Manually Updating the CA Certificate on a Data Encrypted VM

When you install a new SSL certificate on Cryptographic Security Platform Vault, Cryptographic Security Platform Vault automatically pushes the matching CA certificate to all registered VMs. If a data-drive encrypted VM was inaccessible during that push (powered off, disconnected, or otherwise unable to reach Cryptographic Security Platform Vault), its copy of the CA certificate is never refreshed. The stale CA certificate cannot verify the new Cryptographic Security Platform Vault SSL certificate, so the VM rejects the TLS connection, cannot retrieve its encryption keys, and its encrypted data drives become inaccessible.

To fix this issue you need to manually update the CA certificate on the VM so that it can verify the SSL certificate Cryptographic Security Platform Vault is currently using. This allows the VM to verify Cryptographic Security Platform Vault's identity and to retrieve the appropriate keys.

The following procedure is for VMs with encrypted data drives only. For other types of VMs, see Manually Updating the CA Certificate on a Windows Boot Drive Encrypted VM or Manually Updating the CA Certificate on a Linux Root Drive Encrypted VM.

Procedure 

  1. If you need a copy of the CA certificate that can verify the SSL certificate that Cryptographic Security Platform Vault is currently using: 

    1. Log into the Cryptographic Security Platform Vault for VM Encryption using an account with Cloud Admin privileges.
    2. In the top menu bar, click Workloads.
    3. Select Actions > Download CA Certificate.

      The Cryptographic Security Platform Vault for VM Encryption downloads a .pem file to your browser's default download location.

    Note: If you are using an externally signed SSL certificate for Cryptographic Security Platform Vault, make sure that you use the CA certificate you download from the Cryptographic Security Platform Vault for VM Encryption on all registered VMs. Do not use the CA certificate that you received from the external certificate authority.

  2. For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
  3. Copy the Cryptographic Security Platform Vault for VM Encryption CA certificate pem file to the VM.
  4. Enter the command hcl update_ca -f /path/to/cert.pem, where /path/to/cert.pem is the path to the CA certificate file.

    # hcl update_ca -f /etc/ssl/certs/171012172410_cacert.pem
    Updating using cert file at: 171012172410_cacert.pem
    Updated CA certificate
  5. Enter the command hcl heartbeat to prompt the VM to contact Cryptographic Security Platform Vault. This updates the status information for the VM.
  6. Enter the command hcl status to confirm that the last heartbeat between the VM and Cryptographic Security Platform Vault was successful. If the last heartbeat still shows as failed, check that the file you copied in step 3 is the CA certificate downloaded from the Cryptographic Security Platform Vault for VM Encryption in step 1 (not an older copy, and not the certificate from an external certificate authority), then repeat steps 4 and 5.
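The script below is an added example for a Linux VM; it is not part of this page and not the vendor's own tooling. It wraps steps 3 to 6 and, before calling hcl update_ca, checks two things a practitioner wants to know in advance: that the file really is a valid, unexpired CA certificate, and that it verifies the certificate Cryptographic Security Platform Vault is serving right now (fetched with openssl s_client). The second check catches the mistake called out in the note above, copying the external certificate authority's CA certificate instead of the one downloaded from the Cryptographic Security Platform Vault for VM Encryption. The Vault hostname and port, the script name, and the make_test_pki helper (which builds a throwaway CA, a leaf it signed and an unrelated CA, so the checks can be exercised offline with constructed data) are assumptions. The exact wording of hcl status output is not given on this page, so the script prints it for you to inspect rather than parsing it.

```shell
#!/usr/bin/env bash
# update_vault_ca.sh: added example, not the vendor's tooling.
# Validates the CA certificate, then runs the documented hcl steps.
# Assumed: the hcl CLI is on PATH and this runs as root on the Linux VM.
set -eu

# pem_is_ca FILE: succeeds if FILE is an unexpired X.509 certificate that
# carries basicConstraints CA:TRUE, i.e. something that can act as a trust anchor.
pem_is_ca() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 1
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ca_verifies_leaf CA_PEM LEAF_PEM: succeeds if CA_PEM validates LEAF_PEM.
ca_verifies_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fetch_served_cert HOST PORT OUT: saves the certificate HOST:PORT presents
# right now; this is what the VM's hcl agent has to be able to verify.
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# make_test_pki DIR: constructed test data, not real Vault certificates.
# Builds a CA, a leaf signed by it, and an unrelated CA so the checks above
# can be exercised without a Vault to talk to.
make_test_pki() {
    local d=$1
    cat >"$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -subj '/CN=Constructed Vault CA' -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$d/ca.cnf" \
        -subj '/CN=Unrelated CA' -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
        -subj '/CN=vault.example.internal' -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
}

# main CA_PEM [HOST] [PORT]: the manual procedure with the checks in front.
main() {
    local ca_pem=$1 host=${2:-vault.example.internal} port=${3:-443}
    local served
    served=$(mktemp)
    trap 'rm -f "$served"' EXIT

    pem_is_ca "$ca_pem" || { echo "$ca_pem is not a valid, unexpired CA certificate" >&2; exit 1; }
    fetch_served_cert "$host" "$port" "$served"
    ca_verifies_leaf "$ca_pem" "$served" || {
        echo "$ca_pem does not verify the certificate $host:$port is serving;" >&2
        echo "use the CA certificate downloaded from Vault, not the external CA's" >&2
        exit 1
    }
    hcl update_ca -f "$ca_pem"   # step 4
    hcl heartbeat                # step 5
    hcl status                   # step 6: inspect the last-heartbeat line
}

# Usage: ./update_vault_ca.sh /root/171012172410_cacert.pem vault.example.internal 443
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it with the downloaded .pem as the first argument; with no arguments it only defines the functions, so you can source it and call make_test_pki on a temporary directory to see pem_is_ca and ca_verifies_leaf accept the constructed CA and reject the unrelated one.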