Signed CA cert

  • KM02788386
  • 05-May-2017
  • 05-May-2017

Archived Content: This information is no longer maintained and is provided "as is" for your convenience.


How to renew an existing CA-signed certificate on Express or ESM


I imported a signed CA certificate and its chain using the admin manual, but when I run ./arcsight tempca -i
I get the following:
Manager Server Keystore
Key Store config/jetty/keystore
Type JKS
Certificate N/A
Host Name <none>
Valid N/A
From N/A
To N/A


How to renew an existing CA-signed certificate on Express or ESM


Step 1:

Backups (the backup is needed again later in the procedure, so do not skip this step):

#For Web

cp -r /opt/arcsight/web/config/jetty/ /opt/arcsight/web/config/jetty.bak/

cp /opt/arcsight/web/jre/lib/security/cacerts /opt/arcsight/web/jre/lib/security/cacerts.bak


#For Manager

cp -r /opt/arcsight/manager/config/jetty/ /opt/arcsight/manager/config/jetty.bak/

cp /opt/arcsight/manager/jre/lib/security/cacerts /opt/arcsight/manager/jre/lib/security/cacerts.bak


Step 2:

The private key alias should be mykey. Here is how to check what your current private key alias is:

#Check Alias

/opt/arcsight/manager/bin/arcsight keytool -store managerkeys -list

This should produce output similar to the following:


/opt/arcsight/manager/bin/arcsight keytool -store managerkeys -list


Assuming ARCSIGHT_HOME: /opt/arcsight/manager

Assuming JAVA_HOME: /opt/arcsight/manager/jre


ArcSight Keytool Wrapper starting...


ArcSight Keytool Wrapper

Registered default configuration as NGPropertiesFileConfiguration [_defaultsFileName=config/, _localFileName=config/]

Using key store: /opt/arcsight/manager/config/jetty/keystore (JKS)


Keystore type: JKS

Keystore provider: SUN


Your keystore contains 1 entry


mykey, Apr 14, 2017, PrivateKeyEntry,

Certificate fingerprint (SHA1): BA:7A:A7:C0:B6:77:00:B7:E1:F6:A5:AA:92:6F:01:1D:7F:25:45:A8


Notice there is only one entry in the keystore and the alias is mykey.


***** If the private key alias is not mykey, use that alias instead of mykey in step 3. *****


Step 3:

Did you check the alias name in step 2? If not, go home.

#Request Renewal CSR

/opt/arcsight/manager/bin/arcsight keytool -store managerkeys -certreq -alias mykey -file /tmp/certrequest.csr


Step 4:

#Send CSR to your Cert Vendor


Step 5:

#If the new cert has a different Root, Intermediate, or Issuing CA, you will need to import the new CA certs into cacerts

This assumes only the issuing and intermediate CAs changed, that the issuing CA cert is in /tmp/IssuingCA.cer and the intermediate CA cert in /tmp/InterCA.cer, and that the aliases you want to use are NEW_ISSUING_CA and NEW_INTER_CA.



/opt/arcsight/manager/bin/arcsight keytool -importcert -alias NEW_ISSUING_CA -file /tmp/IssuingCA.cer -store clientcerts -keystore /opt/arcsight/manager/jre/lib/security/cacerts


/opt/arcsight/manager/bin/arcsight keytool -importcert -alias NEW_INTER_CA -file /tmp/InterCA.cer -store clientcerts -keystore /opt/arcsight/manager/jre/lib/security/cacerts


Step 6:

#Import the newly received cert

/opt/arcsight/manager/bin/arcsight keytool -importcert -alias mykey -trustcacerts -file /tmp/careply.cer -store managerkeys -keystore /opt/arcsight/manager/config/jetty/keystore


Step 7:

#Update web certs: remove the old cacerts file and replace it with the new one (only needed if you changed the manager's cacerts file)

rm /opt/arcsight/web/jre/lib/security/cacerts

cp /opt/arcsight/manager/jre/lib/security/cacerts /opt/arcsight/web/jre/lib/security/cacerts


Step 8:

#Remove the old web jetty folder and copy the manager jetty folder in its place (backup already created in step 1)

rm -rf /opt/arcsight/web/config/jetty

cp -r /opt/arcsight/manager/config/jetty/ /opt/arcsight/web/config/jetty


Step 9:

#Rename the copied files so the web component uses them:

mv /opt/arcsight/web/config/jetty/keystore /opt/arcsight/web/config/jetty/webkeystore

mv /opt/arcsight/web/config/jetty/truststore /opt/arcsight/web/config/jetty/webtruststore

mv /opt/arcsight/web/config/jetty/nssdb /opt/arcsight/web/config/jetty/webnssdb


Step 10:

#Restore webserver.xml from the backup taken in step 1

cp /opt/arcsight/web/config/jetty.bak/webserver.xml /opt/arcsight/web/config/jetty/.


Step 11:

Restart the arcsight services.
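The check in steps 2 and 3 (find the PrivateKeyEntry alias and use it for the CSR, which is only mykey if the listing says so) can be scripted so the CSR is never requested against a guessed alias. This is an added example, not part of the KB article or the ArcSight tooling; the keytool listing below is constructed from the step 2 output, and the wrapper path is the one used in the article.

```shell
#!/bin/sh
# Added example (not from the KB article): derive the private-key alias for
# step 3 from the "keytool -store managerkeys -list" output of step 2, and
# refuse to continue unless the keystore holds exactly one private key.

# Sample listing, constructed for this example from the step 2 output.
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

mykey, Apr 14, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): BA:7A:A7:C0:B6:77:00:B7:E1:F6:A5:AA:92:6F:01:1D:7F:25:45:A8'

# Print the alias of every PrivateKeyEntry in a keytool listing read on stdin.
# Entry lines look like "<alias>, <date>, PrivateKeyEntry,"; trusted CA
# entries (trustedCertEntry) are ignored because they hold no private key.
private_key_aliases() {
    grep 'PrivateKeyEntry' | sed 's/,.*//'
}

# Print the single private-key alias, or fail when there is none or several:
# a CSR generated against the wrong entry would be signed for the wrong key.
select_alias() {
    aliases=$(private_key_aliases)
    count=$(printf '%s\n' "$aliases" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one PrivateKeyEntry, found $count" >&2
        return 1
    fi
    printf '%s\n' "$aliases"
}

# Build the step 3 command with the detected alias (printed, not executed,
# so it can be reviewed before running it on the manager).
certreq_command() {
    key_alias=$(select_alias) || return 1
    printf '%s\n' "/opt/arcsight/manager/bin/arcsight keytool -store managerkeys -certreq -alias $key_alias -file /tmp/certrequest.csr"
}

# Stand-alone run against the constructed sample. On a real system pipe the
# live listing instead:
#   /opt/arcsight/manager/bin/arcsight keytool -store managerkeys -list | certreq_command
printf '%s\n' "$SAMPLE_LISTING" | certreq_command
```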