How can we update a self-signed certificate?


Article ID: 281089


Updated On: 03-22-2024

Products

Network Observability CA Performance Management

Issue/Introduction

How to generate a new set of self-signed certs for the Portal without having to reconfigure it completely

How to regenerate self-signed certs with a new expiration date

How to regenerate self-signed certs with new/additional SAN entries

Environment

All supported releases

Cause

A self-signed certificate cannot be updated in place because of the way such certificates work. The only way to "update" an environment that uses one when it expires is to generate a new one.

Resolution

You can either do this via SslConfig, if a single SAN entry for the hostname is sufficient, or manually as listed below if you need more than one SAN:

1. Identify the current keystore's name, password, and the alias of the keypair within it

2. Create a new keystore with the below command, ensuring the above items align:

/opt/CA/jre/bin/keytool -genkeypair -noprompt -dname "CN=<FQHN>, OU=<ORGANIZATIONAL_UNIT>, O=<ORGANIZATION>, L=<LOCATION/CITY>, S=<STATE>, C=<2_LETTER_COUNTRY_CODE>" -keystore /tmp/<KEYSTORE_NAME> -storepass <KEYSTORE_PASSWORD> -keyalg RSA -keysize 2048 -keypass <KEYSTORE_PASSWORD> -ext SAN=dns:<FQHN>,ip:<IP_ADDRESS> -validity 365 -alias <ALIAS_NAME>

3. Export the cert just created

/opt/CA/jre/bin/keytool -exportcert -keystore /tmp/<KEYSTORE_NAME> -storepass <KEYSTORE_PASSWORD> -alias <ALIAS_NAME> -file /tmp/new_cert.cer

4. Import the cert into Portal's cacerts (and into Spectrum's keystore if necessary)

/opt/CA/jre/bin/keytool -importcert -cacerts -storepass <KEYSTORE_PASSWORD> -alias portal<date> -file /tmp/new_cert.cer

5. Stop all 4 caperfcenter_* services

6. Move the existing keystore out of the way:

mv /opt/CA/PerformanceCenter/jetty/etc/keystore /opt/CA/PerformanceCenter/jetty/etc/keystore.bak

7. Copy the new keystore into place:

cp /tmp/<KEYSTORE_NAME> /opt/CA/PerformanceCenter/jetty/etc/keystore

8. Start all 4 caperfcenter_* services
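The eight steps above collected into one script, as an added example that is not part of the article: it resolves each placeholder once, confirms the alias exists before generating anything, and inspects the new certificate's SAN entries and validity before the keystore swap. The `service` command, the sample hostname, password and dname values, and the `CAPC_SERVICES`, `EXTRA_DNS` and `EXTRA_IPS` variables are assumptions; the article does not name the four caperfcenter_* services.

```shell
#!/usr/bin/env bash
# Added example, not the KB article's own code: the manual steps 1-8 as one script,
# with a pre-check of the alias and a check of the new SAN/validity before the swap.
# Paths and the 4 caperfcenter_* services are from the article; hostnames, IPs,
# password, dname fields and the use of 'service' to stop/start are assumptions.
set -eu

KEYTOOL=/opt/CA/jre/bin/keytool
JETTY_KS=/opt/CA/PerformanceCenter/jetty/etc/keystore
NEW_KS=/tmp/keystore                       # same file name as the one it replaces
FQHN=${FQHN:-portal.example.com}           # constructed sample hostname
ALIAS=${ALIAS:-portal}                     # must match the alias found in step 1
STOREPASS=${STOREPASS:-changeit}           # must match the current keystore password
CACERTS_PASS=${CACERTS_PASS:-$STOREPASS}   # article reuses the keystore password; override if cacerts differs

# Build keytool's -ext value from space-separated DNS names and IPs (step 2's SAN list):
# build_san "portal.example.com portal" "10.0.0.5" -> SAN=dns:portal.example.com,dns:portal,ip:10.0.0.5
build_san() {
  names=$1; ips=${2:-}; out=""
  for n in $names; do out="${out:+$out,}dns:$n"; done
  for ip in $ips; do out="${out:+$out,}ip:$ip"; done
  printf 'SAN=%s' "$out"
}

rotate_self_signed() {
  : "${CAPC_SERVICES:?set to the four caperfcenter_* service names}"   # not named in the article
  san=$(build_san "$FQHN ${EXTRA_DNS:-}" "${EXTRA_IPS:-}")
  # Step 1: fail early if the alias is not in the keystore being replaced.
  "$KEYTOOL" -list -keystore "$JETTY_KS" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null
  # Step 2: new keypair, same alias/password, fresh 365-day validity, full SAN list.
  "$KEYTOOL" -genkeypair -noprompt -dname "CN=$FQHN, OU=IT, O=Example, L=City, S=State, C=US" \
    -keystore "$NEW_KS" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -keyalg RSA -keysize 2048 -validity 365 -alias "$ALIAS" -ext "$san"
  # Check before touching the service: grep exits non-zero (and set -e stops) if no SAN is present.
  "$KEYTOOL" -list -v -keystore "$NEW_KS" -storepass "$STOREPASS" -alias "$ALIAS" >/tmp/new_cert.txt
  grep -E 'DNSName|IPAddress|Valid from' /tmp/new_cert.txt
  # Steps 3-4: export and trust the new cert in the JRE cacerts under a dated alias.
  "$KEYTOOL" -exportcert -keystore "$NEW_KS" -storepass "$STOREPASS" -alias "$ALIAS" -file /tmp/new_cert.cer
  "$KEYTOOL" -importcert -noprompt -cacerts -storepass "$CACERTS_PASS" \
    -alias "portal$(date +%Y%m%d)" -file /tmp/new_cert.cer
  # Steps 5-8: stop, back up the old keystore, swap in the new one, start.
  for s in $CAPC_SERVICES; do service "$s" stop; done
  mv "$JETTY_KS" "$JETTY_KS.bak"
  cp "$NEW_KS" "$JETTY_KS"
  for s in $CAPC_SERVICES; do service "$s" start; done
}

# Only run the rotation when explicitly asked, so sourcing the file stays side-effect free.
if [ "${RUN_ROTATION:-0}" = "1" ]; then rotate_self_signed; fi
```

Run it as `RUN_ROTATION=1 CAPC_SERVICES="..." EXTRA_DNS="portal" EXTRA_IPS="10.0.0.5" ./rotate.sh`; the keystore.bak left by step 6 is the rollback if the Portal does not come up.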