Manually Updating the CA Certificate on a Data Encrypted VM

When you install a new SSL certificate on KeyControl Vault, KeyControl Vault automatically updates the associated CA certificate on all registered VMs. If a data-drive encrypted VM was powered off or otherwise unreachable during this process, its encrypted drives may become inaccessible, because the CA certificate the VM still holds can no longer verify the KeyControl Vault SSL certificate. The VM therefore cannot verify the communication coming from KeyControl Vault and cannot retrieve the keys it needs.

To fix this issue you need to manually update the CA certificate on the VM so that it can verify the SSL certificate KeyControl Vault is currently using. This allows the VM to verify KeyControl Vault's identity and to retrieve the appropriate keys.

The following procedure is for VMs with encrypted data drives only. For other types of VMs, see Manually Updating the CA Certificate on a Windows Boot Drive Encrypted VM or Manually Updating the CA Certificate on a Linux Root Drive Encrypted VM.

Procedure

  1. If you need a copy of the CA certificate that can verify the SSL certificate that KeyControl Vault is currently using: 

    1. Log into the KeyControl webGUI using an account with Cloud Admin privileges.
    2. In the top menu bar, click Cloud.
    3. Select Actions > Download CA Certificate.

      KeyControl Vault downloads the CA certificate as a .pem file to your browser's default download location.

    Note: If you are using an externally signed SSL certificate for KeyControl Vault, make sure that you use the CA certificate you download from KeyControl Vault on all registered VMs. Do not use the CA certificate that you received from the external certificate authority.

  2. For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
  3. Copy the KeyControl Vault CA certificate pem file to the VM.
  4. Enter the command hcl update_ca -f /path/to/cert.pem, where /path/to/cert.pem is the path to the CA certificate file.

    # hcl update_ca -f /etc/ssl/certs/171012172410_cacert.pem

    Updating using cert file at: 171012172410_cacert.pem
    Updated CA certificate
  5. Enter the command hcl heartbeat to prompt the VM to contact KeyControl Vault. This updates the status information for the VM.
  6. Enter the command hcl status to confirm that the last heartbeat between the VM and KeyControl Vault was successful.
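The shell script below is an added example that is not part of the KeyControl documentation. It wraps steps 4 to 6 of the procedure (hcl update_ca, hcl heartbeat, hcl status) in two checks a practitioner would want before replacing the CA certificate on a production VM: the file being installed is actually a CA certificate (basicConstraints CA:TRUE), and that CA verifies the certificate KeyControl Vault is serving right now. The host name keycontrol.example.com, the use of TCP port 443, and the presence of openssl on the VM are assumptions; the hcl commands and the certificate path are the ones from the procedure above.

```shell
#!/bin/sh
# Added example (not KeyControl's own code): sanity-check a downloaded
# KeyControl Vault CA certificate before installing it with hcl.
# Assumptions: openssl is installed on the VM, KeyControl Vault serves HTTPS on
# port 443, and hcl is on PATH as in the procedure above.

# pem_is_ca_cert FILE
# Returns 0 if FILE parses as a PEM X.509 certificate whose basicConstraints
# say CA:TRUE, i.e. it is a CA certificate and not a server (leaf) certificate.
pem_is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# ca_verifies_leaf CAFILE LEAFFILE
# Returns 0 if the certificate in LEAFFILE chains to the CA in CAFILE.
ca_verifies_leaf() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fetch_server_cert HOST PORT OUTFILE
# Saves the certificate HOST currently presents on PORT to OUTFILE (PEM).
fetch_server_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM -out "$3" 2>/dev/null
}

# update_vm_ca CAFILE KEYCONTROL_HOST [PORT]
# Steps 4-6 of the procedure, preceded by two checks: CAFILE must be a CA
# certificate, and it must verify the certificate KeyControl Vault serves now.
# Refuses (exit 1) without touching the VM if either check fails.
update_vm_ca() {
    ca="$1"; host="$2"; port="${3:-443}"
    leaf="$(mktemp)" || return 1

    if ! pem_is_ca_cert "$ca"; then
        echo "refusing: $ca is not a CA certificate (expected CA:TRUE)" >&2
        rm -f "$leaf"; return 1
    fi
    if ! fetch_server_cert "$host" "$port" "$leaf"; then
        echo "refusing: could not fetch the certificate from $host:$port" >&2
        rm -f "$leaf"; return 1
    fi
    if ! ca_verifies_leaf "$ca" "$leaf"; then
        echo "refusing: $ca does not verify the certificate served by $host:$port" >&2
        rm -f "$leaf"; return 1
    fi
    rm -f "$leaf"

    # Steps 4, 5 and 6: install the CA, force a heartbeat, show the result.
    hcl update_ca -f "$ca" && hcl heartbeat && hcl status
}

# Usage on the VM (host name is a hypothetical placeholder):
#   update_vm_ca /etc/ssl/certs/171012172410_cacert.pem keycontrol.example.com
```

Run it as root on the Linux VM after copying the .pem file over (step 3). The script prints the hcl status output unchanged, so the last-heartbeat check in step 6 is still read by the operator; it deliberately does not try to parse that output, because the format is not documented on this page. The verification step is what catches the mistake the Note above warns about: a CA certificate obtained from the external certificate authority rather than downloaded from KeyControl Vault will not verify the certificate the Vault actually presents, and the script stops before replacing the VM's working copy.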