Manually Updating the CA Certificate on a Windows Boot Drive Encrypted VM
When you install a new SSL certificate on KeyControl, KeyControl automatically updates the associated CA certificate on all registered VMs. If a Windows boot-drive-encrypted VM was inaccessible during this process, the VM may be unable to boot: the CA certificate it still holds can no longer verify KeyControl's new SSL certificate, so the VM cannot authenticate KeyControl and therefore will not retrieve the keys it needs to unlock the boot drive.
To fix this issue you need to manually update the CA certificate on the VM so that it can verify the SSL certificate KeyControl is currently using. This allows the VM to verify KeyControl's identity and to retrieve the appropriate keys.
The following procedure is for Windows VMs with an encrypted boot drive. For other types of VMs, see Manually Updating the CA Certificate on a Linux Root Drive Encrypted VM or Manually Updating the CA Certificate on a Data Encrypted VM.
Procedure
- If you need a copy of the CA certificate that can verify the SSL certificate that KeyControl is currently using:
  - Log into the KeyControl Vault for VM Encryption using an account with Cloud Admin privileges.
  - In the top menu bar, click Workloads.
  - Select Actions > Download CA Certificate.
  The KeyControl Vault for VM Encryption downloads a .pem file to your browser's default download location.
  Note: If you are using an externally signed SSL certificate for KeyControl, make sure that you use the CA certificate you download from the KeyControl Vault for VM Encryption on all registered VMs. Do not use the CA certificate that you received from the external certificate authority.
- If needed, reboot the VM and wait for the Console menu to appear.
  If you are unable to view the console directly, for example in environments such as Amazon Web Services (AWS), you can access the console using an SSH client. This requires the id_rsa key file generated during the Policy Agent installation. Copy the id_rsa key file to the system you will run the SSH client from, keep its permissions restricted (for example chmod 600, otherwise the SSH client refuses to use it), and then reboot the VM.
  Tip: If you need another copy of the id_rsa key file, you can download it from the KeyControl webGUI by selecting the VM on the Cloud > VMs tab and then selecting Actions > Download Bootloader SSH Key.
- Copy the .pem file to the VM. Enter the command hcl update_ca -f /path/to/cert.pem, where /path/to/cert.pem is the path to the certificate file.
  # hcl update_ca -f /etc/ssl/certs/171012172410_cacert.pem
  Updating using cert file at: 171012172410_cacert.pem
  Updated CA certificate
- After the certificate is successfully updated, enter the command touch /opt/hcs/etc/updatecert to tell the hcl service that the certificate has changed. The hcl service then syncs the change from the Bootloader back to the client installation directory.
  # touch /opt/hcs/etc/updatecert
- Enter exit to leave the secure shell.
- In the Console menu, select Boot Windows with encryption key. KeyControl reboots the VM using the updated KeyControl certificate.
- To verify that the VM is connected to KeyControl:
  - Open a Command Prompt on the VM.
  - Enter hcl heartbeat to force the VM to communicate with KeyControl and update the connection status.
  - Enter hcl status to verify the connection status. Check that Status reads Connected, that the Last heartbeat line ends in (successful), and that the Certificate Expiration date is still in the future.
C:\users\administrator> hcl heartbeat
C:\users\administrator> hcl status
Summary
--------------------------------------------------------------------------------
KeyControl: 10.238.65.65:443
KeyControl list: 10.238.65.65:443 10.238.65.66:443
KeyControl Mapping: kc41-nodes
Status: Connected
Last heartbeat: Tue Oct 24 22:30:32 2017 (successful)
AES_NI: enabled
Certificate Expiration: Sep 11 22:16:13 2020 GMT
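The verification at the end of the procedure can be scripted so that the same check is run the same way on every VM that was repaired. The following is an added example, not part of the KeyControl documentation or of the hcl tool: a Python script intended to run on the Windows VM after it boots. It assumes Python is installed on the VM and that hcl is on the PATH; the hcl status text it parses is a constructed sample copied from the output shown above. It also carries a pre-reboot check, usable from any machine that can reach KeyControl, which confirms that the downloaded CA .pem on its own verifies the certificate KeyControl presents on port 443, so that a stale or wrong .pem is caught before the VM is rebooted with it.

```python
"""Post-update check for a KeyControl-protected Windows VM (added example).

Forces a heartbeat, parses `hcl status`, and exits non-zero if the VM is not
connected, the last heartbeat did not succeed, or the client certificate is
close to expiry. ca_verifies_keycontrol() is the pre-reboot check that the
downloaded CA .pem verifies the certificate KeyControl is actually serving.
"""
import re
import socket
import ssl
import subprocess
import sys
from datetime import datetime, timezone

# Constructed sample, modelled on the `hcl status` output shown in the page.
SAMPLE_STATUS = """Summary
--------------------------------------------------------------------------------
KeyControl: 10.238.65.65:443
KeyControl list: 10.238.65.65:443 10.238.65.66:443
KeyControl Mapping: kc41-nodes
Status: Connected
Last heartbeat: Tue Oct 24 22:30:32 2017 (successful)
AES_NI: enabled
Certificate Expiration: Sep 11 22:16:13 2020 GMT
"""

# "Key: value" lines only; requiring whitespace after the colon keeps a
# "C:\\users\\administrator>" prompt line from being read as a field.
_FIELD = re.compile(r"^([A-Za-z][A-Za-z _]*):\s+(.*\S)\s*$")


def parse_hcl_status(text):
    """Return the Summary fields of `hcl status` output as a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def heartbeat_ok(fields):
    """True if the Last heartbeat line ends in "(successful)"."""
    return fields.get("Last heartbeat", "").endswith("(successful)")


def cert_days_remaining(fields, now=None):
    """Whole days until the client certificate expires (negative once expired).

    `now` must be timezone-aware; the hcl expiration time is given in GMT.
    """
    raw = fields["Certificate Expiration"].replace(" GMT", "")
    expires = datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (expires - now).days


def assess(fields, now=None, warn_days=30):
    """List the problems found in a parsed status; an empty list means healthy."""
    problems = []
    if fields.get("Status") != "Connected":
        problems.append("Status is %r, expected Connected" % fields.get("Status"))
    if not heartbeat_ok(fields):
        problems.append("last heartbeat did not succeed: %r" % fields.get("Last heartbeat"))
    if "Certificate Expiration" in fields:
        days = cert_days_remaining(fields, now)
        if days < warn_days:
            problems.append("client certificate expires in %d day(s)" % days)
    else:
        problems.append("no Certificate Expiration field in hcl status output")
    return problems


def ca_verifies_keycontrol(ca_pem_path, host, port=443, timeout=5.0):
    """TLS handshake with KeyControl trusting only the downloaded CA .pem.

    Hostname checking is disabled on purpose: the question is whether the CA
    chain verifies, which is what the VM relies on when it talks to KeyControl.
    Returns False when the handshake fails on certificate verification.
    """
    ctx = ssl.create_default_context(cafile=ca_pem_path)  # this CA only, no system store
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False


def run_hcl(*args):
    """Run the hcl command line tool (assumed to be on PATH) and return its stdout."""
    return subprocess.run(["hcl", *args], capture_output=True, text=True, check=True).stdout


def main():
    run_hcl("heartbeat")  # force a fresh connection attempt before reading status
    fields = parse_hcl_status(run_hcl("status"))
    problems = assess(fields)
    print("KeyControl:", fields.get("KeyControl"), "Status:", fields.get("Status"))
    for p in problems:
        print("PROBLEM:", p)
    sys.exit(1 if problems else 0)


if __name__ == "__main__":
    main()
```

Run it once after the VM comes back up; a non-zero exit means the VM is still not talking to KeyControl or its client certificate is about to lapse, which is worth knowing before the next reboot rather than after it. To use the pre-reboot check, call ca_verifies_keycontrol with the path of the downloaded .pem and the KeyControl address shown on the KeyControl line of hcl status.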