The TCA Airgap appliance supports auto-generating a root CA certificate and a server certificate signed by it, with an expiration time of 10 years. This section describes how to regenerate them with new settings.
Procedure
- Log in to the TCA Airgap appliance using the SSH admin account, then switch to root with su to use the agctl command.
- Back up the existing certificates and remove all the files that start with the FQDN.
Caution:
If you do not wish to regenerate the root CA certificate, leave the ca.* file in place, especially if it is already configured into some VMware Telco Cloud Automation system.
cd /usr/local/airgap
cp -r certs certs.backup
cd certs
rm <fqdn>.*
rm v3.ext
- Edit /usr/local/airgap/scripts/vars/user-inputs.yml by using the following command:
vi /usr/local/airgap/scripts/vars/user-inputs.yml
Update the following settings as needed. For more parameter details, see Agctl CLI Command Reference.
Set the auto_generate parameter to True, and configure the following parameters:
cert_ca_common_name
Common Name of the CA certificate. It must be different from the Airgap appliance FQDN, as server_fqdn in user-inputs.yml is used as the common name of the Airgap appliance server certificate.
cert_country_name
Two letter abbreviation for the country name.
cert_state_name
State name within the provided country.
cert_county
County name within the state name provided.
cert_organization
Company's name.
cert_bu
Business unit name within the company.
Save and run the agctl deploy command to apply.
Note:
If the auto_generate setting is True and server_fqdn changes, then when agctl deploy applies the new FQDN, the certificate of the new FQDN is generated automatically.
- Verify the newly generated certificate suites, which are available at the following location:
/usr/local/airgap/certs/
Use the following command to check the certificate:
curl https://<TCA Airgap Appliance FQDN> -v
The output is expected to contain SSL certificate verify ok and HTTP/1.1 200 OK. The server certificate details in the output should be consistent with the newly generated certificate.
What to do next?
You can add the Airgap Repository to VMware Telco Cloud Automation as mentioned in Add an Air Gap Repository. Only the generated Root CA certificate is required to be configured into the CA Certificate field.
If the Airgap appliance is already added to VMware Telco Cloud Automation and the Root CA certificate is regenerated, follow the instructions in Importing new Airgap Appliance CA Certificate to the TCA System.
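The checks implied by the procedure (the server certificate is signed by the root CA, its common name is server_fqdn, and the CA common name differs from it) can also be run offline with openssl before the root CA is configured into VMware Telco Cloud Automation. This is an added example, not part of the product documentation or the appliance's tooling. Certificate paths are passed as arguments because the exact file names under /usr/local/airgap/certs/ are not given here, and make_sample_suite is a hypothetical helper that only builds constructed throwaway certificates for trying the check.

```shell
#!/bin/sh
# Added example: offline consistency check of a regenerated certificate suite.
# Paths are arguments; no appliance file names are assumed.

# Print the subject commonName of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# check_cert_suite CA_CERT SERVER_CERT FQDN
# Returns 0 when the suite is consistent, otherwise 1 with reasons on stderr.
check_cert_suite() {
    ca=$1 srv=$2 fqdn=$3 rc=0
    ca_cn=$(cert_cn "$ca")
    srv_cn=$(cert_cn "$srv")
    # The server certificate must verify against the root CA to be imported.
    if ! openssl verify -CAfile "$ca" "$srv" >/dev/null 2>&1; then
        echo "FAIL: $srv does not verify against $ca" >&2; rc=1
    fi
    # server_fqdn is used as the common name of the server certificate.
    if [ "$srv_cn" != "$fqdn" ]; then
        echo "FAIL: server CN '$srv_cn' is not '$fqdn'" >&2; rc=1
    fi
    # cert_ca_common_name must differ from the appliance FQDN.
    if [ "$ca_cn" = "$fqdn" ]; then
        echo "FAIL: CA CN equals the appliance FQDN" >&2; rc=1
    fi
    # Neither certificate may already be expired.
    for c in "$ca" "$srv"; do
        openssl x509 -in "$c" -noout -checkend 0 >/dev/null ||
            { echo "FAIL: $c has expired" >&2; rc=1; }
    done
    return $rc
}

# make_sample_suite DIR CA_CN SERVER_CN
# Builds a throwaway CA and server certificate (constructed sample data).
make_sample_suite() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
}
```

On the appliance, call check_cert_suite with the root CA certificate, the server certificate, and the value of server_fqdn.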