Symptoms:

An administrator may want to use a signed .CER (X509) SSL certificate to replace the self-signed certificate for the Zerto Virtual Manager (ZVM), Zerto Self-Service Portal (ZSSP), or the Zerto Cloud Manager (ZCM).  To do so, this certificate must first be converted to a .PFX (PKCS 12) SSL certificate.  This article outlines the steps necessary to do so, and how to replace the self-signed certificate.


Solution:

For instructions on generating a CSR, follow the instructions in the "How to Generate a Certificate Signing Request and Key for Use with ZVR" article.  Once the CSR is sent to a certificate authority, a .CER SSL certificate is returned.

To convert a .CER (X509) SSL certificate to a .PFX (PKCS 12) SSL certificate, follow these steps:

  1. Download the OpenSSL binaries: https://www.openssl.org/source/
  2. After installing OpenSSL, open a command prompt and change the directory to the OpenSSL\bin installation directory.
  3. Run the following commands to convert the CER certificate to a PFX certificate (note that the .CER and .KEY files should be copied to the OpenSSL bin directory):
    1. cd c:\openssl-win32\bin
    2. openssl pkcs12 -export -inkey privateKey.key -in server.cer -out server.pfx

The result will be a server.pfx file, which needs to be copied to the Zerto Virtual Replication installation directory.
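
The conversion in step 3 can be wrapped in a few pre-flight checks. The following PowerShell script is an added example, not part of the original article or Zerto's tooling; it assumes openssl.exe is on the PATH and uses the file names from the steps above, plus a scratch file name (server.pem) chosen here.

```powershell
# Added example. Assumes openssl.exe is on PATH and the article's file names;
# server.pem is a scratch name chosen for this example.
$cer = 'server.cer'; $key = 'privateKey.key'; $pfx = 'server.pfx'

# 1. A CA-issued .cer may be DER (binary) or PEM (Base64). Normalize to PEM.
$isPem = Select-String -Path $cer -Pattern '-----BEGIN CERTIFICATE-----' -SimpleMatch -Quiet
if (-not $isPem) {
    & openssl x509 -inform DER -in $cer -out 'server.pem'
    if ($LASTEXITCODE -ne 0) { throw "$cer is neither PEM nor DER X.509" }
    $cer = 'server.pem'
}

# 2. The certificate must carry the public half of the private key.
$certPub = (& openssl x509 -in $cer -noout -pubkey) -join "`n"
$keyPub  = (& openssl pkey -in $key -pubout) -join "`n"
if (-not $certPub -or $certPub -ne $keyPub) {
    throw "Public key in $cer does not match $key"
}

# 3. Refuse a certificate that has already expired.
& openssl x509 -in $cer -noout -checkend 0 | Out-Null
if ($LASTEXITCODE -ne 0) { throw "$cer has expired" }

# 4. Build the PFX as in step 3 of the article (prompts for an export password).
& openssl pkcs12 -export -inkey $key -in $cer -out $pfx
if ($LASTEXITCODE -ne 0) { throw 'PFX export failed' }

# 5. Re-open the PFX with the password just set; this is the password
#    the Zerto utilities will ask for later.
& openssl pkcs12 -in $pfx -noout -info
if ($LASTEXITCODE -ne 0) { throw "Cannot open $pfx with that password" }

# Show the identity and expiry date that clients will see.
& openssl x509 -in $cer -noout -subject -issuer -enddate
```

Once server.pfx has been copied to its destination, remove the leftover copies of privateKey.key and server.pfx from the OpenSSL bin directory, since both contain the private key.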

 

In order to change the default security certificate for your ZVM, follow these steps:

  1. Open the Zerto Diagnostics utility on the Windows VM running the ZVM.
  2. Choose "Reconfigure Zerto Virtual Manager."
  3. Ensure the vCenter configuration is correct, and click "Next."
  4. Check "Replace SSL Certificate" under the "HTTP Certificate" section.
  5. Choose the browse (…) button, and locate and select the new SSL certificate.
  6. Enter the new SSL certificate's associated password and click "Next."
  7. The utility will verify the necessary vCenter connectivity. Once it has passed, choose "Next," and the ZVM will be reconfigured.

In order to change the default security certificate for the ZSSP, follow these steps:

  1. Stop the ZVM service on the machine where Zerto Virtual Replication (ZVR) is installed.
  2. Go to the location where ZVR is installed (the default for 64 bit OS is "C:\Program Files\Zerto\Zerto Virtual Replication"), and make a backup of the file "zvmPortalHttpsCert.pfx".
  3. Copy your own certificate to this directory and change the name to "zvmPortalHttpsCert.pfx".
  4. Define the certificate password in the "tweaks.txt" file in the ZVR folder by opening the "tweaks.txt" file, adding the following line, and then saving the file: t_httpsPortalZvmCertificateFilePassword = "MyCertPassword"
  5. Start the ZVM service.

In order to change the default security certificate for your ZCM, follow these steps:

  1. Stop the ZCM service on the machine where it is installed.
  2. Go to the location where the ZCM is installed (the default for 64 bit OS is "C:\Program Files\Zerto\Zerto Cloud Manager") and make a backup of the file "zvmHttpsCert.pfx".
  3. Copy your own certificate to this directory and change the name to "zvmHttpsCert.pfx".
  4. In the same location (the default for 64 bit OS is "C:\Program Files\Zerto\Zerto Cloud Manager"), make a backup of the file "zvm.pfx".
  5. Copy your own certificate to this directory and change the name to "zvm.pfx".
  6. Define the certificate password in the "tweaks.txt" file in the ZVR folder by opening the "tweaks.txt" file, adding the following line, and then saving the file: t_httpsZvmCertificateFilePassword = "MyCertPassword"
  7. Start the ZCM service.