Certificates Maintenance

Overview

Certificates used by the application have an expiration date. They should be re-created and updated before this date. Maintenance of certificates is the responsibility of the system administrator.

CA certificate renewal

The CA certificate should be replaced in advance, before it is due for renewal. A self-generated CA should be re-generated. A provided CA should be downloaded from the CA provider. All server certificates should be re-generated after the CA update.

Given the new CA certificate (ca.crt), perform the following steps:

  1. Update JKS with new CA:

    keytool -J-Dkeystore.pkcs12.legacy -import -alias easyrpa-root-new -keystore /opt/rpaplatform/cert/rpa-trust.jks -file ./ca.crt -storepass "$(cat /opt/rpaplatform/cert/pass-p12.txt)" -noprompt -trustcacerts -deststoretype pkcs12
    
  2. Copy new CA:

    cp ./ca.crt /opt/rpaplatform/cert/ca.crt
    

Server certificate renewal

The common approach for certificate renewal:

  1. Get the new server public certificate, depending on the certificate type.
  2. Update the server certificate (server.crt) in the following locations:

    cp ./server.crt /opt/rpaplatform/cert/server.crt

     Then re-generate the certificate bundle:

    cat /opt/rpaplatform/cert/ca.crt /opt/rpaplatform/cert/server.crt > /opt/rpaplatform/cert/server-imt.crt

  3. Restart the platform.
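
A pre-flight check for the renewal steps above, as an added example (it is not part of the platform or of its own scripts): before copying files into /opt/rpaplatform/cert, confirm that the new server.crt verifies against the new ca.crt and that neither expires soon. The function names and the 30-day default are assumptions, and the demo certificates are constructed throwaway data.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before copying renewed certificates
# into /opt/rpaplatform/cert. Function names and the 30-day default are assumptions.

# cert_valid_for FILE DAYS: succeeds if FILE will still be valid DAYS days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# cert_chains_to CA FILE: succeeds if FILE was issued by CA (and is not expired).
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# preflight CA CERT [MIN_DAYS]: runs every check, reports each failure on stderr,
# and returns 0 only if all of them pass.
preflight() {
    ca=$1; cert=$2; min_days=${3:-30}; rc=0
    cert_valid_for "$ca" "$min_days" ||
        { echo "FAIL: $ca is unreadable or expires within $min_days days" >&2; rc=1; }
    cert_valid_for "$cert" "$min_days" ||
        { echo "FAIL: $cert is unreadable or expires within $min_days days" >&2; rc=1; }
    cert_chains_to "$ca" "$cert" ||
        { echo "FAIL: $cert does not verify against $ca" >&2; rc=1; }
    return "$rc"
}

# make_demo_pki DIR: constructed sample data (a throwaway CA, a server certificate
# it signs for 90 days, and an unrelated self-signed certificate valid for 5 days).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=demo-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-server" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 90 -out "$d/server.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 5 -subj "/CN=demo-other" \
        -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null
}

# Real use, gating the copy step on the checks:
#   preflight ./ca.crt ./server.crt && cp ./server.crt /opt/rpaplatform/cert/server.crt
```

Source the file and call preflight with the new ca.crt and server.crt. A non-zero return means the copy and the platform restart should not proceed.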

Platform automatic script for certificate renewal

After platform v.3.3.0, there is an rpaplatform-utils.sh script file in the CS installation directory that automatically renews all platform certificate files.