CA Renewal keeping issued certificates valid
This article provides the step-by-step procedure for recreating the CA certificate used by the VeridiumID server while keeping the certificates it has already issued valid.
1. Pre-requisites
1.1 Scripts and packages
The CA renewal procedure requires the following to be available:
VeridiumID Python 3.6.8 package
Latest Ansible scripts (at least VID 2.5.4)
All requirements are available in Nexus.
1.2 Backup existing configuration
The following commands must be run as root.
Make a backup of the following:
The current CA directory: /opt/veridiumid/CA (This is present on only a single node of the environment)
The current Zookeeper configuration:
On a Webapp node run the following command to make a backup of the existing Zookeeper configuration:
/opt/veridiumid/websecadmin/bin/migration.sh -d PATH
PATH is the location where the backup will be saved, for example: /home/veridiumid/zoo_bkp
1.3 Copy Ansible scripts (if not already present)
On the Ansible node for this environment copy the Ansible scripts and make the necessary configurations:
ANSIBLE_DIR is the directory where the Ansible scripts have been copied (for example: /home/veridiumid/vid_ansible)
Make sure that ANSIBLE_DIR/ansible.cfg is correctly configured
Check that a file named pass.txt, containing the password used for the ansible-vault encryption, exists inside ANSIBLE_DIR
Create the environment's inventory host file
The inventory file in environments_hosts has to be updated: sed -i "s|/opt/veridiumid/python/bin/python|/usr/bin/python3|g" inventory
Make sure that the veridiumid user can connect over SSH (using SSH keys) to all machines in the environment
In the ANSIBLE_DIR/mandatory_vars.yml modify the following values with the correct ones for the environment:
ENVIRONMENT
DOMAIN_NAME
CA_COUNTRY
CA_CITY
CA_STATE
CA_EMAIL
CA_ORG_UNIT
CA_ORGANISATION
CA_CN_NAME
1.4 Copy migration-tool.jar
On the node where the CA will be generated make sure that the migration-tool.jar is present.
If the node is a Webapp node then the migration-tool.jar will be present in the following path: /opt/veridiumid/websecadmin/tools.
Otherwise copy the following files from a Webapp node:
| File | Location on Webapp machine |
|---|---|
| migration-tool.jar | /opt/veridiumid/websecadmin/tools |
| migration_log4j.properties | /opt/veridiumid/websecadmin/conf |
1.5 Stop services
The following commands must be run as root:
On Webapp nodes:
service ver_websecadmin stop
service ver_tomcat stop
service ver_notifications stop
service ver_freeradius stop
service ver_fido stop
service ver_selfservice stop
/opt/veridiumid/statistics/bin/statistics-manager.sh stop
On Datalayer nodes:
service ver_data_retention stop
2. Renew the CA certificate
On the Ansible node go to ANSIBLE_DIR and run the following commands as veridiumid:
# Generate the new CA
ansible-playbook -i environments_hosts/inventory site.yml --tag install-ca --extra-vars=@mandatory_vars.yml --extra-vars "component='all' operation='replace'"
# Generate the new truststores
ansible-playbook -i environments_hosts/inventory site.yml --tag install-ca --extra-vars=@mandatory_vars.yml --extra-vars "component='all' operation='replace-truststores'"
# Generate the new keystores
ansible-playbook -i environments_hosts/inventory site.yml --tag install-ca --extra-vars=@mandatory_vars.yml --extra-vars "component='all' operation='replace-keystores'"
# Recreate the MTLS certificates for Cassandra and Kafka
ansible-playbook -i environments_hosts/inventory site.yml --tag renew-certificates --extra-vars=@mandatory_vars.yml -e "template_input='root_ca_vars'"
3. Modify the Zookeeper configuration
To modify the Zookeeper configuration follow the steps presented in the following article: Modify the Zookeeper configuration after the CA renewal
4. Change HaProxy’s truststore file
Copy the following file from the node where the CA was generated to all HaProxy nodes, under /etc/veridiumid/haproxy:
/opt/veridiumid/CA/ROOT_CA/truststores/trust_root.pem
On each HaProxy node run the following commands as root:
# Go to the HaProxy config directory
cd /etc/veridiumid/haproxy
# Make a backup of the current truststore
mv client-ca.pem client-ca.pem_bkp
# Add the new truststore at the end of the current one (to allow both truststores to function in parallel)
cat client-ca.pem_bkp trust_root.pem > client-ca.pem
# Check the current HaProxy configuration
/opt/veridiumid/haproxy/sbin/haproxy -c -V -f haproxy.cfg
# Restart the HaProxy service
service ver_haproxy restart
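As an added check for this step (example code written for this page, not part of the VeridiumID procedure or tooling), the following Python builds the combined truststore described in the comment above, but rejects PEM blocks that are not valid base64 or not a single DER SEQUENCE and keeps each distinct certificate only once, so a repeated run cannot double the bundle. The sample PEM payloads are constructed minimal ASN.1 SEQUENCEs, not real certificates, and the function names are assumptions.

```python
import base64
import hashlib
import re

# Constructed samples: minimal ASN.1 SEQUENCEs, not real certificates. In use,
# old_pem is client-ca.pem_bkp and new_pem is the copied trust_root.pem.
OLD_CLIENT_CA_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
NEW_TRUST_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def _is_single_der_sequence(der: bytes) -> bool:
    """One ASN.1 SEQUENCE (tag 0x30) whose short- or long-form length fits exactly."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:
        return len(der) == 2 + der[1]
    n = der[1] & 0x7F  # n == 0 would be BER indefinite length, not allowed in DER
    return n > 0 and len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def parse_bundle(pem: str) -> list:
    """DER of each CERTIFICATE block; ValueError on bad base64 or a non-SEQUENCE."""
    certs = []
    for body in PEM_BLOCK.findall(pem):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise ValueError(f"undecodable PEM block: {exc}") from exc
        if not _is_single_der_sequence(der):
            raise ValueError("PEM block is not a single DER SEQUENCE")
        certs.append(der)
    return certs

def is_valid_bundle(pem: str) -> bool:
    try:
        return len(parse_bundle(pem)) > 0
    except ValueError:
        return False

def merge_trust_bundle(old_pem: str, new_pem: str) -> str:
    """Old bundle first, then the new CA; each distinct certificate (by DER
    SHA-256) appears once, so repeating the HAProxy step adds nothing."""
    unique = {hashlib.sha256(d).hexdigest(): d
              for d in parse_bundle(old_pem) + parse_bundle(new_pem)}
    out = []
    for der in unique.values():
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return "".join(out)
```

Run is_valid_bundle on the merged output before restarting HAProxy; a bundle that fails here would also be rejected by the haproxy -c check above.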
5. Restart services
Run the following commands as root:
# On Webapp nodes
service ver_websecadmin start
service ver_tomcat start
service ver_notifications start
/opt/veridiumid/statistics/bin/statistics-manager.sh start
service ver_fido start
service ver_selfservice start
# On Datalayer nodes
service ver_data_retention start
6. Renew certificates (optional step)
To renew all certificates (admin, friend, default) follow the steps presented in the following article: Renew certificates