Overview

Adding custom CA certificates to the Gateway is crucial for ensuring secure communication between the gateway and other components within your environment. Custom CA certificates allow you to establish trust between the gateway and the servers it interacts with. By adding these certificates, you enhance the overall security posture of your system, protect sensitive data, and prevent potential security vulnerabilities. This practice is essential to maintain the integrity of your communication channels and safeguard your network infrastructure.

Upload the CA Certificates to Gateway

To upload the certificate, you need to generate the certificate locally first. After that, you can proceed to upload the locally issued certificate to both the gateway and vprobe service.

Step 1: Get the Non-OpsRamp/local issuer certificate

Follow the below steps to get the certificate:

  1. For “Direct” use the following command:

    openssl s_client -connect {opsramp-api-server}:{opsramp-api-server-port} -showcerts

  2. For “Proxy” use the following command:

    openssl s_client -connect "{opsramp-api-server:opsramp-api-server-port}" -proxy {proxy-server-ip}:{proxy-server-port} -showcerts

  1. You will receive the certificate output as shown below. Copy this output into a file, such as /home/ruser/cert1.crt.
    -----BEGIN CERTIFICATE-----
    MIIHnTCCBYWgAwIBAgIQApMqHIN6MX/8V6+KRuvlIjANBgkqhkiG9w0BAQsFADBc
    MQswCQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xNDAyBgNVBAMT
    K1JhcGlkU1NMIEdsb2JhbCBUTFMgUlNBNDA5NiBTSEEyNTYgMjAyMiBDQTEwHhcN
    MjIwOTI2MDAwMDAwWhcNMjMxMDI1MjM1OTU5WjAcMRowGAYDVQQDDBEqLmFwaS5v
    cHNyYW1wLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOYUqmn3
    GBFifgvw3d9kCplfUdFtcn8BJDPm2d6cfDqQqNXvJ6sOxoH4pHLaK2Z+AWl+7iqt
    hs+OEumFX/0kOsfFVf/E6LVPDEX0z4mjXaNM3I7/qDMG
    -----END CERTIFICATE-----

Step 2: Upload the issued certificate to Gateway and Vprobe Service

Once the certificates copying is completed then follow steps to upload it to the gateway and vprobe service.

Upload the certificate to Vprobe Service

  1. Run the following command for each certificate using a suitable random string as the {AliasName}.
  • Example for one certificate file:

    sudo keytool -import -noprompt -trustcacerts -alias "{AliasName}-1" -file /home/ruser/cert1.crt -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit

  • Example for two certificate files:

    sudo keytool -import -noprompt -trustcacerts -alias "{AliasName}-1" -file /home/ruser/cert1.crt -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit
    sudo keytool -import -noprompt -trustcacerts -alias "{AliasName}-2" -file /home/ruser/cert2.crt -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts -storepass changeit

  1. Run the following command to verify if the certificate has been successfully uploaded to the vprobe service.
    keytool -list -v -keystore /usr/lib/jvm/java-11-openjdk-amd64/lib/security/cacerts | grep -i '{AliasName}'

Upload the certificate to Gateway

Run the following commands that you can use as examples to upload the certificate:

sudo cp /home/ruser/cert1.crt /usr/local/share/ca-certificates

sudo update-ca-certificates