Back up and restore certificates


It is important to keep a backup of the certificates for the management server on which the certificate server runs. Otherwise, if the management server's certificates are lost or corrupted, you need to reissue every node certificate.

You can back up the certificates to files, which you should remove from the management server and store securely. You need to back up three certificates from the management server: the management server certificate, the trusted certificate(s), and the node certificate.

To back up certificates

  1. Back up the management server certificate using the following command:

    ovcm -exportcacert -file <file> [-pass <pass_phrase>]
    

    The command generates a file with the name that you specify. If you specify the -pass option and the pass phrase contains spaces, surround it with quotation marks (""). If you omit the -pass option, the command prompts you for a password.

  2. Back up the trusted certificate(s) to a file using the following command:

    ovcert -exporttrusted -ovrg server -file <file>
    

    The command generates a file with the name that you specify.

  3. Find the alias of the node certificate using the following command:

    ovcert -list -ovrg server
    

    The alias of the node certificate is the long sequence of characters that appears under the heading "Certificates". For example:

    +---------------------------------------------------------+
    | Keystore Content (OVRG: server) |
    +---------------------------------------------------------+
    | Certificates: |
    | cdc7b5a2-9dd6-751a-1450-eb556a844b55 (*) |
    +---------------------------------------------------------+
    | Trusted Certificates: |
    | CA_cdc7b5a2-9dd6-751a-1450-eb556a844b55 (*) |
    +---------------------------------------------------------+

    Back up the node certificate using the following command:

    ovcert -exportcert -file <file> -alias <alias> [-pass <pass_phrase>]
    

    The command generates files with the names that you specify. If you specify the -pass option and the pass phrase contains spaces, surround it with quotation marks (""). If you omit the -pass option, the command prompts you for a password.
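The three backup steps above combined into one script, added here as an example and not part of the product's own documentation: it reads the node certificate alias out of the `ovcert -list` output and exports all three certificates into a directory that only the current user can read. The function names, output file names and directory layout are assumptions; the `-pass` option is omitted so that each export prompts for the pass phrase instead of exposing it in the process list or shell history.

```shell
#!/bin/sh
# Added example; function names and output file names are assumptions.

# Read an "ovcert -list -ovrg server" listing on stdin and print the node
# certificate alias: the first entry under "Certificates:", never the CA_
# entry under "Trusted Certificates:". Prints nothing if no entry exists.
node_alias() {
    awk '
        /^[ \t]*[|][ \t]*Certificates:/         { in_certs = 1; next }
        /^[ \t]*[|][ \t]*Trusted Certificates:/ { in_certs = 0; next }
        /^[ \t]*[+]/                            { next }  # box border line
        in_certs && NF >= 3 && !found           { print $2; found = 1 }
    '
}

# Export the management server, trusted and node certificates into
# directory $1. Runs in a subshell so the restrictive umask does not leak
# into the calling shell.
backup_certs() {
    dest=$1
    (
        umask 077                      # new directory 0700, new files 0600
        mkdir -p "$dest" || exit 1

        node=$(ovcert -list -ovrg server | node_alias)
        if [ -z "$node" ]; then
            echo "backup_certs: no node certificate alias found" >&2
            exit 1
        fi

        # No -pass option: each command prompts for the pass phrase.
        ovcm   -exportcacert -file "$dest/management-server.cert" || exit 1
        ovcert -exporttrusted -ovrg server -file "$dest/trusted.cert" || exit 1
        ovcert -exportcert -file "$dest/node.cert" -alias "$node" || exit 1
    )
}
```

Call `backup_certs <directory>` on the management server, then move the directory off the server to secure storage as described above.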

To restore certificates

  1. Restore the management server certificate using the following command:

    ovcm -importcacert -file <file> [-pass <pass_phrase>]
    

    The command restores the certificate from a file with the name that you specify. To restore the certificate, you need the pass phrase that was used to create the file. If you specify the -pass option and the pass phrase contains spaces, surround it with quotation marks (""). If you omit the -pass option, the command prompts you for the password.

  2. Restore the trusted certificate using the following command:

    ovcert -importtrusted -file <file>
    
  3. Restore the node certificate using the following command:

    ovcert -importcert -file <file> [-pass <pass_phrase>]
    

    The command imports the certificates from the file.