Certificate maintenance

When client or server certificates expire, they need to be renewed.

Renew server certificates

Use the same commands that were used to create the initial key/certs:

  • xbusd key generate
  • xbusd cert generate server-ca [ --host-defs <server names/ips> ]
  • xbusd cert generate client-ca

After doing so, all the client certificates _must_ be renewed.
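A way to check which certificates need renewal, covering both expiry and a regenerated CA. This is an added example, not part of xbus or its documentation: it uses only the openssl command line, assumes the certificates are available as PEM files, and every file name in it is a placeholder. The CA and certificates it creates are constructed test material.

```shell
#!/bin/sh
# Added example, not part of xbus. Assumes PEM X.509 files; names are placeholders.

# cert_status CERT CA_CERT DAYS -> prints expired | untrusted | expiring | ok
cert_status() {
    cert=$1; ca=$2; days=$3
    # Already past notAfter: needs renewal now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo expired; return 0
    fi
    # Does not chain to the CA currently in use, e.g. the CA was
    # regenerated after this certificate was issued.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo untrusted; return 0
    fi
    # Valid today, but notAfter falls inside the warning window.
    if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        echo expiring; return 0
    fi
    echo ok
}

# Constructed test material: a throwaway CA and a certificate signed by it.
make_ca() {      # make_ca PREFIX
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=constructed-ca" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
issue_cert() {   # issue_cert CA_PREFIX OUT_PREFIX VALID_DAYS
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-client" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days "$3" -out "$2.crt" 2>/dev/null
}

# The old CA issues two certificates, then a new CA replaces it.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/ca_old"; make_ca "$d/ca_new"
    issue_cert "$d/ca_old" "$d/long" 365
    issue_cert "$d/ca_old" "$d/short" 5
    echo "long cert, old CA:  $(cert_status "$d/long.crt"  "$d/ca_old.crt" 30)"
    echo "short cert, old CA: $(cert_status "$d/short.crt" "$d/ca_old.crt" 30)"
    echo "long cert, new CA:  $(cert_status "$d/long.crt"  "$d/ca_new.crt" 30)"
    rm -rf "$d"
}
demo
```
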

Renew client certificate

Reset the cert

The client certificate renewal must be initiated server-side, with xbusctl (or directly with xbusd if no xbusctl can connect):

xbusctl account reset-cert <account name or id>

After running this command, the account state is back to PENDING, and both its certificate and CSR are reset.

Renew the CSR

The client utility (xbus-client or xbusctl) can now provide a new CSR, and optionally renew its private key:

xbus-client renew-cert [ --newkey ]

Accept the new CSR

The administrator now has to accept the account to generate a new certificate:

xbusctl account accept <account name or id>

Install the new certificate

Finalize the operation by fetching and installing the new certificate:

xbus-client register