When you generate a self-signed certificate, you must provide information about your organization. It is a good idea to determine this information in advance, before you begin the process. See the TLS certificate data example section of this chapter for details and examples of the required information.
Before you begin
This procedure requires you to restart the isi_webui service, which restarts the web administration interface. Therefore, it is recommended that you perform these steps during a scheduled maintenance window.
- Open a secure shell (SSH) connection to any node in the cluster and log in as root.
- Create a backup directory by running the following command:
- Set the permissions on the backup directory to 700:
chmod 700 /ifs/data/backup
- Make backup copies of the existing server.crt and server.key files by running the following two commands:
cp /usr/local/apache2/conf/ssl.crt/server.crt /ifs/data/backup/server.crt.bak
cp /usr/local/apache2/conf/ssl.key/server.key /ifs/data/backup/server.key.bak
If files with the same names exist in the backup directory, either overwrite the existing files or, to keep the old backups, rename the new files with a timestamp or other identifier.
- Create a working directory to hold the files while you complete this procedure:
- Set the permissions on the working directory to 700:
chmod 700 /ifs/local
- Change to the working directory:
- At the command prompt, run the following two commands to create a certificate that will expire in 2 years (730 days). Increase or decrease the value for -days to generate a certificate with a different expiration date.
cp /usr/local/apache2/conf/ssl.key/server.key ./
openssl req -new -days 730 -nodes -x509 -key server.key -out server.crt
- When prompted, type the information to be incorporated into the certificate request.
When you finish entering the information, a renewal certificate is created, based on the existing (stock) server key. The renewal certificate is named server.crt and it appears in the /ifs/local directory.
- Optional: To verify the attributes in the TLS certificate, run the following command:
openssl x509 -text -noout -in server.crt
- Run the following five commands to install the certificate and key, and restart the isi_webui service:
isi services -a isi_webui disable
chmod 640 server.key
isi_for_array -s 'cp /ifs/local/server.key /usr/local/apache2/conf/ssl.key/server.key'
isi_for_array -s 'cp /ifs/local/server.crt /usr/local/apache2/conf/ssl.crt/server.crt'
isi services -a isi_webui enable
- Verify that the installation succeeded. For instructions, see the Verify a TLS certificate update section of this guide.
- Delete the temporary working files from the /ifs/local directory:
rm /ifs/local/<common-name>.csr /ifs/local/<common-name>.key /ifs/local/<common-name>.crt
- (Optional) Delete the backup files from the /ifs/data/backup directory:
rm /ifs/data/backup/server.crt.bak /ifs/data/backup/server.key.bak
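The optional verification step can be extended into checks that run before the certificate is copied to the nodes. The following is an added example, not part of the original guide: it builds a throwaway key and certificate with the same openssl req options and confirms that the certificate matches the key, has the expected lifetime, and is self-signed. The -subj values, the file names under the temporary directory, and the helper function names are constructed for the illustration.

```shell
#!/bin/sh
# Added example: checks to run on the renewed certificate before installing it.
# All file names and subject values below are constructed for the demonstration.

# Succeeds when the certificate's public key is the one derived from the key file.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when the certificate is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds when subject and issuer are identical, as in a self-signed certificate.
cert_is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject_hash) || return 1
    issuer=$(openssl x509 -in "$1" -noout -issuer_hash) || return 1
    [ "$subject" = "$issuer" ]
}

# Builds a throwaway key pair and certificate with the same openssl req options
# as the procedure, plus -subj so that no prompts appear (sample values).
make_sample() {
    SAMPLE_DIR=$(mktemp -d) || return 1
    openssl genrsa -out "$SAMPLE_DIR/server.key" 2048 2>/dev/null || return 1
    openssl genrsa -out "$SAMPLE_DIR/other.key" 2048 2>/dev/null || return 1
    openssl req -new -days 730 -nodes -x509 -key "$SAMPLE_DIR/server.key" \
        -subj "/C=US/O=Example Org/CN=cluster.example.com" \
        -out "$SAMPLE_DIR/server.crt" 2>/dev/null
}

make_sample || exit 1
cert_matches_key "$SAMPLE_DIR/server.crt" "$SAMPLE_DIR/server.key" && echo "key matches"
cert_matches_key "$SAMPLE_DIR/server.crt" "$SAMPLE_DIR/other.key" || echo "other key rejected"
cert_valid_for_days "$SAMPLE_DIR/server.crt" 700 && echo "valid for 700 more days"
cert_is_self_signed "$SAMPLE_DIR/server.crt" && echo "self-signed"
rm -rf "$SAMPLE_DIR"
```

On the cluster, the same functions can be pointed at /ifs/local/server.crt and /ifs/local/server.key before the isi_webui service is disabled.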