This guide provides the steps to update an existing airgap server certificate.
Existing airgap server certificate is expired that requires certificate replacement.
Prerequisites
User prepares the certificate to assign to the airgap server in case custom-bring certificate is preferred.
Procedure
- Login to airgap server via SSH.
- Prepare airgap user-inputs.yml.
Option 1: Customer-bring certificate.
Copy the certificate suite to the airgap server.
Modify following parameters in scripts/vars/usr-inputs.yml. If user-inputs.yml doesn't exist, copy deploy-user-inputs.yml as user-inputs.yml, then modify it.
Set auto_generate parameter with false, and configure following parameters:
-
server_cert_path
-
Certificate file absolute path. The certificate could be self-signed private CA signed or public CA signed. For private CA signed or public CA signed case, the certificate file is suggested to be a chained certificate, which contain the server certificate appended with the CA certificate signed it, all the intermediate CA certificates if any.
-
server_cert_key_path
-
Server certificate key file absolute path.
-
ca_cert_path
-
Trusted root CA or self-signed certificate absolute path. Required only when provided server certificate couldn't be verified with known root CAs. Otherwise configure it with "".
Save and close user-inputs.yml
Option 2: Auto-generate certificate.
Delete existing generated under root/airgap/certs/.
Modify following parameters in scripts/vars/user-inputs.yml. If user-inputs.yml doesn't exist, copy deploy-user-inputs.yml as user-inputs.yml, then modify it.
Set auto_generate parameter with true, and configure following parameters:
-
cert_ca_common_name
-
Common Name of CA certificate. It MUST be different from airgap server FQDN, as server_fqdn in user-inputs.yml is used as the common name of airgap server certificate.
-
cert_country_name
-
2 letter abbreviation for the country name.
-
cert_state_name
-
State name within the provided country name.
-
cert_county
-
County name within the state name provided.
-
cert_organization
-
Company's name.
-
cert_bu
-
Business unit name within the company.
Save and close user-inputs.yml.
- Run deploy ansible playbook of airgap scripts.
# [ ~/airgap ] agctl deploy
Check deploy log under /usr/local/airgap/logs/
to get the task progress and results.
The updating succeeds if the final results show no error.
# [ ~/airgap ] tail ansible_deploy_<timestamp>.log
PLAY RECAP *********************************************************************
localhost : ok=85 changed=45 unreachable=0 failed=0 skipped=76 rescued=0 ignored=0
What to do next
If the airgap server is updated with self-signed certificate or private root signed certificate, it is required to update TCA manager mongo DB and existing clusters with the new CA certificate.