Recently I experienced a problem with my vRealize Log Insight cluster that I had imported into vRealize Lifecycle Manager (vRSLCM). I wanted to extend my cluster by one additional node, but that was not possible because vRSLCM requires an SSL certificate for Log Insight in Locker to proceed with the installation. I had a CA-signed certificate, but my private key was missing.

Here is how you can recover your private key from the Log Insight keystore. Log in to the vRLI appliance master node as root via SSH or the console (press ALT+F1 in the console to log in).

First, look in the /storage/core/loginsight/config/ directory and note the loginsight-config.xml# file with the highest number. Then run the following command against that file and note the keystore password it prints:

 cat /storage/core/loginsight/config/loginsight-config.xml#65 | grep keystore

Now change to the following directory:

 cd /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.65/conf/

Find your certificate alias:

  /usr/java/default/bin/keytool -list -keystore keystore

In my case the alias is tomcat. Export the certificate for that alias:

  /usr/java/default/bin/keytool -exportcert -keystore keystore -rfc -alias tomcat -file /tmp/rootcert.pem

Next you have to extract the private key, but keytool is not able to do that. The solution is to convert your keystore to PKCS12 with the following command:

/usr/java/default/bin/keytool -importkeystore -srckeystore keystore -destkeystore /tmp/keystorepkcs12.p12 -deststoretype PKCS12

After successfully converting your keystore, you can read your private key with the OpenSSL tools. Try the following command:

openssl pkcs12 -in /tmp/keystorepkcs12.p12 -nocerts -nodes

Now you should have your CA-signed certificate and private key to import into your vRealize Lifecycle Manager.
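
The last two steps can also be run so that the unencrypted key goes into an owner-only file instead of the terminal, and so that the key is checked against the certificate before both are imported into vRSLCM. This is an added example, not part of the original post; the function names, the server.key and server.crt file names and the P12_PASS environment variable are assumptions of the example.

```bash
#!/bin/sh
# Added example. Assumes the keystore password is exported as P12_PASS,
# so it never appears on a command line or in the process list.

# Print the SHA-256 of the public key held in a private key or certificate.
pubkey_digest() {   # $1 = "key" or "cert", $2 = PEM file
    if [ "$1" = key ]; then
        _pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    else
        _pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    fi
    printf '%s\n' "$_pub" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if the private key belongs to the certificate, 1 if it does not,
# 2 if either file cannot be parsed.
key_matches_cert() {   # $1 = private key PEM, $2 = certificate PEM
    _k=$(pubkey_digest key "$1") || return 2
    _c=$(pubkey_digest cert "$2") || return 2
    [ -n "$_k" ] && [ "$_k" = "$_c" ]
}

# Extract key and leaf certificate from the converted PKCS12 file, then verify
# that they match. Returns 2 if extraction fails (for example, wrong password).
extract_and_verify() {   # $1 = PKCS12 file, $2 = existing output directory
    (
        umask 077    # new server.key and server.crt are created owner-only (0600)
        openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
            -out "$2/server.key" &&
        openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys \
            -out "$2/server.crt"
    ) 2>/dev/null || return 2
    key_matches_cert "$2/server.key" "$2/server.crt"
}

# Usage on the appliance (paths from the steps above):
#   export P12_PASS='<keystore password>'
#   mkdir -m 700 /root/vrli-cert
#   extract_and_verify /tmp/keystorepkcs12.p12 /root/vrli-cert && echo "key matches"
```

key_matches_cert can also be pointed at /tmp/rootcert.pem from the keytool export. Once the import into Locker has succeeded, delete /tmp/keystorepkcs12.p12 and the extracted key from the appliance.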