Change Groundplex certificate

Groundplexes have self-signed CA certificates. This certificate works for client validation if the client is configured to accept all certificates or if the load balancer distributing requests to Groundplex nodes:

  • Has a CA certificate
  • Is configured to terminate connections

If your clients or load balancer can't be configured in this way, you need to use your own CA certificate on your Groundplexes. Use either a wildcard certificate or a unique certificate per node, update the keystore on each Snaplex node, and restart it.

To update the certificate on a node:

  1. Create a backup copy of the /etc/snaplogic/jcc-serverkeys.jks file.
  2. Concatenate your certificate's PEM-encoded files into a single file:



    CA-SIGNED-PEM is the CA-signed TLS (SSL) certificate (PEM encoded).

    CA-INTERMEDIATE-PEM is the CA intermediate certificate (PEM encoded).

    CA-ROOT-PEM is the CA root certificate (PEM encoded).

  3. Use the following openssl command to generate a key_no_pass.pem. If there is a password associated with the private key, you must provide it to generate key_no_pass.pem:
    $ openssl rsa -in PRIVATE_KEY -out key_no_pass.pem


    PRIVATE_KEY is the private key used to create the CSR (PEM encoded).

  4. Use the following openssl command to generate the PFX file:
    $ openssl pkcs12 -inkey key_no_pass.pem -in sl-ca-chain.pem -export -out sl-ca-chain.p12 -name jetty -password $(cat /etc/snaplogic/jcc-serverkeys.pass)
  5. Use the keytool command to import the PFX file into jcc-serverkeys.jks:
    $ keytool -importkeystore -srckeystore PATH-TO-SL-CA-CHAIN-P12 -srcstoretype PKCS12 -srcstorepass $(cat /etc/snaplogic/jcc-serverkeys.pass) -destkeystore /etc/snaplogic/jcc-serverkeys.jks -deststoretype JCEKS -deststorepass $(cat /etc/snaplogic/jcc-serverkeys.pass)


    PATH-TO-SL-CA-CHAIN-P12 is the absolute path to the sl-ca-chain.p12 file created earlier.

  6. Use the SnapLogic Dashboard to restart the Groundplex node. Check to make sure that the node enters a steady state and allow time for running Pipelines to complete.

  7. (Optional) Use the openssl command to verify that the TLS (SSL) certificate served by the node matches the CA-signed TLS (SSL) certificate.

    $ openssl s_client -connect localhost:SECURE-PORT


    SECURE-PORT is 8081 (default) for a Groundplex or 8084 (default) for a FeedMaster node.

  8. Repeat Steps 1 through 7 for all applicable nodes.