KB Article #180319

How to manually update Gateway certificates after PassPort 2019 certificate renewal?

Problem

How to manually update Secure Relay certificates after PassPort 2019 certificate renewal?

Resolution


Once Passport is updated, the new root certificate must be configured manually in the UI. The certificate is delivered with the samples.

6.17.3 SP3 - Delivered in GA on March 28, 2019 - new root certificate delivered as sample.
6.16.1 SP8 - Will be delivered in GA on May 30, 2019 - new root certificate delivered as sample.
Deliverables to be combined with procedure, see Comments column.
Here is the procedure:

This procedure should be applied when Gateway is used with Passport that was updated to SP20 (delivering the new certificate chain).

  1. Install Gateway 6.16.1 SP8 (or 6.17.3 SP3), which ships the new common root certificate provided by Passport.
  2. Configure Passport AM in Gateway.

If Gateway is not registered in PassPort, follow these steps:

  • Configure the Passport CA certificate to use the new sample PassportRootCa.crt
  • pelencpass encrypt_pass -encis test -encpwd System01 -saltf %p_database%\pploginsalt.dat -dkf %p_database%\pplogindk.dat -encf %p_database%\pploginpass.dat (where System01 is the password for the user system)
  • pelencpass encrypt_pass -encis test -encpwd secret -saltf %p_home_dir%\extras\PassPort\ppsssalt.dat -dkf %p_home_dir%\extras\PassPort\ppssdk.dat -encf %p_home_dir%\extras\PassPort\ppss.dat (where secret is the shared secret from PassPort)
  • pelencpass encrypt_pass -encis test -encpwd something -saltf %p_database%\ppcertsalt.dat -dkf %p_database%\ppcertdk.dat -encf %p_database%\ppcertpass.dat
  • peluconf set -s monitor security 3
  • Restart Gateway

If Gateway is already registered in PassPort, it's enough to: