10.4.1 Replacing an Existing Certificate with a new Self-Signed or CA-Signed Certificate
A self-signed certificate is created and installed during NNMi installation. You would typically replace a certificate in any of the following scenarios:
-
To use a new self-signed or CA-signed certificate instead of the default certificate.
-
To renew an expired certificate.
To replace a certificate, do the following:
-
Generate a self-signed certificate. For details, see 10.4.2 Generating a Self-Signed Certificate.
-
If you organization requires the certificate to be signed by a CA, generate a CSR (Certificate Signing Request) file and obtain a CA signed certificate. For details, see 10.4.3 Generating a CA-Signed Certificate.
-
Open the following file and update the com.hp.ov.nms.ssl.KEY_ALIAS variable to the value you used for <alias> while generating a certificate.
-
Windows: %NNM_CONF%\nnm\props\nms-local.properties
-
Linux: $NNM_CONF/nnm/props/nms-local.properties
-
-
Restart the NNMi Management Server.
ovstop ovstart
- Note
-
When making file changes under High Availability (HA), you need to make the changes on both nodes in the cluster. For NNMi using HA configurations, if the change requires you to stop and restart the NNMi management server, you must put the nodes in maintenance mode before running the ovstop and ovstart commands.
-
Test HTTPS access to the NNMi console using the following syntax:
https://<fully_qualified_domain_name>:<port_number>/nnm/.
If you have used CA-signed certificate and if the browser trusts the CA, it will trust the HTTPS connection to the NNMi console.
If you have used self-signed certificate, browser displays a warning message about the untrusted HTTPS connection to the NNMi Console.