Symptoms


An administrator may want to use a signed .CER (X509) SSL certificate to replace the self-signed certificate for the Zerto Virtual manager (ZVM), Zerto Self-Service Portal (ZSSP), or the Zerto Cloud Manager (ZCM).  To do so, this certificate must first be converted to a .PFX (PKCS 12) SSL certificate.  This article outlines the steps necessary to do so, and how to replace the self-signed certificate.

 

Solution


For instructions on generating a CSR, follow instructions in the How to Generate a Certificate Signing Request and Key for Use with ZVR article.  Once sent to a certificate authority, a .CER SSL certificate is returned.

 

To convert a .CER (X509) SSL certificate to a .PFX (PKCS 12) SSL certificate, follow these steps:


  1. Download the OpenSSL binaries: https://www.openssl.org/source/

  2. After installing OpenSSL, open a command prompt and change the directory to the installation directory of OpenSSLbin.

  3. Run the following command to convert the CER certificate to a PFX certificate (note that the .CER and .KEY file should be copied to the OpenSSL bin directory):

    1. cd c:openssl-win32bin

    2. openssl pkcs12 –export –in server.cer –inkey privateKey.key –out server.pfx


The result will be a server.pfx file, which needs to be copied to the Zerto Virtual Replication installation directory.

 

In ZVR 3.1 and greater, in order to change the default security certificate for your ZVM, follow these steps:

  1. Open the Zerto Diagnostics utility on the Windows VM running the ZVM.
  2. Choose "Reconfigure Zerto Virtual Manager".
  3. Ensure the vCenter configuration is correct, and click next.
  4. Check "Replace SSL Certificate" under the "HTTP Certificate" section.
  5. Choose the browse (...) button, and locate and select the new SSL certificate.
  6. Enter the new SSL certificate's associated password and click next.
  7. The utility will verify the necessary vCenter connectivity - once passed, choose next, and the ZVM will be reconfigured.

 

In ZVR 3.0 and prior, in order to change the default security certificate for your ZVM, follow these steps:

  1. Download the Zerto "ExtensionRegistration" utility to the ZVM via the following link: ExtensionRegistration

  2. Stop the ZVM service on the machine where Zerto Virtual Replication (ZVR)  is installed.

  3. Go to the location where ZVR is installed (the default is "C:Program Files (x86)ZertoZerto Virtual Replication"), and make a backup of file "zvmHttpsCert.pfx".

  4. Copy your own certificate to this directory and change the name to "zvmHttpsCert.pfx".

  5. Define the certificate password in the "tweaks.txt" file in the ZVR folder by opening the "tweaks.txt" file, adding the following: t_httpsZvmCertificateFilePassword = "MyCertPassword", and then save the file

  6. Run ExtensionRegistration “Unregister” command via CMD from within “C:Program Files (x86)ZertoZerto Virtual Replication”. Run this command as per the following:

    1. ExtensionRegistration <Register|Unregister> [<VCenter IP> <VCenter username> <VCenter password> <Plugin IP> <Plugin port>]

    2. For example: ExtensionRegistration Register 172.30.0.70 root password 172.30.0.77 9669

  7. Run ExtensionRegistration “Register” command via CMD from within “C:Program Files (x86)ZertoZerto Virtual Replication” as per the format above.

  8. Start the ZVM service.

  9. Close and re-open the vSphere Client or ZVR web GUI.

 

In order to change the default security certificate for the ZSSP, follow these steps:

  1. Stop the ZVM service on the machine where Zerto Virtual Replication (ZVR)  is installed.

  2. Go to the location where ZVR is installed (the default is "C:Program Files (x86)ZertoZerto Virtual Replication"), and make a backup of file "zvmPortalHttpsCert.pfx".

  3. Copy your own certificate to this directory and change the name to "zvmPortalHttpsCert.pfx".

  4. Define the certificate password in the "tweaks.txt" file in the ZVR folder by opening the "tweaks.txt" file, adding the following, and then save the file: t_httpsPortalZvmCertificateFilePassword = "MyCertPassword"

  5. Start the ZVM service.

 

In order to change the default security certificate for your ZCM, follow these steps:

  1. Stop the ZCM service on the machine where it is installed.

  2. Go to the location where the ZCM is installed (the default is "C:Program Files (x86)ZertoZerto Cloud Manager"), and make a backup of file "zvmHttpsCert.pfx".

  3. Copy your own certificate to this directory and change the name to "zvmHttpsCert.pfx".

  4. Define the certificate password in the "tweaks.txt" file in the ZVR folder by opening the "tweaks.txt" file, adding the following, and then save the file: t_httpsZvmCertificateFilePassword = "MyCertPassword"

  5. Start the ZCM service.