Symptoms:
The administrator finds that the Zerto SSL certificates are expiring. The 3 certificates are located in /Program Files/Zerto/Zerto Virtual Replication/ and are named as follows:
zvm.pfx
zvmHttpsCert.pfx
zvmPortalHttpsCert.pfx
Solution:
1) Install OpenSSL on the ZVM, using the link below, so that you can generate the Certificate Signing Request (CSR).
Latest version: https://slproweb.com/download/Win64OpenSSL-1_1_1d.exe
2) Open a command prompt as Administrator and change to the OpenSSL installation directory (default: C:\Program Files\OpenSSL-Win64\bin).
3) Run the following command to create the CSR and generate a private encryption key:
openssl req -out server2.csr -new -newkey rsa:2048 -nodes -keyout pk.key
4) Follow the prompts on the screen to create your CSR file. Normally this would be signed by a 3rd party certificate authority such as GoDaddy or Verisign. However, in this case we will be self-signing the certificate to get up and running ASAP.
5) Now that you have the CSR file, you must self-sign it to produce a .CER file. Note that the command below creates a self-signed cert that is valid for 1000 days. The default (without specifying the -days switch) is 30 days:
openssl x509 -req -in server2.csr -signkey pk.key -days 1000 -out server2.cer
6) Now that we've self-signed our CER file with the private key that was generated in the first command, we have to export it to a PFX file so that it can be used by the ZVM. This can be done with the command below, which prompts for an export password that protects the PFX:
openssl pkcs12 -export -inkey pk.key -in server2.cer -out server2.pfx
7) Copy the newly created PFX file to the Zerto installation directory (/Program Files/Zerto/Zerto Virtual Replication/) and make 2 copies of this same file (for a total of 3 files).
8) Back up/remove the old certificates. Then rename the newly created PFX files to the names listed below:
zvm.pfx
zvmHttpsCert.pfx
zvmPortalHttpsCert.pfx
9) Follow the steps below depending on which certificate needs to be replaced.
In order to change the default security certificate for your ZVM, follow these steps:
a. Open the Zerto Diagnostics utility on the Windows VM running the ZVM.
b. Choose "Reconfigure Zerto Virtual Manager."
c. Ensure the vCenter configuration is correct, and click "Next."
d. Check "Replace SSL Certificate" under the "HTTP Certificate" section.
e. Choose the browse (...) button, and locate and select the new SSL certificate.
f. Enter the new SSL certificate's associated password and click "Next."
g. The utility will verify the necessary vCenter connectivity. Once it has passed, choose "Next," and the ZVM will be reconfigured.
NOTE: This change only impacts the zvmHttpsCert.pfx file as expected.
In order to change the default security certificate for the ZSSP, follow these steps:
a. Stop the ZVM service on the machine where Zerto Virtual Replication (ZVR) is installed.
b. Go to the location where ZVR is installed (the default for 64 bit OS is "C:\Program Files\Zerto\Zerto Virtual Replication"), and make a backup of file "zvmPortalHttpsCert.pfx".
c. Copy your own certificate to this directory and change the name to "zvmPortalHttpsCert.pfx".
d. Start the ZVM service.
In order to change the default security certificate for your ZCM, follow these steps:
a. Stop the ZCM service on the machine where it is installed.
b. Go to the location where the ZCM is installed (the default for 64 bit OS is "C:\Program Files\Zerto\Zerto Cloud Manager") and make a backup of file "zvmHttpsCert.pfx".
c. Copy your own certificate to this directory and change the name to "zvmHttpsCert.pfx".
d. Start the ZCM service.
NOTE: The above steps will only work as-is if the password entered during Steps 3 and 4 above is "zerto" (this is the default/expected value which Zerto will look for). If any other password is used, follow these steps:
a. Stop the ZVM/ZCM service (depending on which certificate is being replaced, as explained above).
b. Follow the KB "How To Edit The ZVM Custom Settings File: Tweaks.txt" to apply the following tweak for versions prior to 7.5:
t_httpsZvmCertificateFilePassword = "MyCertPasswordHere"
c. If on version 7.5 or higher, kindly open a case with Zerto Support and request assistance to apply the necessary tweak above, as this requires the "Tweak Tool" starting in 7.5.
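
To confirm the replacement before and after restarting the services, the following PowerShell check (an added example, not part of the original article or of Zerto's tooling) opens each of the three PFX files with the expected password and reports expiry, private-key presence and thumbprint. The function name, its parameters and the 60-day warning threshold are assumptions; the directory and the "zerto" password are the defaults stated in this article.

```powershell
# Added example: not Zerto tooling. Function name and parameters are hypothetical.
function Test-ZertoPfx {
    param(
        # Default ZVR install directory named in the article (assumed unchanged).
        [string]$Directory = 'C:\Program Files\Zerto\Zerto Virtual Replication',
        # PFX password; "zerto" is the value the article says Zerto looks for.
        [string]$Password = 'zerto',
        # Flag certificates that expire within this many days (constructed threshold).
        [int]$WarnDays = 60
    )
    $names = 'zvm.pfx', 'zvmHttpsCert.pfx', 'zvmPortalHttpsCert.pfx'
    foreach ($name in $names) {
        $path = Join-Path $Directory $name
        $row = [ordered]@{
            File = $name; Status = ''; NotAfter = $null
            DaysLeft = $null; HasPrivateKey = $null; Thumbprint = $null
        }
        if (-not (Test-Path -LiteralPath $path)) {
            $row.Status = 'Missing'
        } else {
            try {
                # Throws if the password is wrong or the file is not valid PKCS#12.
                $cert = New-Object `
                    System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $path, $Password
                $row.NotAfter      = $cert.NotAfter
                $row.DaysLeft      = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
                $row.HasPrivateKey = $cert.HasPrivateKey
                $row.Thumbprint    = $cert.Thumbprint
                if (-not $cert.HasPrivateKey)         { $row.Status = 'NoPrivateKey' }
                elseif ($row.DaysLeft -lt 0)          { $row.Status = 'Expired' }
                elseif ($row.DaysLeft -lt $WarnDays)  { $row.Status = 'ExpiringSoon' }
                else                                  { $row.Status = 'OK' }
            } catch {
                # Wrong password or corrupt file: surface the loader's message.
                $row.Status = "LoadFailed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

# Run against the default directory; pass -Directory / -Password to override.
Test-ZertoPfx | Format-Table -AutoSize
```

Directly after step 8 the three thumbprints should be identical, because the files are copies of the same PFX. A LoadFailed status with the default password indicates the PFX was exported with a different password, which is the case the NOTE above covers.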