Certificate maintenance
=======================

When client or server certificates expire, they need to be renewed.

.. _administration-certificate-renew-server-certificates:

Renew server certificates
-------------------------

Use the same commands that were used to create the initial key/certs:

- ``xbusd key generate``
- ``xbusd cert generate server-ca [ --host-defs ]``
- ``xbusd cert generate client-ca``
- **Restart xbusd**

After doing so, all the client certificates *must* be renewed.

Renew client certificate
------------------------

Reset the cert
~~~~~~~~~~~~~~

The client certificate renewal must be initiated server-side, with ``xbusctl``
(or directly with ``xbusd`` if no xbusctl can connect):

.. code-block:: bash

    xbusctl account reset-cert

After running this command, the account state is back to ``PENDING``, and both
its certificate and CSR are reset.

Renew the CSR
~~~~~~~~~~~~~

The client utility (``xbus-client`` or ``xbusctl``) can now provide a new CSR,
and optionally renew its private key:

.. code-block:: bash

    xbus-client renew-cert [ --newkey ]

Accept the new CSR
~~~~~~~~~~~~~~~~~~

The administrator now has to accept the account to generate a new certificate:

.. code-block:: bash

    xbusctl account accept

Install the new certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Finalize the operation by fetching and installing the new certificate:

.. code-block:: bash

    xbus-client register
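
The following is an added example, not part of the xbus tooling or its documentation: a POSIX shell helper built on ``openssl x509 -checkend`` that reports which certificate files fall inside a renewal window, so the renewal steps above can be scheduled before expiry. The function names are hypothetical and the certificate paths are supplied by the operator, since this page does not state where xbus stores its certificates.

```shell
#!/bin/sh
# Added example (not xbus code). Requires the openssl command-line tool.
# Paths are passed in by the operator; no xbus storage location is assumed.

# cert_status FILE DAYS
# Prints one of: invalid | expired | renew | ok
# Returns 0 only for "ok", so it can gate a cron job or a monitoring check.
cert_status() {
    cs_file=$1
    cs_days=$2
    # Unreadable or non-PEM input must never be reported as healthy.
    if ! openssl x509 -in "$cs_file" -noout >/dev/null 2>&1; then
        echo "invalid"
        return 2
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cs_file" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"
        return 1
    fi
    if ! openssl x509 -in "$cs_file" -noout \
            -checkend "$((cs_days * 86400))" >/dev/null 2>&1; then
        echo "renew"
        return 1
    fi
    echo "ok"
}

# renewal_report DAYS FILE...
# Prints "status<TAB>notAfter<TAB>path" per file.
# Returns non-zero if any certificate is invalid, expired or due for renewal.
renewal_report() {
    rr_days=$1
    shift
    rr_rc=0
    for rr_file in "$@"; do
        rr_status=$(cert_status "$rr_file" "$rr_days") || rr_rc=1
        rr_end=$(openssl x509 -in "$rr_file" -noout -enddate 2>/dev/null) \
            || rr_end="notAfter=unknown"
        printf '%s\t%s\t%s\n' "$rr_status" "$rr_end" "$rr_file"
    done
    return "$rr_rc"
}
```

Because renewing the server certificates forces every client certificate to be renewed, include the server CA certificates in the list passed to ``renewal_report`` and choose a window long enough to reissue all client certificates.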