Article number: 000003164
Affected Versions: All
Source Hypervisor: All
Target Hypervisor: All

How To Renew/Replace Zerto’s SSL Certificates That Are Nearing Or Past Expiration if Using a Custom Password


Summary

In versions prior to 7.5u3, certificates are near or past expiration, and the user requires a custom password for the certificates.

The administrator finds that the Zerto SSL certificates are expiring. The 3 certificates are found in /Program Files/Zerto/Zerto Virtual Replication/ and are named as follows:

 
zvm.pfx: This is an internal certificate and is not directly used by the ZVR GUI. The default password is 'zerto', but it can be changed on the ZVM if the user requires. Note: This certificate is not expected to need renewal.
zvmHttpsCert.pfx: This is an external certificate used by the ZVR GUI. The default password is 'zerto', but it can be changed on the ZVM if the user requires. On a ZCM, the password for this certificate must be 'zerto'.
zvmPortalHttpsCert.pfx: This is an external certificate used by the Zerto Self Service Portal (ZSSP). The default password is 'zerto', but it can be changed if the user requires.

** Note **: If renewing zvmHttpsCert.pfx or zvmPortalHttpsCert.pfx on the ZVM and these certificates will use the default password of 'zerto', follow the KB "How To Renew/Replace Zerto's SSL Certificates That Are Nearing Or Past Expiration" instead.

Steps

Fix:
Starting in Zerto 7.5u3, the default Zerto certificates will now have an expiration date in the year 2200.

Workaround:
The PowerShell cmdlet 'New-SelfSignedCertificate' can be used to create a self-signed certificate.

** Note **: Only renew the certificate that is expiring. Not all certificates will need renewal at the same time.

1) Rename the original certificate file(s) that need to be renewed to create a backup (e.g. zvm.pfx.bak-{yyyy-mm-dd}).

zvmHttpsCert.pfx.bak-2020-03-16
zvmPortalHttpsCert.pfx.bak-2020-03-16


2) Open PowerShell. To create a self-signed certificate that is valid for 3 years, issue the following commands, replacing myzvr.domain.com with the valid hostname:

$todaydt = Get-Date
$3years = $todaydt.AddYears(3)
New-SelfSignedCertificate -dnsname myzvr.domain.com -notafter $3years -CertStoreLocation cert:\LocalMachine\My


Note: The option -notafter is not valid on versions of Windows Server prior to 2016. If the ZVM is running on a version of Windows Server prior to 2016, do not use this option. Instead, a certificate will be created that is valid for one year. Example:

New-SelfSignedCertificate -dnsname myzvr.domain.com -CertStoreLocation cert:\LocalMachine\My

Output similar to the following will be shown. Note the thumbprint:

Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                               Subject
----------                               -------
54005B7DB7DC642F8EF981BACD9A8CBEB1D2E15F CN=myzvr.domain.com

3) To then export the generated certificate to a password protected PFX file, the thumbprint noted above will be needed (replace the example below with what is obtained in step 2). Issue the following commands in PowerShell, which set the custom password of 'MyCertPassword': 

$CertPassword = ConvertTo-SecureString -String "MyCertPassword" -Force -AsPlainText

Create a folder to store the newly exported certificates, such as c:\customcertificates

Then if exporting a new zvmHttpsCert.pfx file:

Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath "C:\customcertificates\zvmHttpsCert.pfx" -Password $CertPassword

If exporting a new zvmPortalHttpsCert.pfx file:

Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath "C:\customcertificates\zvmPortalHttpsCert.pfx" -Password $CertPassword

If exporting a new zvm.pfx file:

Export-PfxCertificate -Cert cert:\LocalMachine\My\2779C7928D055B21AAA0Cfe2F6BE1A5C2CA83B30 -FilePath "C:\customcertificates\zvm.pfx" -Password $CertPassword

4) Follow the steps below depending on which certificate needs to be replaced.

In order to update the security certificate for the ZVM (zvmHttpsCert.pfx), follow these steps on the ZVM:

a. Open the Zerto Diagnostics utility on the Windows VM running the ZVM.

b. Choose "Reconfigure Zerto Virtual Manager."

c. Ensure the vCenter configuration is correct, and click "Next."

d. Check "Replace SSL Certificate" under the "HTTP Certificate" section.

e. Choose the browse (...) button, and locate and select the newly generated zvmHttpsCert.pfx, from step 3 above, as the certificate.

f. Enter the new SSL certificate's associated password 'MyCertPassword' and click next.

g. The utility will verify the necessary vCenter connectivity - once passed, choose next, and the ZVM will be reconfigured.

In order to update the security certificate for the ZSSP (zvmPortalHttpsCert.pfx), follow these steps on the ZVM:

a. Follow KB "How To Edit The ZVM Custom Settings File: Tweaks.txt" to apply the following tweak for versions prior to 7.5:

t_httpsPortalZvmCertificateFilePassword = "MyCertPassword"

Note: If on version 7.5 or higher, open a case with Zerto Support and request assistance to apply the necessary tweaks above, as this requires the "Tweaks Tool" starting in 7.5.

b. Stop the ZVM service on the machine where Zerto Virtual Replication (ZVR) is installed.

c. Go to the location where ZVR is installed (the default for 64 bit OS is "C:\Program Files\Zerto\Zerto Virtual Replication"), back up the file zvmPortalHttpsCert.pfx, and replace it with the one generated in step 3 above.

d. Start the ZVM service.

In order to update the security certificate for the ZVM (zvm.pfx), follow these steps on the ZVM:

a. Follow KB "How To Edit The ZVM Custom Settings File: Tweaks.txt" to apply the following tweaks for versions prior to 7.5:

t_httpsZvmCertificateFilePassword = "MyCertPassword"

t_ZvmCertificateSubject = "X"

X = the dnsname set earlier on the certificate in step 2 above

Note: If on version 7.5 or higher, open a case with Zerto Support and request assistance to apply the necessary tweaks above, as this requires the "Tweaks Tool" starting in 7.5.

b. Stop the ZVM service on the machine where Zerto Virtual Replication (ZVR) is installed.

c. Go to the location where ZVR is installed (the default for 64 bit OS is "C:\Program Files\Zerto\Zerto Virtual Replication"), back up the file zvm.pfx, and replace it with the one generated in step 3 above.

d. Start the ZVM service.
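
Before replacing any file in step 4, the PFX files exported in step 3 can be checked to confirm that they open with the custom password, carry the expected subject (the value later used for t_ZvmCertificateSubject), and are not expired. The PowerShell below is an added example, not part of the original article or Zerto's tooling; Get-PfxSummary is a hypothetical helper, the folder and hostname are the sample values from steps 2 and 3, and it assumes the PKI module's Get-PfxData cmdlet is available on the ZVM.

```powershell
# Added example (not Zerto code). Get-PfxSummary is a hypothetical helper name.
function Get-PfxSummary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )
    # Get-PfxData reads the PFX without importing it into a certificate store.
    # With -ErrorAction Stop, a wrong password stops the script here.
    $pfx = Get-PfxData -FilePath $Path -Password $Password -ErrorAction Stop
    foreach ($cert in $pfx.EndEntityCertificates) {
        $daysLeft = [int][math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
        $status = if ($daysLeft -lt 0) {
            'EXPIRED'
        } elseif ($cert.Subject -ne $ExpectedSubject) {
            'SUBJECT MISMATCH'
        } else {
            'OK'
        }
        [pscustomobject]@{
            File       = Split-Path -Leaf $Path
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint   # compare with the value noted in step 2
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Status     = $status
        }
    }
}

# Sample values from the article; replace with the real hostname and folder.
$expectedSubject = 'CN=myzvr.domain.com'
$folder          = 'C:\customcertificates'

# Prompt for the custom password so it is not typed as plain text on the command line.
$password = Read-Host -AsSecureString -Prompt 'PFX password'

Get-ChildItem -Path $folder -Filter '*.pfx' | ForEach-Object {
    Get-PfxSummary -Path $_.FullName -Password $password -ExpectedSubject $expectedSubject
} | Format-Table -AutoSize
```

The same function can be pointed at the backed-up originals from step 1 (with their current password) to see which certificate is actually nearing expiration before renewing it.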