Friday, 16 September 2016

Expired Certificate On VDP Port 29000

So recently I was working on a case where the certificate had expired on port 29000 for VDP 6.1.2. Port 29000 is used for replication data; this can be seen on page 148 of the admin guide linked here. Now, page 46 of the same admin guide talks about replacing the certificate for the appliance; however, that procedure applies to the web management page on port 8543, which serves your vdp-configure page.

If you browse to https://vdp-IP:29000, you will still see the certificate reported as expired, as in the screenshot below:

How do we get this certificate replaced? Well, here are the steps.
In this case the appliance uses a self-signed certificate, and it is replaced with a new self-signed certificate:

1. Log in to the VDP appliance as admin.
2. Type the below command:
# cd ~
3. Use the below command to generate a new self-signed certificate:
# openssl req -x509 -newkey rsa:3072 -keyform PEM -keyout avamar-1key.pem -nodes -outform PEM -out avamar-1cert.pem -subj "/C=US/ST=California/L=Irvine/O=Dell EMC, Inc./OU=Avamar/CN=vdp-hostname.customersite.com" -days 3654
Replace vdp-hostname.customersite.com with your VDP appliance hostname.
The "days" parameter can be altered to set the certificate validity as per your requirement.

The above command generates a SHA1 certificate. If you would like to generate a SHA256 certificate instead, the command would be:
# openssl req -x509 -sha256 -newkey rsa:3072 -keyform PEM -keyout avamar-1key.pem -nodes -outform PEM -out avamar-1cert.pem -subj "/C=US/ST=California/L=Irvine/O=Dell EMC, Inc./OU=Avamar/CN=vdp-hostname.customersite.com" -days 3654
4. The key and certificate are written to the /home/admin directory as "avamar-1key.pem" and "avamar-1cert.pem", respectively.

5. Follow page 38 of the Avamar Security Guide to perform the certificate replacement.

6. After restarting the gsan service as described in the security guide, browse to https://vdp-IP:29000 and verify that the certificate has been renewed.
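
As an added example (not from the original post, and not Avamar/VDP product code), the script below wraps the step 3 command and adds the checks worth running before and after the replacement: that the new certificate is actually SHA-256 signed, that the key and certificate belong together, that it is not about to expire, and that the hostname placeholder was substituted. It assumes only the openssl command line tool; the hostname and working directory are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: generate the replacement certificate
# as in step 3, check it before installing, and fetch what port 29000 serves after.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"          # post writes to /home/admin; scratch dir here
KEY="$WORKDIR/avamar-1key.pem"
CERT="$WORKDIR/avamar-1cert.pem"
CN="${VDP_HOSTNAME:-vdp-hostname.customersite.com}"   # placeholder from the post

# Step 3 of the post, SHA-256 variant; -nodes writes the key unencrypted,
# so restrict it to the admin user right away.
gen_cert() {
    openssl req -x509 -sha256 -newkey rsa:3072 -keyform PEM -keyout "$KEY" -nodes \
        -outform PEM -out "$CERT" -days 3654 \
        -subj "/C=US/ST=California/L=Irvine/O=Dell EMC, Inc./OU=Avamar/CN=$CN" \
        2>/dev/null
    chmod 600 "$KEY"
}

# Signature algorithm of a certificate, e.g. sha256WithRSAEncryption
# (catches a SHA-1 cert produced by an older OpenSSL default).
sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n1
}

# Succeeds only when key ($1) and certificate ($2) carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when the certificate ($1) stays valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Subject CN, to confirm the hostname placeholder was actually replaced.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# After the gsan restart (step 6): dump the certificate port 29000 really serves,
# then run cert_valid_for / sig_alg on it. Usage: remote_cert vdp-IP 29000 > served.pem
remote_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}
```

Running `cert_valid_for served.pem 2592000` against the fetched certificate gives an exit status you can put in a monitoring job, so the next expiry shows up before a security scan does.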

That's pretty much it. This should help if you receive warnings about the expired certificate during security scans against VDP.