The SSL certificates used to establish a secure HTTPS connection with the LKWMC can be replaced with custom user-provided certificates.

In the LKWMC, SSL/TLS is used for communication between the web browser and the REST API, and between the REST API and LifeKeeper Core. A default certificate is installed that enables a certain level of identity verification between nodes. This page explains how to replace the default certificate with a certificate created by the organization’s own Certificate Authority (CA).

How to use the Certificate

The following two certificate files are used:

  • <LKROOT>\cert\LKValidNode.pem (server certificate)
  • <LKROOT>\cert\LKCA.pem (certificate authority)

To pass the server’s validation, the initial certificate must be signed by the CA certificate. The certificate’s common name is not validated. Note that the certificate is only signed by the CA.

How to use a Custom Certificate

Depending on the operational environment, you may need to replace the default certificates with certificates created by an internal CA or a commercial CA. In that case, replace the two certificate files listed above with new certificates that use the same file names. The certificates are in PEM format. LKValidNode.pem contains both the key and the certificate, and it is a server-type certificate.

If you replace the default certificate, you must restart the following two services for the changes to take effect:

  • LifeKeeper REST API
  • LifeKeeper Web Management Console

If the certificate settings are incorrect, the service will fail to start and an error will be recorded in the Windows event log. If problems occur, refer to the event log.
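The replacement procedure above as a PowerShell script, added here as an example and not taken from the product documentation. It checks the staged files before touching the live ones, because a bad certificate stops the services from starting. Assumptions: `$LkRoot` stands in for `<LKROOT>`, `$NewDir` is a hypothetical staging folder, the two service names listed above are display names, and the errors are written to the Application log.

```powershell
# Added example. Assumptions: $LkRoot stands in for <LKROOT>, $NewDir is a staging folder,
# the page's two service names are display names, errors go to the Application log.
param(
    [string]$LkRoot = 'C:\PLACEHOLDER-LKROOT',
    [string]$NewDir = 'C:\PLACEHOLDER-staging'
)
$ErrorActionPreference = 'Stop'
$names    = 'LKValidNode.pem', 'LKCA.pem'
$services = 'LifeKeeper REST API', 'LifeKeeper Web Management Console'

function Get-PemCertificate([string]$Path) {   # decode the first CERTIFICATE block
    $m = [regex]::Match((Get-Content -Raw -Path $Path), '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----', 'Singleline')
    if (-not $m.Success) { throw "$Path has no CERTIFICATE block" }
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}

# 1. Pre-flight on the staged files: key present, certificate signed by the staged CA.
$serverPath = Join-Path $NewDir 'LKValidNode.pem'
if ((Get-Content -Raw $serverPath) -notmatch '-----BEGIN [A-Z ]*PRIVATE KEY-----') { throw 'LKValidNode.pem must contain the private key as well as the certificate' }
$server = Get-PemCertificate $serverPath
$ca     = Get-PemCertificate (Join-Path $NewDir 'LKCA.pem')
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'  # CA need not be in the Windows store
[void]$chain.ChainPolicy.ExtraStore.Add($ca)
$built = $chain.Build($server)   # still fails on a bad signature or an expired certificate
$viaCa = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }) -contains $ca.Thumbprint
if (-not ($built -and $viaCa)) { throw 'LKValidNode.pem is not validly signed by the staged LKCA.pem' }

# 2. Back up the live files (the backup holds a private key, so it stays under
#    the cert directory), then replace them under the same file names.
$certDir = Join-Path $LkRoot 'cert'
$backup  = Join-Path $certDir ('backup-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $backup | Out-Null
foreach ($n in $names) {
    Copy-Item (Join-Path $certDir $n) $backup
    Copy-Item (Join-Path $NewDir $n) (Join-Path $certDir $n) -Force
}

# 3. Restart both services; always show their state and any new Error events.
$started = Get-Date
try { Restart-Service -DisplayName $services }
finally {
    Get-Service -DisplayName $services | Format-Table DisplayName, Status | Out-Host
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2; StartTime = $started } -ErrorAction SilentlyContinue |
        Format-List TimeCreated, ProviderName, Message | Out-Host
}
```

To roll back, copy the two files from the backup folder over the live ones and restart the services again.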
