Replacing TLS certificate - SaltStack Enterprise 6.0 and higher

To replace an expiring TLS certificate for SaltStack Enterprise:

1. Refer to the SSE configuration file on your SSE server in /etc/raas/raas. Look for the following configuration entries.

     tls_crt: /etc/pki/raas/certs/localhost.crt
     tls_key: /etc/pki/raas/certs/localhost.key
   

   Note: The above is an example, your certificates might be in a different location.

2. Back up the tls_crt and tls_key files referenced above.

3. Obtain a renewed certificate and associated key and copy the files into the same location, giving them the same names.

   Note: Alternatively you may relocate the files elsewhere as long as the entries above point to the correct place.

4. Verify that the raas user owns these files and they have permissions 600 (or -rw------- ).

   Note: SaltStack Enterprise runs solely as an unprivileged user named raas.

5. Verify that the raas user can access the files if parent directories have differing permissions.

6. Restart the SSE server.

   systemctl restart raas

7. Wait a few seconds, then verify that SSE is up and running.

   systemctl status raas

8. Visit the SSE URL in your browser to verify that the webserver is serving content. Using your browser's tools, check the details on the certificate being served to validate that it is the expected certificate with the desired expiration date.

Replacing TLS certificate - SaltStack Enterprise 5.5.2 and lower

To replace an expiring TLS certificate for SaltStack Enterprise:

1. Complete steps 1-3 of Replacing TLS certificate, SSE 6.0 and higher above.

2. Restart the SSE server.

   systemctl stop raas

   Check to make sure all the RaaS processes have stopped.

   systemctl start raas

3. Complete steps 7-8 of Replacing TLS certificate, SSE 6.0 and higher above.