Manually Updating the CA Certificate on a Data Encrypted VM
When you install a new SSL certificate on KeyControl, KeyControl automatically updates the associated CA certificate on all registered VMs. If a data-drive encrypted VM was inaccessible during this process, the encrypted drives may become inaccessible because the CA certificate the VM is using can no longer verify the KeyControl SSL certificate. This means that the VM cannot retrieve the proper keys from KeyControl because it cannot verify the communication coming from KeyControl.
To fix this issue you need to manually update the CA certificate on the VM so that it can verify the SSL certificate KeyControl is currently using. This allows the VM to verify KeyControl's identity and to retrieve the appropriate keys.
The following procedure is for VMs with encrypted data drives only. For other types of VMs, see Manually Updating the CA Certificate on a Windows Boot Drive Encrypted VM or Manually Updating the CA Certificate on a Linux Root Drive Encrypted VM.
Procedure
- If you need a copy of the CA certificate that can verify the SSL certificate that KeyControl is currently using:
  - Log into the KeyControl Vault for VM Encryption using an account with Cloud Admin privileges.
  - In the top menu bar, click Workloads.
  - Select Actions > Download CA Certificate. The KeyControl Vault for VM Encryption downloads a .pem file to your browser's default download location.
  Note: If you are using an externally signed SSL certificate for KeyControl, make sure that you use the CA certificate you download from the KeyControl Vault for VM Encryption on all registered VMs. Do not use the CA certificate that you received from the external certificate authority.
- Log into the VM. For Linux, log in as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
- Copy the .pem file to the VM.
- Enter the command hcl update_ca -f /path/to/cert.pem, where /path/to/cert.pem is the path to the CA certificate file. For example:
  # hcl update_ca -f /etc/ssl/certs/171012172410_cacert.pem
  Updating using cert file at: 171012172410_cacert.pem
  Updated CA certificate
- Enter hcl heartbeat to prompt the VM to contact KeyControl. This updates the status information for the VM.
- Enter hcl status to confirm that the last heartbeat between the VM and KeyControl was successful.
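The steps above, wrapped in a POSIX shell script for a Linux VM as an added example (not part of the KeyControl documentation): before it calls hcl update_ca, it fetches the certificate KeyControl is currently serving and checks with openssl that the downloaded CA file actually verifies it, which catches the wrong-CA-file mistake the note above warns about. It assumes openssl is installed on the VM, that KeyControl's web interface listens on port 443, and the hcl commands as shown on this page.

```shell
#!/bin/sh
# Added example; not Entrust/KeyControl code. Assumes openssl on the VM,
# KeyControl reachable on TCP 443, and the hcl CLI from the procedure above.

# Return 0 if CA file $1 verifies the PEM certificate in file $2.
ca_verifies_server() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Save the leaf certificate that host $1 is presently serving into file $2.
fetch_server_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$2" 2>/dev/null
}

# Update the VM's CA certificate only if the file really verifies KeyControl.
#   $1 = KeyControl hostname, $2 = path to the downloaded CA .pem
update_vm_ca() {
  kc_host="$1"; ca_file="$2"
  [ -r "$ca_file" ] || { echo "CA file $ca_file not readable" >&2; return 1; }
  served=$(mktemp) || return 1
  if ! fetch_server_cert "$kc_host" "$served" || ! [ -s "$served" ]; then
    echo "could not fetch the certificate served by $kc_host" >&2
    rm -f "$served"; return 1
  fi
  if ! ca_verifies_server "$ca_file" "$served"; then
    # Typical cause: the CA from the external authority was used instead of
    # the CA downloaded from the KeyControl Vault for VM Encryption.
    echo "$ca_file does not verify the certificate $kc_host is serving" >&2
    rm -f "$served"; return 1
  fi
  rm -f "$served"
  hcl update_ca -f "$ca_file" || return 1   # install the CA certificate
  hcl heartbeat || return 1                  # force a contact with KeyControl
  hcl status                                 # confirm the last heartbeat succeeded
}

# Run only when invoked with arguments, e.g.:
#   sh update_ca.sh keycontrol.example.com /root/171012172410_cacert.pem
if [ $# -ge 2 ]; then
  update_vm_ca "$1" "$2"
fi
```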