Updating the TLS Certificate
For security purposes, you are advised to periodically update the certificate.
If the TLS certificate expires, you need to update the certificate on each node. The procedure for updating a certificate is the same as that for generating a certificate.
- Go to the certificate script directory.
cd /opt/certtool/certificate
- Destroy old keys.
To ensure that all old keys are completely destroyed, overwrite every key file more than three times with all 0s, all 1s, or secure random data before deleting it.
Example (in each command, the value of count must match the actual size of the file in bytes):
Overwriting with all 0s: dd if=/dev/zero of=/opt/gcache/secure/Certs/agent.private.key.pem bs=1 count=3326
Overwriting with all 1s: tr '\000' '\377' < /dev/zero | dd of=/opt/gcache/secure/Certs/agent.private.key.pem bs=1 count=3326
Overwriting with random numbers: dd if=/dev/random of=/opt/gcache/secure/Certs/agent.private.key.pem bs=1 count=3326
After the key files have been overwritten, delete the certificate directory:
rm -rf /opt/gcache/secure/Certs
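The three overwrite commands above hard-code count=3326 and have to be repeated by hand for every key file. The following added example (not code from the product documentation or from cert_manager.sh) wraps the same passes in functions that read the real file size, apply all three passes to every file in the directory, and only then remove the directory. Paths are passed as arguments; nothing under /opt/gcache is touched unless you pass that path.

```shell
#!/bin/sh
# Added example, not from the product documentation: the three overwrite
# passes shown above, with the count taken from the real file size instead
# of a hard-coded 3326, applied to every file in the directory before it is
# removed. Paths are arguments; nothing under /opt/gcache is touched here.

# Size of a file in bytes (GNU stat, with BSD stat as a fallback).
file_size() {
    stat -c %s "$1" 2>/dev/null || stat -f %z "$1"
}

# One in-place overwrite pass over FILE with PATTERN:
#   zero   -> 0x00 bytes from /dev/zero
#   one    -> 0xFF bytes (tr turns every NUL from /dev/zero into \377)
#   random -> bytes from /dev/urandom
# conv=notrunc keeps the file length unchanged, so count always covers
# exactly the original contents.
overwrite_pass() {
    file="$1"; pattern="$2"
    size=$(file_size "$file") || return 1
    case "$pattern" in
        zero)   dd if=/dev/zero of="$file" bs=1 count="$size" conv=notrunc 2>/dev/null ;;
        one)    tr '\000' '\377' < /dev/zero | dd of="$file" bs=1 count="$size" conv=notrunc 2>/dev/null ;;
        random) dd if=/dev/urandom of="$file" bs=1 count="$size" conv=notrunc 2>/dev/null ;;
        *)      echo "unknown pattern: $pattern" >&2; return 1 ;;
    esac
}

# Overwrite every regular file directly under DIR with a zero, a one and a
# random pass, flush to disk, then remove the directory (the rm -rf step
# above). Prints the number of files wiped.
wipe_key_dir() {
    dir="$1"; n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        for p in zero one random; do
            overwrite_pass "$f" "$p" || return 1
        done
        n=$((n + 1))
    done
    sync
    rm -rf "$dir"
    echo "$n"
}

# Usage on a node (not run here):
#   wipe_key_dir /opt/gcache/secure/Certs
```

In-place overwriting only reaches the old blocks on file systems that rewrite data in place. On copy-on-write or journaling file systems, and on SSDs with wear levelling, earlier copies of the key can survive elsewhere on the device; GNU shred documents the same limitation. Where the private key must not outlive the rotation, keeping the certificate directory on an encrypted volume whose key is discarded is the stronger control.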
- Run cert_manager.sh.
sh cert_manager.sh [ops_type] [ops_user] [run_user] [agent_node_list] [CA_node_list] [make_req/fetch_cert]
Parameters in the command are described as follows:
Parameter        Description
ops_type         create_cert indicates that a certificate is created. update_key indicates that no certificate is created and only the KMC key is updated.
ops_user         Operation user.
run_user         Run user.
agent_node_list  List of the nodes for which a certificate is created.
CA_node_list     List of the nodes on which the root certificate is created.
step             make_req indicates that the node generates a certificate request and sends it to the specified directory on the CA server. fetch_cert indicates that the node obtains the device certificate and root certificate from the CA server.
Generate a certificate request for the device node (perform this step on the selected server):
sh cert_manager.sh create_cert globalcacheop globalcacheop agent_node_list CA_node_list make_req
Enter the passwords of the operation user, agent, and CA account and the encryption password. The password must contain a minimum of six characters, including letters, digits, and special characters.
Enter OPS user password:              # Password of the operation user
Enter Agent password:                 # Password of the agent node account
Enter CA password:                    # Password of the CA node account
Enter Password: ******                # Encryption password (enter for the first time)
Verifying - Enter Password: ******    # Encryption password (enter for the second time)
- On the CA node, issue the device node certificate based on the CSR file of the device node. (Perform this step on your root certificate server.)
If the CA was set up as described in Configuring the Certificate Authority, run the following command on the CA server to generate the certificate. Replace ${agentip} with the actual agent IP address.
openssl ca -in /opt/gcache/secure/CACerts/csr/${agentip}.agent.csr -out /opt/gcache/secure/CACerts/certs/${agentip}.agent.cert.pem -days 3650 -config /opt/gcache/secure/CACerts/openssl.cnf
- Obtain the device certificate and root certificate from the root certificate node, and enter the passwords of the operation user, agent, and CA O&M account.
sh cert_manager.sh create_cert globalcacheop globalcacheop agent_node_list CA_node_list fetch_cert
Enter the passwords of the operation user, agent, and CA O&M account and the encryption password. The password requirement is the same as that in step 1. After the execution is complete, the files required for security purposes are generated.
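The openssl ca step above issues the device certificate but gives no check that the result chains to the root and will outlast the next rotation window. The following added example (not code from the product documentation or from cert_manager.sh) builds a throwaway root CA and agent CSR as constructed test material, signs the CSR with openssl x509 -req as a simplified stand-in for the openssl ca/openssl.cnf setup the procedure assumes, and then runs the two checks worth doing before fetch_cert: verification of the device certificate against the root, and a remaining-validity check that tells you when the procedure on this page is due. The /opt/gcache paths are not hard-coded; pass them as arguments on a real CA node.

```shell
#!/bin/sh
# Added example, not part of the product documentation or of cert_manager.sh.
# A self-signed test root signed with "openssl x509 -req" stands in for the
# openssl ca/openssl.cnf CA the procedure assumes; the checks at the end are
# the part meant for reuse with the real certificate and root paths.

# Create a throwaway root CA (constructed test material) in DIR.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Test-Root-CA" \
        -keyout "$1/ca.key.pem" -out "$1/ca.cert.pem" >/dev/null 2>&1
}

# Generate the agent key and CSR named after the agent IP, as the procedure
# does, and sign the CSR with the CA in DIR for DAYS days.
issue_agent_cert() {
    dir="$1"; agentip="$2"; days="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$agentip" \
        -keyout "$dir/$agentip.agent.key.pem" \
        -out "$dir/$agentip.agent.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/$agentip.agent.csr" \
        -CA "$dir/ca.cert.pem" -CAkey "$dir/ca.key.pem" -CAcreateserial \
        -days "$days" -sha256 \
        -out "$dir/$agentip.agent.cert.pem" >/dev/null 2>&1
}

# Succeeds only if CERT ($1) chains to the root certificate CACERT ($2).
verify_agent_cert() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Succeeds only if CERT ($1) is still valid DAYS ($2) days from now.
# A failure here means the update procedure on this page is due.
cert_valid_for() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Usage on the CA node after the openssl ca step (not run here):
#   verify_agent_cert /opt/gcache/secure/CACerts/certs/${agentip}.agent.cert.pem \
#       /path/to/root.cert.pem
#   cert_valid_for /opt/gcache/secure/CACerts/certs/${agentip}.agent.cert.pem 30
```

The -checkend test is the one to schedule: running cert_valid_for with a margin of a few weeks on each node turns the "if the TLS certificate expires" condition at the top of this page into a warning that arrives before the outage rather than after it.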