Version: 3.8.x.x LTS

Re-create nevisAdmin 3 CA

This chapter explains how to re-create the nevisAdmin 3 CA.

You should re-create the CA when:

  • it is expired (check neviskeybox list -slot default on a target server), or
  • it has been created with nevisAdmin version 3.1.3 or older. Since nevisAdmin version 3.1.4, the CA certificate has the proper extensions.
Important

Renewing the CA is a complex and time-consuming process. Create a backup of nevisAdmin 3 first, e.g., a snapshot of the VM.
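The two conditions listed above can also be checked directly against the CA certificate file with openssl. The following script is an added example and is not part of the nevisAdmin documentation or product; it does not replace the neviskeybox check. It assumes that the CA certificate is one of the ca_* files in the repository cert directory (the page gives only the prefix, so the file name below is a placeholder) and that "proper extensions" means X509v3 Basic Constraints CA:TRUE together with a Key Usage that includes Certificate Sign; both assumptions are marked in the comments.

```shell
#!/bin/sh
# Added example (not from the nevisAdmin docs): report whether a CA certificate
# is expired or lacks the CA extensions that a CA certificate is expected to carry.
# Assumption: "proper extensions" = basicConstraints CA:TRUE + keyUsage keyCertSign.
set -eu

# Returns 0 if the certificate stays valid for at least MIN_DAYS more days (default 0).
ca_is_valid_for() {
  cert="$1"; min_days="${2:-0}"
  openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null
}

# Returns 0 if the certificate carries basicConstraints CA:TRUE and
# a keyUsage that includes Certificate Sign; 1 otherwise.
ca_has_ca_extensions() {
  cert="$1"
  text=$(openssl x509 -in "$cert" -noout -text)
  printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Certificate Sign'
}

# Prints one verdict: "ok", "expired" or "missing-extensions".
# The second case corresponds to a CA created with nevisAdmin 3.1.3 or older.
ca_status() {
  cert="$1"
  if ! ca_is_valid_for "$cert" 0; then
    echo expired
  elif ! ca_has_ca_extensions "$cert"; then
    echo missing-extensions
  else
    echo ok
  fi
}

# Usage (placeholder path, the real file is one of the ca_* files in the
# repository cert directory):
#   ca_status /var/opt/nevisadmin/default/nevisadmin/repository/cert/ca_<PLACEHOLDER>.pem
```

Run ca_status with the path of the CA certificate; "expired" or "missing-extensions" means the CA must be re-created following the procedure below, while "ok" means neither of the two conditions applies. The threshold argument of ca_is_valid_for lets you plan the renewal before the CA actually expires.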

nevisAdmin CA

  1. First, shut down nevisAdmin with the following command:

    nevisadmin stop
    Important

    nevisAdmin writes the repository to disk when it shuts down. Never edit the repository files without shutting down nevisAdmin first!

  2. Remove the existing CA:

    rm /var/opt/nevisadmin/default/nevisadmin/repository/cert/ca_*
    rm /var/opt/nevisadmin/default/nevisadmin/repository/cert/nevisadmin_*
  3. In the following configuration file, set initialized to false:

    /var/opt/nevisadmin/default/nevisadmin/repository/cert/ca.properties
    initialized=false
  4. Start nevisAdmin again:

    nevisadmin start
  5. Log in as admin user and go to the Administration tab, Key management view:

    The Key management view in the Administration tab
  6. Adapt the settings as required. Click Generate.
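Steps 1 to 4 of this procedure are command-line work and are easy to get wrong under time pressure (editing the repository while nevisAdmin is still running, or deleting the wrong files). The script below is an added example, not part of the nevisAdmin documentation or product: it wraps those four steps, takes a copy of the cert directory before deleting anything, and verifies the result before starting nevisAdmin again. Steps 5 and 6 (generating the new CA in the Key management view) still have to be done in the UI. The paths are the ones given on this page; the NEVISADMIN_CMD and RECREATE_CA_RUN variables are hypothetical hooks added so the file operations can be exercised without the real service command.

```shell
#!/bin/sh
# Added example (not from the nevisAdmin docs): steps 1-4 of "Re-create nevisAdmin 3 CA".
# Assumed hooks: NEVISADMIN_CMD (defaults to "nevisadmin") and RECREATE_CA_RUN.
set -eu

CERT_DIR="${CERT_DIR:-/var/opt/nevisadmin/default/nevisadmin/repository/cert}"
NEVISADMIN_CMD="${NEVISADMIN_CMD:-nevisadmin}"

# Copy the whole cert directory to <dir>.bak.<timestamp> and print the copy's path.
backup_cert_dir() {
  cert_dir="$1"
  backup="$cert_dir.bak.$(date +%Y%m%d%H%M%S)"
  cp -a "$cert_dir" "$backup"
  printf '%s\n' "$backup"
}

# Step 2: remove the existing CA files and the nevisAdmin key material (ca_*, nevisadmin_*).
# ca.properties is deliberately kept; it is edited in the next step.
remove_old_ca() {
  cert_dir="$1"
  rm -f "$cert_dir"/ca_* "$cert_dir"/nevisadmin_*
}

# Step 3: set initialized=false in ca.properties, replacing an existing value
# or appending the key if the file does not contain it.
mark_uninitialized() {
  props="$1/ca.properties"
  if grep -q '^initialized=' "$props" 2>/dev/null; then
    tmp="$props.tmp"
    sed 's/^initialized=.*/initialized=false/' "$props" > "$tmp" && mv "$tmp" "$props"
  else
    printf 'initialized=false\n' >> "$props"
  fi
}

# Returns 0 only when no ca_*/nevisadmin_* file is left and the flag is false.
verify_reset() {
  cert_dir="$1"
  for f in "$cert_dir"/ca_* "$cert_dir"/nevisadmin_*; do
    [ -e "$f" ] && return 1
  done
  grep -q '^initialized=false$' "$cert_dir/ca.properties"
}

# Steps 1-4 in order: stop, back up, remove, edit, verify, start.
recreate_ca() {
  cert_dir="$1"
  "$NEVISADMIN_CMD" stop                      # step 1: repository is written on shutdown
  backup=$(backup_cert_dir "$cert_dir")
  printf 'backup written to %s\n' "$backup"
  remove_old_ca "$cert_dir"                   # step 2
  mark_uninitialized "$cert_dir"              # step 3
  verify_reset "$cert_dir"                    # aborts (set -e) if anything is left over
  "$NEVISADMIN_CMD" start                     # step 4
}

# Only act when explicitly requested, so the file can also be sourced for its functions.
if [ "${RECREATE_CA_RUN:-0}" = "1" ]; then
  recreate_ca "$CERT_DIR"
fi
```

Run it as root on the nevisAdmin host with RECREATE_CA_RUN=1; afterwards continue with steps 5 and 6 in the Key management view. The backup directory is left next to the cert directory so the old CA can be restored if the generation step fails.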

Key material

Note that existing key material signed by the old CA is not re-generated automatically. Renew it as described in the following sections.

Infrastructure

Note that you have to perform the instructions in the following sections for each server.

Server

  1. In the Infrastructure tab, go to the relevant server.

  2. Open the Key Management panel.

  3. Click the button Generate keypair and server certificate signed by internal nevisAdmin CA.

    The Key Management panel of the relevant server

nevisAgent

The key material that nevisAdmin uses to connect to nevisAgent is configured in the file domain.xml: /var/opt/nevisadmin/default/nevisadmin/config/domain.xml

See also the next sample code:

    <jvm-options>-Dch.nevis.nevisadmin.ssl.keyStore=/var/opt/nevisadmin/default/nevisadmin/repository/cert/nevisadmin_keystore.jks</jvm-options>
    <jvm-options>-Dch.nevis.nevisadmin.ssl.keyStorePassword=/var/opt/nevisadmin/default/nevisadmin/repository/cert/nevisadmin_keypass</jvm-options>

  1. In the Infrastructure tab, go to the relevant nevisAgent instance (see also the next figure).

  2. Open the Key Material panel.

  3. Click the button (Re)generate:

    The Key Material panel
  4. Copy the generated key material to the target server.

    1. To find the path where to store the key material, run the next command:

        nevisagent config vmargs

Environment

Note that you have to perform the instructions in the following sections for each environment.

Realm

  1. In the Configuration tab, go to the Key management view of the relevant environment (see the next figure).
  2. Click Destroy to delete the existing signer certificate(s) (panel Destroy Authsigner Keystore).
  3. In the panel Generate Authsigner Keystore, enter a common name (CN) in the field authSigner certificate common name (CN). Click Generate.
  4. Assign the signer certificate using drag-and-drop.
    The Key management view in the Configuration tab

nevisProxy service

Service certificates used by nevisProxy should have been signed by an external CA. Thus, re-creating the nevisAdmin CA does not affect them, and they should not be renewed as part of this procedure.