Article number
000003164

How To Renew/Replace Zerto’s SSL Certificates That Are Nearing Or Past Expiration if Using a Custom Password

Root Cause

In versions prior to 7.5u3, certificates are near or past expiration, and the user requires a custom password for the certificates.

Symptoms

Administrator finds that the Zerto SSL certificates are expiring. The 3 certificates are found in /Program Files/Zerto/Zerto Virtual Replication/ and are named as follows:
 
zvm.pfx: This is an internal certificate and is not directly used by the ZVR GUI. The password for this certificate must be 'zerto'. Note: This certificate is not expected to need renewal.
zvmHttpsCert.pfx: This is an external certificate used by the ZVR GUI. The default password is 'zerto', but on the ZVM it can be changed if the user requires. On a ZCM, the password for this certificate must be 'zerto'.
zvmPortalHttpsCert.pfx: This is an external certificate used by the Zerto Self Service Portal (ZSSP). The default password is 'zerto' but can be changed if the user requires.
** Note **: If zvmHttpsCert.pfx or zvmPortalHttpsCert.pfx is being renewed on the ZVM and the renewed certificate will use the default password of 'zerto', follow the KB "How To Renew/Replace Zerto's SSL Certificates That Are Nearing Or Past Expiration" instead of this article.

Solution

Fix:
Starting in Zerto 7.5u3, the certificates will now have an expiration date in the year 2200.

Workaround:
The PowerShell cmdlet 'New-SelfSignedCertificate' can be used to create a self signed certificate.

** Note **: Only renew the certificate that is expiring. Not all certificates will need renewal at the same time.

1) Rename the original certificate file(s) that need to be renewed to create a backup (e.g. zvm.pfx.bak-{yyyy-mm-dd}).

zvmHttpsCert.pfx.bak-2020-03-16
zvmPortalHttpsCert.pfx.bak-2020-03-16


2) Open PowerShell. To create a self signed certificate that is valid for 3 years, issue the following commands, replacing myzvr.domain.com with the valid hostname:

$todaydt = Get-Date
$3years = $todaydt.AddYears(3)
New-SelfSignedCertificate -dnsname myzvr.domain.com -notafter $3years -CertStoreLocation cert:\LocalMachine\My


Note: The option -notafter is not valid on versions of Windows Server prior to 2016. If the ZVM is running on a version of Windows Server prior to 2016, do not use this option. Without it, the certificate that is created is valid for one year. Example:

New-SelfSignedCertificate -dnsname myzvr.domain.com -CertStoreLocation cert:\LocalMachine\My

Output similar to the following will be shown. Note the thumbprint:

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                               Subject
----------                               -------
54005B7DB7DC642F8EF981BACD9A8CBEB1D2E15F CN=myzvr.domain.com

3) To then export the generated certificate to a password protected PFX file, the thumbprint noted above will be needed (replace the example below with what is obtained in step 2). Issue the following commands in PowerShell, which set the custom password of 'MyCertPassword':

$CertPassword = ConvertTo-SecureString -String "MyCertPassword" -Force -AsPlainText

Then if exporting a new zvmHttpsCert.pfx file:

Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath "C:\Program Files\Zerto\Zerto Virtual Replication\zvmHttpsCert.pfx" -Password $CertPassword

If exporting a new zvmPortalHttpsCert.pfx file:

Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath "C:\Program Files\Zerto\Zerto Virtual Replication\zvmPortalHttpsCert.pfx" -Password $CertPassword

4) Follow the steps below depending on which certificate needs to be replaced.

In order to update the security certificate for the ZVM (zvmHttpsCert.pfx), follow these steps on the ZVM:

a. Open the Zerto Diagnostics utility on the Windows VM running the ZVM.
b. Choose "Reconfigure Zerto Virtual Manager."
c. Ensure the vCenter configuration is correct, and click "Next."
d. Check "Replace SSL Certificate" under the "HTTP Certificate" section.
e. Choose the browse (...) button, and locate and select zvmHttpsCert.pfx as the certificate.
f. Enter the new SSL certificate's associated password 'MyCertPassword' and click next.
g. The utility will verify the necessary vCenter connectivity - once passed, choose next, and the ZVM will be reconfigured.
h. Follow KB How To Edit The ZVM Custom Settings File: Tweaks.txt to apply the following tweak for versions prior to 7.5:

t_httpsZvmCertificateFilePassword = "MyCertPassword"

Note: If on version 7.5 or higher, open a case with Zerto Support and request assistance to apply the necessary tweaks above as this requires the "Tweaks Tool" starting in version 7.5.
i. Start the ZVM service.

In order to update the security certificate for the ZSSP (zvmPortalHttpsCert.pfx), follow these steps on the ZVM:

a. Stop the ZVM service on the machine where Zerto Virtual Replication (ZVR) is installed.
b. Go to the location where ZVR is installed (the default for a 64-bit OS is "C:\Program Files\Zerto\Zerto Virtual Replication"), and ensure the new certificate file zvmPortalHttpsCert.pfx exists from step 3 above.
c. Follow KB How To Edit The ZVM Custom Settings File: Tweaks.txt to apply the following tweak for versions prior to 7.5:

t_httpsPortalZvmCertificateFilePassword = "MyCertPassword"

Note: If on version 7.5 or higher, open a case with Zerto Support and request assistance to apply the necessary tweaks above, as this requires the "Tweaks Tool" starting in version 7.5.
d. Start the ZVM service.
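
The following check is an added example and is not part of the original Zerto article. It can be run after step 3 and before step 4 to confirm that an exported PFX file opens with the custom password, contains a private key, carries the expected hostname and is not close to expiry. The function name Test-ZertoPfx, the 30-day warning threshold and the use of Read-Host for the password are assumptions made for illustration; the path and hostname are the examples used above.

```powershell
# Added example, not Zerto's own code. Test-ZertoPfx and the 30-day
# threshold are hypothetical names/values chosen for this illustration.
function Test-ZertoPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [System.Security.SecureString] $Password,
        [string] $ExpectedDnsName,
        [int] $WarnDays = 30
    )
    $result = [ordered]@{
        File = Split-Path $Path -Leaf; Ok = $false
        Thumbprint = $null; NotAfter = $null; Problems = @()
    }
    try {
        # Opening the file fails if the password is wrong or the PFX is damaged.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $Path, $Password
    } catch {
        $result.Problems += "cannot open: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    try {
        $result.Thumbprint = $cert.Thumbprint
        $result.NotAfter   = $cert.NotAfter
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        if (-not $cert.HasPrivateKey) { $result.Problems += 'no private key in PFX' }
        if ($daysLeft -lt $WarnDays)  { $result.Problems += "expires in $daysLeft day(s)" }
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $dns = $cert.GetNameInfo($nameType, $false)
        if ($ExpectedDnsName -and $dns -ne $ExpectedDnsName) {
            $result.Problems += "certificate name is '$dns', expected '$ExpectedDnsName'"
        }
    } finally {
        $cert.Reset()   # release the key material loaded from the file
    }
    $result.Ok = ($result.Problems.Count -eq 0)
    [pscustomobject]$result
}

# Prompt for the password so it is not stored in the command history.
$pw  = Read-Host -AsSecureString -Prompt 'PFX password'
$dir = 'C:\Program Files\Zerto\Zerto Virtual Replication'
Test-ZertoPfx -Path (Join-Path $dir 'zvmHttpsCert.pfx') -Password $pw `
    -ExpectedDnsName 'myzvr.domain.com'
```

The same function can be pointed at zvmPortalHttpsCert.pfx, or at an existing file with its current password, to see which certificate is actually expiring before anything is renewed.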