Skip to main content
Skip table of contents

CA Renewal keeping issued certificates valid

This article provides the step by step procedure of recreating the CA certificate used by the VeridiumID server.

1. Pre-requisites

1.1 Scripts and packages

The CA renewal procedure requires the following to be available:

  • VeridiumID Python 3.6.8 package

  • Latest Ansible scripts (at least VID 2.5.4)

All requirements are available in Nexus.

1.2 Backup existing configuration

The following commands must be run as root.

Make a backup of the following:

  • The current CA directory: /opt/veridiumid/CA (This is present on only a single node of the environment)

  • The current Zookeeper configuration:

    • On a Webapp node run the following command to make a backup of the existing Zookeeper configuration:

    • BASH
      /opt/veridiumid/websecadmin/bin/ -d PATH
      Where PATH is the location where the backup will be saved, for example: /home/veridiumid/zoo_bkp

1.3 Copy Ansible scripts (if not already present)

On the Ansible node for this environment copy the Ansible scripts and make the necessary configurations:

ANSIBLE_DIR is the directory where the Ansible scripts have been copied (for example: /home/veridiumid/vid_ansible)

  • Make sure that ANSIBLE_DIR/ansible.cfg is correctly configured

  • Check if inside the ANSIBLE_DIR exists a file named pass.txt containing the password used for the ansible-vault encryption

  • Create the environment’s inventory host file

    • Inventory file from environments_host has to be updated: sed -i "s|/opt/veridiumid/python/bin/python|/usr/bin/python3|g" inventory

  • Make sure that the veridiumid user can connect over SSH (using SSH keys) to all machines in the environment

  • In the ANSIBLE_DIR/mandatory_vars.yml modify the following values with the correct ones for the environment:




    • CA_CITY

    • CA_STATE

    • CA_EMAIL



    • CA_CN_NAME

1.4 Copy migration-tool.jar

On the node where the CA will be generated make sure that the migration-tool.jar is present.

If the node is a Webapp node then the migration-tool.jar will be present in the following path: /opt/veridiumid/websecadmin/tools.

Otherwise copy the following files from a Webapp node:


Location on Webapp machine




1.5 Stop services

The following commands must be run as root:

On Webapp nodes:

service ver_websecadmin stop
service ver_tomcat stop
service ver_notifications stop
service ver_freeradius stop
service ver_fido stop
service ver_selfservice stop
/opt/veridiumid/statistics/bin/ stop

On Datalayer nodes:

service ver_data_retention stop

2. Renew the CA certificate

On the Ansible node go to ANSIBLE_DIR and run the following commands as veridiumid:

# Generate the new CA
ansible-playbook -i environments_hosts/inventory site.yml --tag install-ca --extra-vars=@mandatory_vars.yml --extra-vars "component='all' operation='replace'"

# Generate the new truststores
ansible-playbook -i environments_hosts/inventory site.yml --tag install-ca --extra-vars=@mandatory_vars.yml --extra-vars "component='all' operation='replace-truststores'"

# Generate the new keystores
ansible-playbook -i environments_hosts/inventory site.yml --tag install-ca --extra-vars=@mandatory_vars.yml --extra-vars "component='all' operation='replace-keystores'"

# Recreate the MTLS certificates for Cassandra and Kafka
ansible-playbook -i environments_hosts/inventory site.yml --tag renew-certificates --extra-vars=@mandatory_vars.yml -e "template_input='root_ca_vars'"

3. Modify the Zookeeper configuration

To modify the Zookeeper configuration follow the steps presented in the following article: Modify the Zookeeper configuration after the CA renewall

4. Change HaProxy’s truststore file

Copy the following file from the node where the CA was generated to all HaProxy nodes, under /etc/veridiumid/haproxy:

  • /opt/veridiumid/CA/ROOT_CA/truststores/trust_root.pem

On each HaProxy node run the following commands as root:

# Go the the HaProxy config directory
cd /etc/veridiumid/haproxy

# Make a backup of the current truststore
mv client-ca.pem client-ca.pem_bkp

# Add the new truststore at the end of the current one (to allow both truststores to function in parallel)
cp trust_root.pem client_ca.pem

# Check the current HaProxy configuration
/opt/veridiumid/haproxy/sbin/haproxy -c -V -f haproxy.cfg

# Restart the HaProxy service
service ver_haproxy restart

5. Restart services

Run the following commands as root:

# On Webapp nodes
service ver_websecadmin start
service ver_tomcat start
service ver_notifications start
/opt/veridiumid/statistics/bin/ start
service ver_fido start
service ver_selfservice start

# On Datalayer nodes
service ver_data_retention start

6. Renew certificates (optional step)

To renew all certificates (admin, friend, default) follow the steps presented in the following article: Renew certificates

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.