How to generate a new set of self-signed certs for the Portal without having to reconfigure it completely
How to regenerate self-signed certs with a new expiration date
How to regenerate self-signed certs with new/additional SAN entries
All supported releases
You cannot update a self-signed certificate in place: the expiration date and SAN entries are part of the signed certificate itself. The only way to "update" an environment using one when it expires is to generate a new one.
You can do this either via SslConfig, if a single SAN entry for the hostname is sufficient, or manually as listed below if you need more than one SAN:
1. Identify the current keystore's name, password, and alias of the keypair within
2. Create a new keystore with the below command, ensuring the above items align:
/opt/CA/jre/bin/keytool -genkeypair -noprompt -dname "CN=<FQHN>, OU=<ORGANIZATIONAL_UNIT>, O=<ORGANIZATION>, L=<LOCATION/CITY>, S=<STATE>, C=<2_LETTER_COUNTRY_CODE>" -keystore /tmp/<KEYSTORE_NAME> -storepass <KEYSTORE_PASSWORD> -keyalg RSA -keysize 2048 -keypass <KEYSTORE_PASSWORD> -ext SAN=dns:<FQHN>,ip:<IP_ADDRESS> -validity 365 -alias <ALIAS NAME>
3. Export the cert just created
/opt/CA/jre/bin/keytool -exportcert -keystore /tmp/<KEYSTORE_NAME> -storepass <KEYSTORE_PASSWORD> -alias <ALIAS NAME> -file /tmp/new_cert.cer
4. Import the cert into Portal's cacerts (and into Spectrum's keystore if necessary)
/opt/CA/jre/bin/keytool -importcert -cacerts -storepass <KEYSTORE_PASSWORD> -alias portal<date> -file /tmp/new_cert.cer
5. Stop all 4 caperfcenter_* services
6. Move the existing keystore out of the way:
mv /opt/CA/PerformanceCenter/jetty/etc/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore.bak
7. Copy the new keystore into place:
cp /tmp/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore
8. Start all 4 caperfcenter_* services
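Before stopping the services in step 5, it is worth confirming that the keystore from step 2 carries every SAN entry and the expiration date you intended. The following is an added example, not part of the original article: the function names are hypothetical, and the sample listing is constructed to follow the layout of `keytool -list -v` output.

```shell
#!/bin/sh
# Added example: checks the SAN entries and expiry shown by `keytool -list -v`.
# Function names are hypothetical; the listing below is constructed sample data.

sample_listing() {
cat <<'EOF'
Alias name: portal
Entry type: PrivateKeyEntry
Owner: CN=portal.example.com, OU=IT, O=Example, L=City, ST=State, C=US
Valid from: Fri Jan 05 10:00:00 UTC 2024 until: Sat Jan 04 10:00:00 UTC 2025

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: portal.example.com
  DNSName: portal
  IPAddress: 192.0.2.10
]
EOF
}

# Read a listing on stdin; print each SAN as dns:<name> or ip:<addr>,
# the same notation used with -ext SAN= in step 2.
san_entries() {
  awk '
    /^SubjectAlternativeName \[/ { in_san = 1; next }
    in_san && /^\]/              { in_san = 0 }
    in_san && /DNSName:/         { print "dns:" $2 }
    in_san && /IPAddress:/       { print "ip:" $2 }
  '
}

# Read a listing on stdin; print every required entry (arguments) that is absent.
missing_sans() {
  found=$(san_entries)
  for want in "$@"; do
    printf '%s\n' "$found" | grep -qxF -- "$want" || printf '%s\n' "$want"
  done
}

# Read a listing on stdin; print the certificate's expiration date.
not_after() {
  sed -n 's/^Valid from: .* until: //p' | head -n 1
}

# Demo on the constructed sample. Against the real keystore, pipe in:
#   /opt/CA/jre/bin/keytool -list -v -keystore /tmp/<KEYSTORE_NAME> \
#     -storepass <KEYSTORE_PASSWORD> -alias <ALIAS NAME>
sample_listing | not_after
sample_listing | missing_sans dns:portal.example.com dns:portal-dr.example.com
```

An empty result from `missing_sans` means every required entry is present in the new certificate.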