This guide provides the steps to update an existing airgap server certificate.

Use this procedure when the existing airgap server certificate has expired and must be replaced.

Prerequisites

If you prefer to bring your own (customer-bring) certificate, prepare the server certificate, its private key, and the CA certificate that signed it before you begin.

Procedure

  1. Log in to the airgap server via SSH.
  2. Prepare the airgap user-inputs.yml. Choose one of the following:
    • Specify the path to a customer-bring certificate suite (Option 1)

    • Generate a new certificate suite automatically (Option 2)

    Option 1: Customer-bring certificate.

    1. Copy the certificate suite to the airgap server.

    2. Modify the following parameters in scripts/vars/user-inputs.yml. If user-inputs.yml does not exist, copy deploy-user-inputs.yml to user-inputs.yml, then modify the copy.

    Set the auto_generate parameter to false, and configure the following parameters:

    server_cert_path

    Absolute path of the certificate file. The certificate can be self-signed, signed by a private CA, or signed by a public CA. For a private CA or public CA signed certificate, the file should be a chained certificate: the server certificate first, followed by the intermediate CA certificates (if any) and then the CA certificate that signed it.

    server_cert_key_path

    Absolute path of the server certificate's private key file. Restrict its permissions so that only the user running the airgap scripts can read it.

    ca_cert_path

    Absolute path of the trusted root CA certificate, or of the self-signed certificate itself. Required only when the provided server certificate cannot be verified against well-known root CAs, that is, for a self-signed or private CA signed certificate. Otherwise set it to "".

    Save and close user-inputs.yml.

    Option 2: Auto-generate certificate.

    1. Delete the previously generated certificates under root/airgap/certs/.

    2. Modify the following parameters in scripts/vars/user-inputs.yml. If user-inputs.yml does not exist, copy deploy-user-inputs.yml to user-inputs.yml, then modify the copy.

    Set the auto_generate parameter to true, and configure the following parameters:

    cert_ca_common_name

    Common Name of the generated CA certificate. It MUST differ from the airgap server FQDN, because server_fqdn in user-inputs.yml is used as the Common Name of the airgap server certificate.

    cert_country_name

    Two-letter country code (ISO 3166-1 alpha-2).

    cert_state_name

    State or province name within the country specified above.

    cert_county

    County name within the state specified above.

    cert_organization

    Company name.

    cert_bu

    Business unit name within the company.

    Save and close user-inputs.yml.

  3. Run the deploy Ansible playbook of the airgap scripts.
    # [ ~/airgap ] agctl deploy

    Check the deploy log under /usr/local/airgap/logs/ for task progress and results.

    The update succeeds if the PLAY RECAP at the end of the log shows failed=0 and unreachable=0.

    # [ ~/airgap ] tail ansible_deploy_<timestamp>.log
    PLAY RECAP *********************************************************************
    localhost                  : ok=85   changed=45   unreachable=0    failed=0    skipped=76   rescued=0    ignored=0
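Before running agctl deploy with a customer-bring suite (Option 1), it pays to verify the files against the requirements listed in step 2, because the deploy log only tells you that a task failed, not why the certificate was rejected. The script below is an added example and is not part of the airgap scripts; it assumes the openssl command-line tool is installed on the airgap server, and the function names (check_cert_suite, make_demo_suite) and the throwaway "Demo Private CA" are this example's own. It checks that the private key matches the server certificate, that the certificate is not expired or about to expire, that the chain verifies against ca_cert_path (or against the system trust store when ca_cert_path is ""), and that server_fqdn is present as a DNS subjectAltName.

```sh
#!/bin/sh
# Pre-flight check for a customer-bring certificate suite, run before step 3
# ("agctl deploy"). Added example, not part of the airgap scripts. Assumes the
# openssl CLI is available on the airgap server. The four arguments mirror the
# user-inputs.yml parameters server_cert_path, server_cert_key_path,
# ca_cert_path (pass "" to rely on the system trust store) and server_fqdn.

# check_cert_suite SERVER_CERT KEY_FILE CA_CERT_OR_EMPTY SERVER_FQDN
# Prints one PASS/FAIL line per check; returns 0 only if every check passed.
check_cert_suite() {
    cert="$1"; key="$2"; ca="$3"; fqdn="$4"; rc=0

    # 1. The key must belong to the server certificate (first cert in the file).
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=""
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=""
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "PASS private key matches server certificate"
    else
        echo "FAIL private key does not match server certificate"; rc=1
    fi

    # 2. Not expired, and not expiring within 30 days (2592000 s).
    if openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "PASS certificate valid for more than 30 days"
    else
        echo "FAIL certificate expired or expiring within 30 days"; rc=1
    fi

    # 3. Chain verification: against ca_cert_path when given, otherwise the
    #    system trust store. Passing the chained file as -untrusted supplies
    #    the intermediates it contains, as a TLS client would receive them.
    verify_ok=0
    if [ -n "$ca" ]; then
        openssl verify -CAfile "$ca" -untrusted "$cert" "$cert" >/dev/null 2>&1 && verify_ok=1
    else
        openssl verify -untrusted "$cert" "$cert" >/dev/null 2>&1 && verify_ok=1
    fi
    if [ "$verify_ok" -eq 1 ]; then
        echo "PASS chain verifies (${ca:-system trust store})"
    else
        echo "FAIL chain does not verify; set ca_cert_path for a private or self-signed CA"; rc=1
    fi

    # 4. server_fqdn must be a DNS subjectAltName; many clients no longer fall
    #    back to the CN. Dots in the FQDN are escaped for the grep pattern.
    esc=$(printf '%s' "$fqdn" | sed 's/\./\\./g')
    if openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -Eq "DNS:$esc"'(,| |$)'; then
        echo "PASS $fqdn present in subjectAltName"
    else
        echo "FAIL $fqdn missing from subjectAltName"; rc=1
    fi
    return $rc
}

# make_demo_suite DIR FQDN: builds a constructed, throwaway private CA and a
# server certificate signed by it, plus the chained file, for demonstration.
make_demo_suite() {
    dir="$1"; demo_fqdn="$2"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$demo_fqdn" > "$dir/server.ext"
    openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" -subj "/CN=Demo Private CA" 2>/dev/null
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 365 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    openssl req -config "$dir/req.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$demo_fqdn" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
    # Chain order as required above: server certificate first, then the CA.
    cat "$dir/server.crt" "$dir/ca.crt" > "$dir/chain.crt"
}

# Usage: check_cert_suite.sh SERVER_CERT KEY_FILE CA_CERT_OR_'' SERVER_FQDN
#        check_cert_suite.sh --demo   (build the throwaway CA and check it)
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_suite "$demo" airgap.example.com
    check_cert_suite "$demo/chain.crt" "$demo/server.key" "$demo/ca.crt" airgap.example.com
    rm -rf "$demo"
elif [ $# -eq 4 ]; then
    check_cert_suite "$@"
fi
```

Run it with the four paths from user-inputs.yml, or with --demo to build the constructed private CA and validate a chain signed by it. The last two checks are the ones that usually bite: a private CA chain with ca_cert_path left as "" fails verification, and a certificate that carries server_fqdn only in its CN is not accepted by clients that no longer fall back to the CN, such as current browsers.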

What to do next

If the airgap server is updated with a self-signed certificate or a certificate signed by a private root CA, you must also update the TCA Manager MongoDB and the existing clusters with the new CA certificate, otherwise they will no longer trust the airgap server.