Renew the self-signed TLS certificate

This procedure describes how to replace an expired self-signed TLS certificate by generating a new certificate that is based on the existing (stock) server key.

Before you begin

When you generate a self-signed certificate, you must provide information about your organization. It is a good idea to determine this information in advance, before you begin the process. See the TLS certificate data example section of this chapter for details and examples of the required information.
Note:

This procedure requires you to restart the isi_webui service, which restarts the web administration interface. Therefore, it is recommended that you perform these steps during a scheduled maintenance window.

Procedure

  1. Open a secure shell (SSH) connection to any node in the cluster and log in as root.
  2. Create a backup directory by running the following command:
    mkdir /ifs/data/backup/
  3. Set the permissions on the backup directory to 700:
    chmod 700 /ifs/data/backup
  4. Make backup copies of the existing server.crt and server.key files by running the following two commands:
    cp /usr/local/apache2/conf/ssl.crt/server.crt \
    /ifs/data/backup/server.crt.bak
    cp /usr/local/apache2/conf/ssl.key/server.key \
    /ifs/data/backup/server.key.bak
    Note:

    If files with the same names exist in the backup directory, either overwrite the existing files, or, to save the old backups, rename the new files with a timestamp or other identifier.

  5. Create a working directory to hold the files while you complete this procedure:
    mkdir /ifs/local/
  6. Set the permissions on the working directory to 700:
    chmod 700 /ifs/local
  7. Change to the working directory:
    cd /ifs/local/
  8. At the command prompt, run the following two commands to create a certificate that will expire in 2 years (730 days). Increase or decrease the value for -days to generate a certificate with a different expiration date.
    cp /usr/local/apache2/conf/ssl.key/server.key ./
    openssl req -new -days 730 -nodes -x509 -key \
    server.key -out server.crt
  9. When prompted, type the information to be incorporated into the certificate request.
    When you finish entering the information, a renewal certificate is created, based on the existing (stock) server key. The renewal certificate is named server.crt and it appears in the /ifs/local directory.
  10. Optional: To verify the attributes in the TLS certificate, run the following command:
    openssl x509 -text -noout -in server.crt
  11. Run the following five commands to install the certificate and key, and restart the isi_webui service:
    isi services -a isi_webui disable
    chmod 640 server.key
    isi_for_array -s 'cp /ifs/local/server.key \
    /usr/local/apache2/conf/ssl.key/server.key'
    isi_for_array -s 'cp /ifs/local/server.crt \
    /usr/local/apache2/conf/ssl.crt/server.crt'
    isi services -a isi_webui enable
  12. Verify that the installation succeeded. For instructions, see the Verify a TLS certificate update section of this guide.
  13. Delete the temporary working files (the copied server.key and the renewal server.crt created in step 8) from the /ifs/local directory:
    rm /ifs/local/server.key /ifs/local/server.crt
  14. (Optional) Delete the backup files from the /ifs/data/backup directory:
    rm /ifs/data/backup/server.crt.bak \
    /ifs/data/backup/server.key.bak
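The following is an added pre-installation check, not part of this guide: before the files in /ifs/local are pushed to every node in step 11, it confirms that the renewal certificate was really issued from the existing server key (its public key must match) and that it carries the intended 730-day validity. The stand-in key and certificate it generates under a temporary directory are constructed for the example; on a cluster you would point the two functions at /ifs/local/server.crt and /ifs/local/server.key instead.

```shell
#!/bin/sh
# Added example: sanity-check a renewed self-signed certificate against the
# server key it should have been generated from, before installing it.
set -eu

# Constructed sample material standing in for /ifs/local/server.key and
# /ifs/local/server.crt: a key, a 730-day self-signed certificate made from
# it (same openssl invocation as step 8), and an unrelated key for contrast.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
openssl req -new -days 730 -nodes -x509 -key "$WORK/server.key" \
    -out "$WORK/server.crt" \
    -subj "/C=US/ST=WA/L=Seattle/O=Example/CN=cluster.example.com" 2>/dev/null

# Succeeds only if the certificate's public key is the one derived from the
# private key; a mismatch means the web interface would fail to start TLS.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub="$(openssl x509 -in "$cert" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$key" -pubout 2>/dev/null)"
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the certificate does not expire within the next N days
# (openssl's -checkend exits non-zero when expiry falls inside the window).
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null
}

# Prints the fields an operator compares against the planned certificate data.
renewal_summary() {
    openssl x509 -in "$1" -noout -subject -enddate -fingerprint -sha256
}

if cert_matches_key "$WORK/server.crt" "$WORK/server.key" \
   && cert_valid_for_days "$WORK/server.crt" 729; then
    echo "OK: renewal certificate matches server.key and is valid for 2 years"
    renewal_summary "$WORK/server.crt"
else
    echo "FAIL: do not install this certificate" >&2
fi
```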