Renewing a VM Certificate
If you have disabled the KeyControl Vault for VM Encryption auto-certificate renewal feature, you can reauthenticate a VM with a new certificate manually through the CLI or the KeyControl Vault for VM Encryption webGUI.
Note: This procedure updates the VM's certificate with KeyControl Vault for VM Encryption. If you need to update the KeyControl Vault for VM Encryption certificate stored on the VM, see Manually Updating the CA Certificate on a Data Encrypted VM.

- For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
- Enter the command

  hcl updatecert -a [-u username -p password] [-e certificate expiration]

  where:

  -a tells hcl to contact KeyControl to get the new certificate.
  -u is a KeyControl user account with Cloud Admin privileges. If you do not enter a user account name you will be prompted for one.
  -p is the password for the KeyControl user account. If you do not enter a password you will be prompted for one.
  -e is the certificate expiration date in the format MM/DD/YYYY. If you do not enter an expiration date, KeyControl uses the default date set in the Certificate Expiration option for the Cloud VM Set that this VM belongs to. The default is one year from the creation date.

  For example:

  # hcl updatecert -a -u CloudAdmin -p password -e 06/30/2025

- Log into the KeyControl Vault for VM Encryption using an account with Cloud Admin privileges.
- In the top menu bar, click Workloads.
- Select the VM for which you want to renew the certificate.
  Important: If the VM is located in the Unauthenticated VMs tab, then you will need to run the Rescue Authentication command in the KeyControl Vault Management webGUI before you can renew the certificate. This command resets the authentication and will move the VM back to the VMs tab. For more details, see Re-Authenticating a VM with an Encrypted Root Device or Boot Disk.
- Select Actions > Renew Certificate.
- In the Renew Certificate dialog box, enter the passphrase for the certificate. This passphrase is optional but recommended for added security.
- If desired, change the default certificate expiration date.
- When you are done, click Renew. KeyControl Vault for VM Encryption generates a new certificate with the .cert extension and downloads it to your browser's default download location.
  Important: Do not change the name of the certificate file. If you do, the reauthorization will fail.
- Copy the certificate to the VM.
- For Linux, log into the VM as root. For Windows, log in as a System Administrator and open a Command Prompt or start Windows PowerShell.
- Enter the command

  hcl updatecert [-p certificate_passphrase] /path/to/cert.cert

  where:

  -p is the passphrase for the certificate you specified in the KeyControl Vault for VM Encryption webGUI. If you do not enter a passphrase and the certificate requires one, you will be prompted for the passphrase.
  /path/to/cert.cert is the fully-qualified name of the certificate file you copied to the VM.

  For example:

  # hcl updatecert -p onetimepassphrase16chars /hytrust/cert.cert
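
A pre-flight wrapper for both hcl updatecert invocations above on a Linux VM, as an added example that is not vendor code. The function names are hypothetical, and it assumes -u may be given without -p, as the option descriptions imply, so that hcl prompts for the secret instead of taking it on the command line.

```shell
#!/bin/sh
# Added example (not vendor code). Uses only the hcl options shown on this page.

# valid_expiry MM/DD/YYYY [TODAY_YYYYMMDD]: 0 if a real calendar date after today.
valid_expiry() {
    case "$1" in
        [0-1][0-9]/[0-3][0-9]/2[0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    mm=${1%%/*}; rest=${1#*/}; dd=${rest%%/*}; yyyy=${rest#*/}
    m=${mm#0}; d=${dd#0}    # strip one leading zero so 08 and 09 are not read as octal
    { [ "$m" -ge 1 ] && [ "$m" -le 12 ]; } || return 1
    case "$m" in
        4|6|9|11) max=30 ;;
        2) max=28
           if [ $(($yyyy % 4)) -eq 0 ] && { [ $(($yyyy % 100)) -ne 0 ] || [ $(($yyyy % 400)) -eq 0 ]; }
           then max=29; fi ;;
        *) max=31 ;;
    esac
    { [ "$d" -ge 1 ] && [ "$d" -le "$max" ]; } || return 1
    # Assumption: an expiration that is not in the future is an operator typo.
    [ "$yyyy$mm$dd" -gt "${2:-$(date +%Y%m%d)}" ]
}

# valid_cert_path PATH: 0 if fully qualified, still ends in .cert, and is readable.
valid_cert_path() {
    case "$1" in
        /*.cert) ;;
        *) return 1 ;;
    esac
    [ -f "$1" ] && [ -r "$1" ]
}

# renew_online USER [MM/DD/YYYY]: -p is left off so hcl prompts for the password
# and it never appears in shell history or the process list.
renew_online() {
    if [ -n "$2" ]; then
        valid_expiry "$2" || { echo "invalid expiration date: $2" >&2; return 2; }
        hcl updatecert -a -u "$1" -e "$2"
    else
        hcl updatecert -a -u "$1"
    fi
}

# renew_from_file /path/to/cert.cert: hcl prompts if the certificate needs a passphrase.
renew_from_file() {
    valid_cert_path "$1" || { echo "not an absolute, readable .cert file: $1" >&2; return 2; }
    hcl updatecert "$1"
}
```

Source the file as root and call renew_online CloudAdmin 06/30/2025 or renew_from_file /hytrust/cert.cert; a failed check returns 2 before hcl is run.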