CMS Database Cluster Certificate Renewals

Stephen Carr
Level 1

It doesn't look like this has been answered, so I'm going to post too in hopes someone knows. Our dbcluster client certs are up for renewal. I've gone through the process to get newer certs (used the same private key etc.) but am wondering what the steps are to use the new cert files. Do I need to break the cluster? Can I just disable the cluster service, add the new cert and re-enable on each server? If so, do I start with the master? There is absolutely no documentation that I can find on this site (or out in the ether), so it would be helpful for someone from Cisco to document this.

Thanks in advance

Steve 

Accepted Solutions

maqsood ahmed
Level 1

I just did it today. I will share my experience of renewing the database certificates; hope you pick up some points:

I used the same old CSR for both the server and client certificate; it is an internal CA. The new and updated certificate files, for example: CSR for server, CER for client, PEM file for bundle, were uploaded to CMS through WinSCP. On the CLI, I had to remove the cluster, "database cluster remove", on the master database first.

Then run the command: database cluster certs s11.key s11.CRT C12.key C12.CER B13.pem

Then another command: database cluster initialize, only in the master database CMS CLI.

Then on the client side, you will load the certificate, then remove the cluster and then JOIN the cluster.

Remember, the word "postgres" should be in the client certificate: CN and optional SAN field.

Before doing this, back up your cluster and check the deployment guide as well.

Hope this helps.

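A pre-upload check for the points raised in the answer above (key reuse, a client CN of "postgres", a CA bundle), written as an added example that is not part of the original posts or Cisco's tooling. It assumes PEM-encoded files and an openssl binary on the admin workstation; the function names and the 30-day expiry threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: offline checks on renewed CMS database cluster certificate files.
# Assumes PEM-encoded inputs and an openssl binary on the admin workstation.

# Succeeds when the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Prints the subject commonName of the certificate ($1).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= //p'
}

# Succeeds when the certificate ($2) chains to the CA bundle ($1).
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds when the certificate ($1) is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Arguments in the same order as the CLI command quoted in the answer:
# server key, server cert, client key, client cert, CA bundle.
precheck() {
    rc=0
    key_matches_cert "$2" "$1" || { echo "FAIL: server key/cert mismatch"; rc=1; }
    key_matches_cert "$4" "$3" || { echo "FAIL: client key/cert mismatch"; rc=1; }
    [ "$(cert_cn "$4")" = postgres ] || { echo "FAIL: client CN is not postgres"; rc=1; }
    for crt in "$2" "$4"; do
        chain_ok "$5" "$crt" || { echo "FAIL: $crt does not chain to $5"; rc=1; }
        valid_for_days "$crt" 30 || { echo "FAIL: $crt expires within 30 days"; rc=1; }
    done
    [ "$rc" -eq 0 ] && echo "OK: certificate set is consistent"
    return "$rc"
}

# Run the checks when the script is called with the five files.
if [ "$#" -eq 5 ]; then precheck "$@"; fi
```

Running it before tearing the cluster down catches a mismatched key or a wrong client CN while the old certificates are still in service.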


Thanks for the response. I did finally go through the steps as you did (since there didn't seem to be any other way). The only thing I did differently was remove the cluster from the two slave DBs first, so I did the master last. The cert stuff itself was pretty straightforward as I had done that before, but I was hoping there was a way to just "recycle" the cluster service with a new cert or something like that without tearing the whole thing down. Anyway, it ended up not being as scary as I thought it would. Thanks again.

Steve
