8 Managing TLS/SSL certificates #
8.1 Regenerating HTTPS certificates #
HTTPS certificates should be regenerated before they expire or to include additional common alternative names. No additional actions are required on the client machines registered to RMT server if only HTTPS certificates are regenerated.
Stop nginx and rmt-server services:
#
systemctl stop nginx
#
systemctl stop rmt-server
Remove previously generated certificates.
#
rm /etc/rmt/ssl/rmt-server.*
Run the
yast rmt
module as described in Section 2.4, “RMT configuration with YaST”.
8.2 Regenerating CA certificates and HTTPS certificates #
CA certificates can be regenerated after they have expired or in case of security issues.
The newly generated CA certificate must be imported on all clients
registered to the RMT server. This can be done by running the
rmt-client-setup
script on the client machines
as described in Section 5.3, “Configuring clients with rmt-client-setup
”.
Stop nginx and rmt-server services.
#
systemctl stop nginx
#
systemctl stop rmt-server
Remove previously generated CA and HTTPS certificates.
#
rm /etc/rmt/ssl/rmt-ca.*
#
rm /etc/rmt/ssl/rmt-server.*
Run the
yast rmt
module as described in Section 2.4, “RMT configuration with YaST”.