You can replace your signed certificates when they expire or substitute the default certificates with CA-signed certificates.

When the certificates used for TLS authentication between the collector manager and the remote collector manager have expired, you can regenerate them using the following scripts.

The procedure covers both cases: CA-signed certificates are available, or they are not and self-signed certificates must be generated instead.

Procedure

  1. When a CA-signed server certificate, server key, client certificate, and client key are available, update the remote collector manager:
    1. Copy the server.key, server.crt, client.key, and client.crt files into the certificate directory of the remote collector manager, usually the $(pwd)/remote/certs directory.
    2. Update the remote collector manager using the Update Remote Collector Manager API of VMware Telco Cloud Service Assurance:
      #!/bin/bash
      TCSA_URL=https://<TCSA_IP>:<TCSA_PORT>
      TCSA_USERNAME=<USERNAME>
      TCSA_PASSWORD=<PASSWORD>
      DC_NAME=<NAME OF DATACENTER>
      REMOTE_IP=<REMOTE_IP>
      # The API expects the key and certificates as single-line base64 strings
      client_key=$(base64 -w 0 $(pwd)/remote/certs/client.key)
      client_certificate=$(base64 -w 0 $(pwd)/remote/certs/client.crt)
      ca_cert=$(base64 -w 0 $(pwd)/remote/certs/server.crt)
      # Obtain an access token (-k skips TLS verification of the TCSA endpoint)
      access_token=$(curl -k --location --request POST $TCSA_URL/auth/realms/NGINX/protocol/openid-connect/token --header 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'grant_type=password' --data-urlencode 'client_id=operation-ui' --data-urlencode 'username='$TCSA_USERNAME --data-urlencode 'password='$TCSA_PASSWORD | sed "s/{.*\"access_token\":\"\([^\"]*\).*}/\1/g")
      # Upload the new certificate set; only the HTTP status code is kept
      response=$(curl -o /dev/null -w "%{http_code}" -k -X PUT $TCSA_URL/dcc/v1/remote/datacenters/${DC_NAME} -H "Content-Type: application/json" -H "Authorization: Bearer $access_token" -d "{\"client_key\":\"$client_key\",\"client_certificate\":\"$client_certificate\",\"ca_cert\":\"$ca_cert\", \"remote_ip\":\"$REMOTE_IP\"}")
      if [ "$response" -eq 200 ]; then
         echo "Update Certificates Completed"
         docker restart collector-manager
         echo "Restart collector-manager Completed"
      elif [ "$response" -eq 404 ]; then
         echo "Error While Updating The Certificates: the Remote Collector Manager Was Not Found"
      else
         echo "Error While Updating the Certificates for the Remote Collector Manager (HTTP $response)"
      fi
  2. When CA-signed certificates are not available, you can generate self-signed certificates using the following procedure:
    1. Generate CA private key:
      openssl genrsa -out ca.key 2048
    2. Create self-signed CA certificate:
      openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    3. Generate Server Private Key:
      openssl genrsa -out server.key 2048
    4. Generate Certificate Signing Request (CSR) for the server:
      openssl req -new -key server.key -out server.csr
    5. Sign the server certificate with the CA:
      openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
    6. Generate client private key:
      openssl genrsa -out client.key 2048
    7. Generate Certificate Signing Request (CSR) for the client:
      openssl req -new -key client.key -out client.csr
    8. Sign the client certificate with the CA (the serial number must differ from the one used for the server certificate, because a CA must never issue two certificates with the same serial):
      openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
    You can also generate the self-signed certificates using the following script (generate_tls_certificate.sh):
    #!/bin/bash

    # Set certificate subject information
    COUNTRY="<Country CODE>"
    STATE="<STATE>"
    CITY="<CITY>"
    ORGANIZATION="<ORG NAME>"
    COMMON_NAME="<REMOTE IP>"
    PASSWORD=password

    # Generate a CA key
    openssl genrsa -out ca.key 4096

    # Generate a self-signed CA certificate
    openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME" -out ca.crt

    # Generate a server key
    openssl genrsa -out server.key 4096

    # Generate a server signing request
    openssl req -new -key server.key -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME" -out server.csr -passin pass:$PASSWORD

    # Sign the server certificate with the CA (the remote IP is added as a subjectAltName)
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile <(echo "subjectAltName = IP:$COMMON_NAME, DNS:$COMMON_NAME")

    # Generate a client key
    openssl genrsa -out client.key 4096

    # Generate a client signing request
    openssl req -new -key client.key -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME" -out client.csr -passin pass:$PASSWORD

    # Sign the client certificate with the CA (the serial file created above is reused, so the serials differ)
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
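Before uploading a freshly generated set with the update API, it is worth checking that the files actually fit together. The following script is an added example, not part of the VMware documentation or product: it builds a throwaway CA, server and client certificate in the same layout as the procedure above (assumed directory and IP are placeholders) and then runs the checks a practitioner would want, each chain verification, expiry, key/certificate match, server SAN, and distinct serial numbers.

```shell
#!/bin/bash
# Added example (not from the VMware documentation): pre-flight checks on the
# server/client certificate set before it is uploaded with the update API.
# Assumes openssl is on PATH; all files are generated into the directory given.

# Generate a throwaway CA, server and client certificate in the layout the
# procedure above produces (CN = remote IP, server certificate with an IP SAN).
make_test_certs() {
  dir="$1"; ip="$2"
  umask 077                      # private keys must not be world-readable
  mkdir -p "$dir" || return 1
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/ca.key" -sha256 -days 365 -subj "/CN=test-ca" -out "$dir/ca.crt" 2>/dev/null
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -subj "/CN=$ip" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName = IP:%s\n' "$ip" > "$dir/san.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 01 \
    -days 365 -sha256 -extfile "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=$ip" -out "$dir/client.csr" 2>/dev/null
  # Distinct serial: two certificates issued by one CA must never share a serial number.
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -set_serial 02 \
    -days 365 -sha256 -out "$dir/client.crt" 2>/dev/null
}

# check_cert_set DIR REMOTE_IP: returns 0 when every check passes, 1 otherwise (reasons on stderr)
check_cert_set() {
  dir="$1"; ip="$2"; rc=0
  for f in server.crt client.crt; do
    # Each leaf must chain to the CA certificate that is uploaded as ca_cert.
    openssl verify -CAfile "$dir/ca.crt" "$dir/$f" >/dev/null 2>&1 \
      || { echo "$f: not signed by ca.crt" >&2; rc=1; }
    # Reject certificates that expire within 30 days (2592000 s) to avoid another outage.
    openssl x509 -in "$dir/$f" -noout -checkend 2592000 >/dev/null \
      || { echo "$f: expires within 30 days" >&2; rc=1; }
  done
  for p in server client; do
    # A key that does not match its certificate fails the TLS handshake.
    [ "$(openssl x509 -in "$dir/$p.crt" -noout -pubkey)" = "$(openssl pkey -in "$dir/$p.key" -pubout 2>/dev/null)" ] \
      || { echo "$p.key does not match $p.crt" >&2; rc=1; }
  done
  # The server certificate must name the remote IP in its SAN, or hostname verification fails.
  openssl x509 -in "$dir/server.crt" -noout -text | grep -qw "IP Address:$ip" \
    || { echo "server.crt: no subjectAltName for $ip" >&2; rc=1; }
  # Serial numbers issued by one CA must be unique.
  [ "$(openssl x509 -in "$dir/server.crt" -noout -serial)" != "$(openssl x509 -in "$dir/client.crt" -noout -serial)" ] \
    || { echo "server.crt and client.crt share a serial number" >&2; rc=1; }
  return $rc
}
```

Run check_cert_set against the real $(pwd)/remote/certs directory (with ca.crt replaced by whatever is uploaded as ca_cert) and the remote IP before executing the update script.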