Since vSphere Bitfusion 4.5.2, by using CLI commands and the vSphere Bitfusion plug-in, you can renew the certificates for your vSphere Bitfusion servers and clients.

A certificate authority (CA) key pair is generated when the first vSphere Bitfusion server virtual machine joins a vSphere Bitfusion cluster. The CA certificate authenticates all client-to-server, server-to-server, server-to-database, and database-to-database connections. Each subsequent server that joins the cluster reads the certificate and has its own key pair signed by the CA on the primary server. To ensure redundancy, for example if the primary server fails, vSphere Bitfusion also saves the certificate authority information in the Apache Cassandra database.
Note: Since vSphere Bitfusion 4.5.2, the default expiration period of the certificates is extended to 20 years. For vSphere Bitfusion 4.5.1 and earlier, the certificates expire after one year.
To renew the certificates on your vSphere Bitfusion servers and clients, complete the following procedure.

Procedure

  1. Create server certificates.
    1. Open a terminal application and run the ssh customer@ip_address command, where ip_address is the IP address of your primary vSphere Bitfusion server.
      You can obtain the vSphere Bitfusion server IP address from the vSphere Bitfusion plug-in.
    2. Enter the customer password that you specified during the deployment of the primary vSphere Bitfusion server.
    3. To generate server certificates, run the sudo bitfusion tls-certs gen command.
      The CA certificate ca.crt.xxx and the CA private key ca.key.xxx are generated in the /etc/bitfusion/tls/ folder, where xxx is the filename suffix. For example, ca.key.20220408-202701 and ca.crt.20220408-202701.
  2. Copy the certificates from your primary vSphere Bitfusion server to all subsequent servers.
    1. From the primary vSphere Bitfusion server, copy the certificate files to your local machine by running the following commands, where ip_address_primary is the IP address of your primary vSphere Bitfusion server and xxx is the filename suffix.
      scp customer@ip_address_primary:ca.crt.xxx .
      scp customer@ip_address_primary:ca.key.xxx .
    2. From your local machine, copy the certificate files to a subsequent vSphere Bitfusion server by running the following commands, where ip_address_subsequent is the IP address of your subsequent vSphere Bitfusion server and xxx is the filename suffix.
      scp ca.crt.xxx customer@ip_address_subsequent:~/
      scp ca.key.xxx customer@ip_address_subsequent:~/
  3. Import the certificate to all subsequent vSphere Bitfusion servers.
    1. Open a terminal application and run the ssh customer@ip_address command, where ip_address is the IP address of your subsequent vSphere Bitfusion server.
      You can obtain the vSphere Bitfusion server IP address from the vSphere Bitfusion plug-in.
    2. Enter the customer password that you specified during the deployment of the subsequent vSphere Bitfusion server.
    3. To import the certificates, run the sudo bitfusion tls-certs import --cakeypath ca.key.xxx --cacertpath ca.crt.xxx command, where ca.key.xxx and ca.crt.xxx are the CA key and certificate files, and xxx is the filename suffix.
      For example, run sudo bitfusion tls-certs import --cakeypath ca.key.20220408-202701 --cacertpath ca.crt.20220408-202701.
  4. Restart the vSphere Bitfusion service by running the sudo systemctl restart bitfusion command.
    You must restart the service on all vSphere Bitfusion servers in your cluster.
  5. Renew the client certificates.
    1. In the vSphere Client, select Menu (vSphere Client menu icon) > Bitfusion.
    2. On the Settings tab, expand Renew Client Certificates.
    3. Select Renew Certificates.
  6. If you installed a vSphere Bitfusion client on a bare metal machine, renew the certificates manually.
    In the following commands, ip_address_server is the IP address of your vSphere Bitfusion server, ip_address_client is the IP address of your vSphere Bitfusion client, and xxx is the filename suffix.
    1. From your local machine, copy the ca.crt.xxx file from a vSphere Bitfusion server to the client.
      scp customer@ip_address_server:ca.crt.xxx .
      scp ca.crt.xxx customer@ip_address_client:~/
    2. Set the ownership and permissions of the ca.crt.xxx file on the client and copy it to the /etc/bitfusion/tls/ folder as ca.crt by running the following command from your local machine.
      ssh customer@ip_address_client "sudo chown bitfusion:bitfusion ca.crt.xxx; sudo chmod 640 ca.crt.xxx; sudo cp ca.crt.xxx /etc/bitfusion/tls/ca.crt"
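Once the new pair is generated or imported, a practitioner will want to confirm on each server that the CA certificate and private key actually belong together, that the certificate is nowhere near expiry, and that the private key is not readable by other local users. The following script is an added example and not VMware code; the check_ca_pair and make_sample_pair names, the throwaway sample CA it creates, and the commented default paths are assumptions.

```shell
#!/bin/sh
# Added example (not VMware code): sanity checks to run on a server after
# 'bitfusion tls-certs gen' or 'bitfusion tls-certs import'. Paths and the
# sample CA below are assumptions; the real pair lives in /etc/bitfusion/tls/.
set -u

# check_ca_pair KEY CERT MIN_DAYS
# 0: ok   1: key and cert do not match   2: cert expires within MIN_DAYS
# 3: private key is readable by other users
check_ca_pair() {
    key=$1; cert=$2; min_days=$3
    # 1. Pairing: the public key derived from the private key must be the
    #    same SubjectPublicKeyInfo PEM that the certificate embeds.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] \
        || { echo "key and certificate do not match"; return 1; }
    # 2. Lifetime: -checkend fails if the cert expires within N seconds.
    openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null \
        || { echo "certificate expires within $min_days days"; return 2; }
    # 3. Permissions: the CA key must carry no 'other' bits (e.g. 640 or 600).
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null) \
        || mode=unknown
    case "$mode" in
        *0) return 0 ;;
        *)  echo "private key mode $mode: other users must have no access"; return 3 ;;
    esac
}

# Constructed throwaway CA pair so the checks can be exercised offline;
# DAYS sets its lifetime (the Bitfusion default since 4.5.2 is 20 years).
make_sample_pair() {
    dir=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" -subj "/CN=sample-ca" \
        -keyout "$dir/ca.key.sample" -out "$dir/ca.crt.sample" 2>/dev/null
    chmod 640 "$dir/ca.key.sample"
}

# On a real server (assumed paths, run with sudo so the key is readable):
# check_ca_pair /etc/bitfusion/tls/ca.key.20220408-202701 \
#               /etc/bitfusion/tls/ca.crt.20220408-202701 365
```

A non-zero exit code identifies which of the three checks failed, so the script can be dropped into a post-renewal runbook or a monitoring job.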

Results

You renewed the certificates for all vSphere Bitfusion servers and clients in your cluster. The new certificates expire in 20 years.