You can replace your signed certificates when they expire, or substitute the default certificates with CA-signed certificates.
When the TLS certificates used for authentication between the collector manager and the remote collector manager have expired, you can regenerate them using the following scripts.
You can generate the TLS authentication certificates whether or not CA-signed certificates are available.
Procedure
- When a CA-signed server certificate, server key, client certificate, and client key are available, update the remote collector manager:
- Copy the server.key, server.crt, client.key, and client.crt files into the certificate directory of the remote collector manager, usually the $(pwd)/remote/certs directory.
- Update the remote collector manager using the Update Remote Collector Manager API of VMware Telco Cloud Service Assurance:
```bash
#!/bin/bash
TCSA_URL=https://<TCSA_IP>:<TCSA_PORT>
TCSA_USERNAME=<USERNAME>
TCSA_PASSWORD=<PASSWORD>
DC_NAME=<NAME OF DATACENTER>
REMOTE_IP=<REMOTE_IP>

# The API expects each PEM file base64-encoded on a single line (-w 0)
client_key=$(base64 $(pwd)/remote/certs/client.key -w 0)
client_certificate=$(base64 $(pwd)/remote/certs/client.crt -w 0)
ca_cert=$(base64 $(pwd)/remote/certs/server.crt -w 0)

# Obtain a bearer token from the OpenID Connect token endpoint (password grant)
access_token=$(curl -k --location --request POST $TCSA_URL/auth/realms/NGINX/protocol/openid-connect/token \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_id=operation-ui' \
  --data-urlencode 'username='$TCSA_USERNAME \
  --data-urlencode 'password='$TCSA_PASSWORD \
  | sed "s/{.*\"access_token\":\"\([^\"]*\).*}/\1/g")

# Update the remote collector manager; only the HTTP status code is kept
response=$(curl -o /dev/null -w "%{http_code}" -k -X PUT $TCSA_URL/dcc/v1/remote/datacenters/${DC_NAME} \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $access_token" \
  -d "{\"client_key\":\"$client_key\",\"client_certificate\":\"$client_certificate\",\"ca_cert\":\"$ca_cert\", \"remote_ip\":\"$REMOTE_IP\"}")

if [ "$response" -eq 200 ]; then
  echo "update Certificates Completed"
  docker restart collector-manager
  echo "restart collector-manager Completed"
elif [ "$response" -eq 404 ]; then
  echo "Error While Updating The Certificates: the Remote Collector Manager Not Found"
else
  echo "Error While Updating the Certificates for the Remote Collector Manager"
fi
```
- When CA-signed certificates are not available, generate self-signed certificates using the following procedure:
- Generate CA private key:
openssl genrsa -out ca.key 2048
- Create self-signed CA certificate:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
- Generate Server Private Key:
openssl genrsa -out server.key 2048
- Generate Certificate Signing Request (CSR) for the server:
openssl req -new -key server.key -out server.csr
- Sign the server certificate with the CA:
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
- Generate client private key:
openssl genrsa -out client.key 2048
- Generate Certificate Signing Request (CSR) for the client:
openssl req -new -key client.key -out client.csr
- Sign the client certificate with the CA (use a serial number different from the server certificate, because two certificates issued by the same CA must not share a serial):
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
You can also generate the self-signed certificates using the following script (generate_tls_certificate.sh):

```bash
#!/bin/bash
# Set certificate subject information
COUNTRY="<Country CODE>"
STATE="<STATE>"
CITY="<CITY>"
ORGANIZATION="<ORG NAME>"
COMMON_NAME="<REMOTE IP>"
PASSWORD=password

# Generate a CA key
openssl genrsa -out ca.key 4096

# Generate a self-signed CA certificate
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME" -out ca.crt

# Generate a server key
openssl genrsa -out server.key 4096

# Generate a server signing request
openssl req -new -key server.key \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME" \
  -out server.csr -passin pass:$PASSWORD

# Sign the server certificate with the CA (the remote IP goes into the subjectAltName)
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out server.crt -days 365 -sha256 \
  -extfile <(echo "subjectAltName = IP:$COMMON_NAME, DNS:$COMMON_NAME")

# Generate a client key
openssl genrsa -out client.key 4096

# Generate a client signing request
openssl req -new -key client.key \
  -subj "/C=$COUNTRY/ST=$STATE/L=$CITY/O=$ORGANIZATION/CN=$COMMON_NAME" \
  -out client.csr -passin pass:$PASSWORD

# Sign the client certificate with the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -out client.crt -days 365 -sha256
```