalg SHA256withRSA -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore -startdate -10080M | PASSWORD_ENV='changeit' keytool -importcert -alias dsp -storetype pkcs12 -storepass:env PASSWORD_ENV -keystore keystore
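The steps above, rolled into a script that builds the keystore and then checks it before anything is uploaded. This is an added example and not a Delphix-provided script: it assumes keytool is on the PATH, keeps the 'changeit' password, and takes the engine FQDN and a working directory as hypothetical arguments. Unlike the one-line pipelines above it writes each CSR and signed reply to a file so the intermediate artifacts can be inspected, and it sets the SAN, EKU and basicConstraints at -gencert, where they end up in the certificate that is actually served.

```shell
# Added example (not Delphix's own script). Assumptions: keytool on PATH,
# password 'changeit', FQDN and working directory supplied by the caller.
#
# Usage:  build_keystore engine.example.com /tmp/delphix-certs
#         verify_keystore /tmp/delphix-certs/keystore engine.example.com

export PASSWORD_ENV='changeit'   # read by -storepass:env / -keypass:env

build_keystore() {
    domain=$1
    dir=$2
    ks=$dir/keystore
    mkdir -p "$dir" && rm -f "$ks" || return 1

    # Step 1: self-signed CA. bc=ca:true marks it as a CA, ku=kCS,cRLS lets it
    # sign certificates and CRLs; backdated 7 days (10080 min) for clock skew.
    keytool -genkeypair -noprompt -alias delphixca -keyalg RSA -keysize 2048 \
        -validity 397 -sigalg SHA256withRSA -startdate -10080M \
        -ext bc=ca:true -ext ku=kCS,cRLS \
        -dname "CN=Engine $domain CA, C=US" \
        -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV \
        -keystore "$ks" || return 1

    # Steps 2-5: one key pair per alias, signed by the CA through a CSR.
    for entry in tomcat dsp; do
        keytool -genkeypair -noprompt -alias "$entry" -keyalg RSA -keysize 2048 \
            -validity 397 -sigalg SHA256withRSA -startdate -10080M \
            -dname "CN=$domain, C=US" \
            -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV \
            -keystore "$ks" || return 1

        keytool -certreq -alias "$entry" -sigalg SHA256withRSA \
            -file "$dir/$entry.csr" \
            -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV \
            -keystore "$ks" || return 1

        # Extensions go here, at signing time: -gencert ignores extensions in
        # the request unless -ext honored=... is passed, so a SAN or EKU set
        # only at -genkeypair would not survive into the signed certificate.
        keytool -gencert -alias delphixca -infile "$dir/$entry.csr" \
            -outfile "$dir/$entry.cer" -validity 397 -sigalg SHA256withRSA \
            -startdate -10080M -ext "san=dns:$domain" -ext eku=serverAuth \
            -ext bc=ca:false -storetype pkcs12 -storepass:env PASSWORD_ENV \
            -keystore "$ks" || return 1

        # Importing the reply over the alias replaces the self-signed cert with
        # the CA-signed one; keytool finds delphixca in the same keystore.
        keytool -importcert -noprompt -alias "$entry" -file "$dir/$entry.cer" \
            -storetype pkcs12 -storepass:env PASSWORD_ENV -keypass:env PASSWORD_ENV \
            -keystore "$ks" || return 1
    done
}

# Prints "ok" when both end-entity entries chain to the CA and carry the FQDN
# as a DNS SAN; returns 1 (printing nothing) at the first failed check.
verify_keystore() {
    ks=$1
    domain=$2
    for entry in tomcat dsp; do
        listing=$(keytool -list -v -alias "$entry" -storetype pkcs12 \
            -storepass:env PASSWORD_ENV -keystore "$ks") || return 1
        # A reply that chained to the CA is stored as a two-certificate chain.
        echo "$listing" | grep -q 'Certificate chain length: 2' || return 1
        echo "$listing" | grep -q "Issuer: CN=Engine $domain CA, C=US" || return 1
        echo "$listing" | grep -q "DNSName: $domain" || return 1
    done
    echo ok
}
```

Run verify_keystore before uploading: a missing SAN or a chain length of 1 means the signed reply was not imported over the alias and the engine would serve the throwaway self-signed certificate instead.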
At this point, the certificates can be installed by following the Customer Provided Key Pair method described in the Customer Provided Key Pair Configuration article.
The same keystore generated will be uploaded twice, once using alias 'dsp' and once using alias 'tomcat', to replace DSP and HTTPS certificates, respectively.
If the error Failed to read file with error "Invalid keystore format" occurs, ensure the Upload certificate from a PKCS#12 keystore radio button is selected.
Windows keytool distinctions
Given the Delphix Connector installation directory C:\Program Files\Delphix\DelphixConnector, the keytool.exe executable can be found at C:\Program Files\Delphix\DelphixConnector\jre\bin\keytool.exe.
In PowerShell, set the environment variable with:
$ENV:PASSWORD_ENV='changeit'
The commands above assume keytool is on the PATH. On Windows, run .\keytool.exe from the jre\bin subdirectory (or use the full path above) in place of a bare keytool.