Certificate management#
This section contains additional instructions/guides related to certificate management in Scrutinizer.
On this page:
For further information or assistance with these functions, contact Plixer Technical Support.
Certificate rotation and regeneration#
The following certificate rotation utilities can be run to re-issue certificates and keys to address database communication issues:
Utility syntax and details
scrut_util --rotatecerts [--days <DAYS>] [--reset] [--verbose]
|
Regenerates all certificates on all nodes, including any ML engines, with an optional expiration of the number of If the |
scrut_util --nginxcerts [--days <DAYS>] [--csr] [--verbose]
|
Regenerates the web server certificate and key with an optional expiration of the number of The |
SCRUTINIZER> set ssl on
|
Generates a new self-signed certificate ( The provided syntax must be run from the SCRUTINIZER> prompt. To run the command directly from the shell, use
|
scrut_util --mlcerts --ip <IP_ADDRESS> [--days <DAYS>] [--install] [--verbose]
|
Regenerates TLS certificates and private keys on the Plixer ML Engine node with the specified If the |
scrut_util --pgcerts [--days <DAYS>] [--reset] [--verbose]
|
Regenerates all certificates used for PostgreSQL connections on all nodes with an optional expiration of the number of If the |
Note
The optional
DAYSflag can be used to set an expiration date for the certificate(s) regenerated by each utility. Once they expire, the same command can be run again to re-issue certificates with new expiry dates.With the exception of
set ssl on, the above commands cannot be run from theSCRUTINIZER>prompt.
Wildcard certificates#
If a signed wildcard certificate and key were generated with a passphrase, the passphrase must be removed from the private key to allow Scrutinizer to use the pair.
Copy the private key file (
*.key) to/etc/pki/tls/private/.Re-generate the key without a passphrase (replace
ORIGINALwith the filename of the key):openssl rsa -in /etc/pki/tls/private/ORIGINAL.key -out /etc/pki/tls/private/new.key
When prompted, enter the passphrase used for the original key.
This will create a new, unencrypted key named new.key in /etc/pki/tls/private/, which must be renamed to ca.key. If the key pair was originally created without a passphrase, it need only be renamed after being copied into the correct directory.
Full chain certificates#
A full chain certificate or chain of trust can be created as follows:
Create the file
ca_chain.crtunder/etc/pki/tls/CA/.Copy the contents of the intermediate CA
.crtfile intoca_chain.crt.Copy the contents of the root CA
.crtfile intoca_chain.crt(after the intermediate CA).Set
ssl_certificatesetting in/etc/nginx/webapp.d/inc/ssl.conf:ssl_certificate /etc/pkl/tls/CA/ca_chain.crt
Restart the web server:
sudo systemctl restart plixer_webapp
After the restart, the full chain certificate will be in use.
Distributed cluster certificates#
To generate CSRs and install the signed keys for a distributed cluster, run the following scripts:
Note
These scripts should be run from the distributed cluster’s primary reporter as the
plixeruser and rely on Scrutinizer’s default SSH connectivity.scrut_util --rotatecerts --reset(see above) can be used if either of these scripts causes unexpected issues or DB connection errors. However, any existing signed certificates will be lost.
/home/plixer/scrutinizer/files/generate_requests.sh
|
Generates certificate signing requests (CSRs) for all TLS keys in a distributed cluster CSRs are saved to subdirectories in |
/home/plixer/scrutinizer/files/install_certs.sh
|
Installs signed TLS certificates to all nodes in a distributed cluster
|