The TCA Airgap appliance supports auto-generating a root CA certificate and a server certificate signed by it, with an expiration time of 10 years. This section describes how to regenerate them with new settings.

Procedure

  1. Log in to the TCA Airgap appliance over SSH with the admin account, then switch to root with su to use the agctl command.
  2. Back up the existing certificates and remove all the files that start with the FQDN.
    Caution:

    If you do not wish to regenerate the root CA certificate, leave the ca.* files in place, especially if the CA is already configured in a VMware Telco Cloud Automation system.

    cd /usr/local/airgap
    cp -r certs certs.backup
    cd certs
    rm <fqdn>.*
    rm v3.ext
  3. Edit /usr/local/airgap/scripts/vars/user-inputs.yml by using the following command:
    vi /usr/local/airgap/scripts/vars/user-inputs.yml

    Update the following settings as needed. For more parameter details, see Agctl CLI Command Reference.

    Set the auto_generate parameter to True, and configure the following parameters:

    cert_ca_common_name

    Common Name of the CA certificate. It must be different from the Airgap appliance FQDN, because server_fqdn in user-inputs.yml is used as the common name of the Airgap appliance server certificate.

    cert_country_name

    Two-letter abbreviation for the country name.

    cert_state_name

    State name within the provided country.

    cert_county

    County name within the state name provided.

    cert_organization

    Company's name.

    cert_bu

    Business unit name within the company.

    Save the file and run the agctl deploy command to apply the changes.

    Note:

    If the auto_generate setting is True and server_fqdn changes, then when agctl deploy applies the new FQDN, the certificate for the new FQDN is generated automatically.

  4. Verify the newly generated certificate suite, which is available at the following location:

    /usr/local/airgap/certs/

    Use the following command to check the certificate:

    curl https://<TCA Airgap Appliance FQDN> -v

    The output is expected to contain SSL certificate verify ok and HTTP/1.1 200 OK, and the server certificate details in the output should be consistent with the newly generated certificate.
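
An offline complement to the curl check in step 4, as an added example that is not part of the VMware documentation: it confirms that the server certificate chains to the root CA, that the CA common name differs from the FQDN, and that neither certificate has expired. The file names ca.crt and <fqdn>.crt, the function names and the placeholder FQDN airgap.example.test are assumptions; the demo runs on throwaway certificates constructed in a temporary directory.

```shell
#!/bin/sh
# Added example: offline sanity checks for a regenerated CA/server pair.
# Paths are arguments; ca.crt and <fqdn>.crt are assumed file names.

cert_cn() {  # print the subject Common Name of a PEM certificate
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

check_cert_pair() {  # usage: check_cert_pair CA_CERT SERVER_CERT FQDN
    ca=$1; srv=$2; fqdn=$3
    ca_cn=$(cert_cn "$ca"); srv_cn=$(cert_cn "$srv")
    # cert_ca_common_name must differ from the appliance FQDN.
    if [ "$ca_cn" = "$fqdn" ]; then
        echo "FAIL: CA common name equals server FQDN ($fqdn)"; return 1
    fi
    # server_fqdn is used as the server certificate common name.
    if [ "$srv_cn" != "$fqdn" ]; then
        echo "FAIL: server CN '$srv_cn' is not '$fqdn'"; return 1
    fi
    # The server certificate must chain to the (new or kept) root CA.
    if ! openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1; then
        echo "FAIL: server certificate is not signed by this CA"; return 1
    fi
    # Neither certificate may already be expired.
    for c in "$ca" "$srv"; do
        openssl x509 -in "$c" -noout -checkend 0 >/dev/null ||
            { echo "FAIL: $c has expired"; return 1; }
    done
    echo "OK: $srv_cn chains to $ca_cn"
}

make_sample() {  # usage: make_sample DIR CA_CN FQDN (constructed throwaway certs)
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 2 -out "$1/$3.crt" 2>/dev/null
}

# Demo on constructed data (airgap.example.test is a placeholder FQDN).
demo=$(mktemp -d)
make_sample "$demo" "Example Airgap Root CA" airgap.example.test
check_cert_pair "$demo/ca.crt" "$demo/airgap.example.test.crt" airgap.example.test
rm -rf "$demo"
```

On the appliance, call check_cert_pair with the actual CA and server certificate paths under /usr/local/airgap/certs/ and the value of server_fqdn.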

    What to do next?

    You can add the Airgap Repository to VMware Telco Cloud Automation as described in Add an Air Gap Repository. Only the generated Root CA certificate needs to be configured in the CA Certificate field.

    If the Airgap appliance is already added to VMware Telco Cloud Automation and the Root CA certificate is regenerated, follow the instructions in Importing new Airgap Appliance CA Certificate to the TCA System.